https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2860072#M171779 <P>Hi,</P> <P>&nbsp;</P> <P>Please help me to understand how the acl works on asa code 9.x</P> <P>&nbsp;</P> <P>If i want to block a host (<SPAN>172.16.10.250) </SPAN>from dmz&nbsp; zone to outside (internet access ) and rest of the network should access .How can i do that ?</P> <P>&nbsp;</P> <P>Which acl&nbsp; from&nbsp; below (1,2,3 &amp;4 ) will do that ?</P> <P>&nbsp;</P> <P>Is it possible i can&nbsp; do it in <SPAN>Outside_acl (2,3,&amp;4 )</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Dmz host</P> <P>172.16.10.250</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>object network Obj-172.16.10.250</P> <P>host 172.16.10.250</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>access-group Outside_acl in interface Outside</P> <P>access-group DMZ_acl in interface DMZ</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>1)</P> <P>access-list DMZ_acl extended deny ip host 172.16.10.250 interface Outside</P> <P>access-list DMZ_acl extended permit ip any any</P> <P>access-list DMZ_acl extended deny ip any any</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>2)</P> <P>access-list Outside_acl extended deny ip any host 172.16.10.250</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>3)</P> <P>access-list Outside_acl extended deny ip host 172.16.10.250 any</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>4)</P> <P>access-list Outside_acl extended deny ip any object Obj-172.16.10.250</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Please help</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 12 Mar 2019 07:29:45 GMT elite2010 2019-03-12T07:29:45Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2860072#M171779 <P>Hi,</P> <P>&nbsp;</P> <P>Please help me to understand how the acl works on asa code 9.x</P> <P>&nbsp;</P> <P>If i want to block a host (<SPAN>172.16.10.250) </SPAN>from dmz&nbsp; zone to outside (internet access ) and rest of the network should access .How can i do that ?</P> <P>&nbsp;</P> <P>Which acl&nbsp; from&nbsp; below (1,2,3 &amp;4 ) will do that ?</P> <P>&nbsp;</P> <P>Is it possible i can&nbsp; do it in <SPAN>Outside_acl (2,3,&amp;4 )</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Dmz host</P> <P>172.16.10.250</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>object network Obj-172.16.10.250</P> <P>host 172.16.10.250</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>access-group Outside_acl in interface Outside</P> <P>access-group DMZ_acl in interface DMZ</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>1)</P> <P>access-list DMZ_acl extended deny ip host 172.16.10.250 interface Outside</P> <P>access-list DMZ_acl extended permit ip any any</P> <P>access-list DMZ_acl extended deny ip any any</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>2)</P> <P>access-list Outside_acl extended deny ip any host 172.16.10.250</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>3)</P> <P>access-list Outside_acl extended deny ip host 172.16.10.250 any</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>4)</P> <P>access-list Outside_acl extended deny ip any object Obj-172.16.10.250</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Please help</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 12 Mar 2019 07:29:45 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2860072#M171779 elite2010 2019-03-12T07:29:45Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2860073#M171780 <P>Hi,</P> <P></P> <P>ACL's on the 9.x code work the same as they used to work on the <G class="gr_ gr_63 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="63" data-gr-id="63">prevous</G> codes.</P> <P></P> <P>You would need the option 1 to deny access to <G class="gr_ gr_100 gr-alert gr_gramm undefined Grammar multiReplace" id="100" data-gr-id="100">internet</G>.</P> <P></P> <P>You do not need the keyword outside interface on the ACL.</P> <P></P> <P>access-list DMZ_acl extended deny <G class="gr_ gr_130 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="130" data-gr-id="130">ip</G> host 172.16.10.250 any</P> <P>access-list DMZ_acl extended permit <G class="gr_ gr_131 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="131" data-gr-id="131">ip</G> <G class="gr_ gr_142 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="142" data-gr-id="142">any any</G></P> <P>access-list DMZ_acl extended deny <G class="gr_ gr_132 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="132" data-gr-id="132">ip</G> <G class="gr_ gr_141 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="141" data-gr-id="141">any any</G></P> <P>&nbsp;</P> <P>Also no need to add deny <G class="gr_ gr_174 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="174" data-gr-id="174">ip</G> <G class="gr_ gr_191 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="191" data-gr-id="191">any any</G> as you are already permitting <G class="gr_ gr_209 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="209" data-gr-id="209">ip</G>&nbsp;any any in the line above it.</P> <P></P> <P>You can use a packet-tracer command to validate the rules.</P> <P></P> <P>packet-tracer input <G class="gr_ gr_289 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="289" data-gr-id="289">dmz</G>&nbsp;<G class="gr_ gr_293 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="293" data-gr-id="293">icmp</G>&nbsp;172.16.10.250 8 0 4.2.2.2 detailed</P> <P></P> <P>You should see ACL denying the traffic.</P> <P></P> <P>Regards</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts.</P> Wed, 16 Mar 2016 06:30:27 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2860073#M171780 Aditya Ganjoo 2016-03-16T06:30:27Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2860074#M171781 <P>Thanks Adithya,</P> <P></P> <P><SPAN>" access-list DMZ_acl extended deny ip host 172.16.10.250 any"</SPAN></P> <P><SPAN>if I put any instead of outside interface , the host wont be able to communicate inside zone also</SPAN></P> <P><SPAN>correct me if &nbsp;i am wrong&nbsp;</SPAN></P> <P><SPAN>Thanks</SPAN></P> Wed, 16 Mar 2016 06:48:03 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2860074#M171781 elite2010 2016-03-16T06:48:03Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2860075#M171782 <P>Hi,</P> <P></P> <P></P> <P><G class="gr_ gr_88 gr-alert gr_gramm undefined Punctuation only-ins replaceWithoutSep" id="88" data-gr-id="88">Yes</G> you are correct.</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Wed, 16 Mar 2016 06:53:13 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2860075#M171782 Aditya Ganjoo 2016-03-16T06:53:13Z