topic Cisco ASA - Negate Firewall Objects/Groups/Rules in Network Security

Cisco ASA - Negate Firewall Objects/Groups/Rules

Kevin_W — Tue, 12 Mar 2019 07:29:01 GMT

Hello,

Are there any possibilites to negate objects or groups on the Cisco ASA firewall?
E.g. I would like to make an object/group for all not private IP addresses (so a group for "Internet").
With this I could say that host A should only be able to access the Internet but no internal ressources.

On other firewall manufacturer you can work with negated groups, but on the ASA I only know the workaround like below.

I know that I could make a workaround and use the top-down principle. I can say:
rule 1: Host A is not allow to access the private networks
rule 2: Host A is allowed to access any (the rest - the Internet)

Thanks in advance

Best regards

I have tried now an other

Kevin_W — Mon, 14 Mar 2016 15:29:15 GMT

I have tried now an other workaround:
I made a group with all public IP ranges/addresses.

This seems to be working too, but I would appreciate if you have a solution with to negate objects/groups.

Thanks in advance

Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

KwameB876 — Fri, 16 Mar 2018 17:02:07 GMT

It's hard to believe that this option isn't available for the ASA.

Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

Florin Barhala — Mon, 19 Mar 2018 10:41:31 GMT

I ll just bump this thread. I am also interested in this feature especially after working many years with Checkpoint FWs.

Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

normanksmith — Mon, 08 Apr 2019 18:42:01 GMT

It's a year later for this thread, checking if the negate is now available in ASA?

I am migratign several CheckPoints to ASA 5525-X and the negate cell is pretty convenient.

I would keep it instead of the deny/accept option.

Re: I have tried now an other

Josiane de Barros Silva — Tue, 09 Apr 2019 11:55:27 GMT

Hi @Kevin_W

You could share with me the way you tried to deny these groups, if you prefer, you can send them in private, so that I can test and tell you if it is possible.

Josiane de Barros

Twitter: SecureGirlNinja

Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

Kevin_W — Tue, 09 Apr 2019 12:47:54 GMT

Hello everybody,

I have made a group object with following IP ranges inside:

0.0.0.0 - 9.255.255.255

11.0.0.0 126.255.255.255

129.0.0.0-169.253.255.255

172.32.0.0-191.0.1.255

192.0.3.0-192.88.98.255

192.88.100.0-192.167.255.255

192.169.0.0-198.17.255.255

198.20.0.0-223.255.255.255

So if you want to permit e.g. a client to access ONLY the internet and not any internal ressources, you can use this group for the permit rule.

Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

Josiane de Barros Silva — Tue, 09 Apr 2019 13:39:02 GMT

Hi @Kevin_W

could share Show running-config. To understand how it is today.

Best Regards,

Josiane

Twitter: SecureGirlNinja

Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

Kevin_W — Wed, 10 Apr 2019 05:47:03 GMT

Hi Josiane,

object-group network Internet
network-object object PUBLIC_RANGE_Internet_1
network-object object PUBLIC_RANGE_Internet_6
network-object object PUBLIC_RANGE_Internet_5
network-object object PUBLIC_RANGE_Internet_4
network-object object PUBLIC_RANGE_Internet_3
network-object object PUBLIC_RANGE_Internet_2
network-object object PUBLIC_RANGE_Internet_7
network-object object PUBLIC_RANGE_Internet_8
network-object object PUBLIC_RANGE_Internet_9

object network PUBLIC_RANGE_Internet_1
range 0.0.0.0 9.255.255.255
object network PUBLIC_RANGE_Internet_2
range 11.0.0.0 126.255.255.255
object network PUBLIC_RANGE_Internet_3
range 129.0.0.0 169.253.255.255
object network PUBLIC_RANGE_Internet_4
range 169.255.0.0 172.15.255.255
object network PUBLIC_RANGE_Internet_5
range 172.32.0.0 191.0.1.255
object network PUBLIC_RANGE_Internet_6
range 192.0.3.0 192.88.98.255
object network PUBLIC_RANGE_Internet_7
range 192.88.100.0 192.167.255.255
object network PUBLIC_RANGE_Internet_8
range 192.169.0.0 198.17.255.255
object network PUBLIC_RANGE_Internet_9
range 198.20.0.0 223.255.255.255

Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

Josiane de Barros Silva — Wed, 10 Apr 2019 17:22:31 GMT

Hi @Kevin_W

Attached is the photo of the configuration made in our firewall.

if my answer was helpful to you, check it out as helpful so others can be helped.

Best Regards

Josiane

Twitter :SecureGirlNinja