topic Re: Block IP range on ASA 5510 (version 8.3) in Network Security

Block IP range on ASA 5510 (version 8.3)

jerrybu01 — Tue, 12 Mar 2019 01:09:48 GMT

Hi everyone,

I don't know how to config on my ip range (192.168.172.0/24).

object network FULL-IP-INTERNET "(allow full internet)

range 192.168.172.1 192.168.172.20

NAT (inside,outside) ...

Access-list ....

object network DENY-IP-INTERNET "(limited internet)

range 192.168.172.21 192.168.172.254

NAT (inside,outside) ...

Access-list ....

Help me to complete configuration!

Block IP range on ASA 5510 (version 8.3)

jocamare — Tue, 05 Mar 2013 03:12:47 GMT

What do you mean by "limited internet"?

You can have just one nat rule for the entire subnet and then just use acl to limit the resources they can access or not.

Re: Block IP range on ASA 5510 (version 8.3)

Julio Carvajal — Tue, 05 Mar 2013 03:12:57 GMT

Hello Nguyen,

First of all what would be the traffic you want to restrict from the Deny_IP_Internet group

Let's say you will only allow TCP port 80 traffic from that group

nat (inside,outside) source dynamic any interface

access-list Inside_in permit ip object FULL-IP-INTERNET any

access-list Inside_in permit tcp object DENY-IP-INTERNET any eq 80

access-list Inside_in deny ip object DENY-IP-INTERNET any

access-group Inside_in in interface inside

Regards,

Remember to rate all of the helpful posts

Julio Carvajal

Block IP range on ASA 5510 (version 8.3)

jerrybu01 — Tue, 05 Mar 2013 03:20:10 GMT

"limited internet" mean the ip range (range 192.168.172.21 192.168.172.254) don't access full internet, they can access some website like "https://supportforums.cisco.com", email

Re: Block IP range on ASA 5510 (version 8.3)

Julio Carvajal — Tue, 05 Mar 2013 03:21:54 GMT

Then you must use:

Regex with HTTP inspection or DNS inspection

Example blocking facebook via HTTP inspection

regex block_url facebook.com

access-list TEST extended permit tcp any any eq www (modify this to match

the subnet)

class-map type regex match-any block_url

match regex block_url

class-map http-80

match access-list TEST

policy-map type inspect http block_url_facebook

parameters

match request header host regex class block_url

drop-connection log

policy-map global_policy

class http-80

inspect http block_url_facebook

Or an ACL with FQDN...

http://blog.networkbits.es/?p=507

That basically would be your options on this scenario

Block IP range on ASA 5510 (version 8.3)

jocamare — Tue, 05 Mar 2013 03:24:21 GMT

You can use only one nat statement for the whole subnet and use acls to limit the traffic the addresses in that range can send/receive.

If you want to allow/permit some websites, you can use URL filtering. The email thing can be done with just acls.

Block IP range on ASA 5510 (version 8.3)

jerrybu01 — Tue, 05 Mar 2013 03:28:48 GMT

Hello Jcarvaja,

If i want to block many webpages i create a lot of lines, it's not ok.

I mean, whitelist <

Block IP range on ASA 5510 (version 8.3)

jocamare — Tue, 05 Mar 2013 03:30:41 GMT

Get a webfilter, HTTP proxy or a CSC module for the asa.

Block IP range on ASA 5510 (version 8.3)

Julio Carvajal — Tue, 05 Mar 2013 03:32:04 GMT

Hello,

You have many options to filter HTTP/HTTPS traffic on an ASA .

If you do not want do do it manually as I said before then you can use the CSC module , a websense server, the scansafe services, the botnet whitelist/blacklist option

I mean it's all up to you....

Block IP range on ASA 5510 (version 8.3)

jerrybu01 — Tue, 05 Mar 2013 04:07:22 GMT

Hello jcarvaja,

ASA5510(config)# object network FULL-IP-INTERNET

ASA5510(config-network-object)# range 192.168.172.1 192.168.172.20

ASA5510(config-network-object)# nat (inside,outside) source dynamic any interface

ASA5510(config)# access-list inside_in permit ip object FULL-IP-INTERNET any

ASA5510(config)# object network DENY-IP-INTERNET

ASA5510(config-network-object)# range 192.168.172.21 192.168.172.254

ASA5510(config-network-object)# nat (inside,outside) source dynamic any interface

ASA5510(config)#access-list Inside_in permit tcp object DENY-IP-INTERNET any eq 80

ASA5510(config)#access-list inside_access_out permit tcp any any eq 25

ASA5510(config)#access-list inside_access_out permit tcp any any eq 110

ASA5510(config)#access-list Inside_in deny ip object DENY-IP-INTERNET any

ASA5510(config)#access-group Inside_in in interface inside

Is this right?

Additional, i want IPs in"DENY-IP-INTERNET" zone to open 2 webpages like: cisco.com, flpvn.com. How can i config them?

Block IP range on ASA 5510 (version 8.3)

Julio Carvajal — Tue, 05 Mar 2013 04:59:40 GMT

Hello Nguyen,

For that and to make it simple you can configure FQDN:

In this scenario let's say we are going to use 4.2.2.2 as the ASA dns server..

domain-name test.com

dns domain-lookup outside

DNS server-group DefaultDNS

name-server 4.2.2.2

domain-name csc.com

Then

object network host-Cisco.com

fqdn cisco.com

object network host-flvpn.com

fqdn flvpn.com

access-list Inside_in line 1 permit tcp any object host-Cisco.com

access-list Inside_in line 2 permit tcp any object host-flvpn.com

access-list Inside_in line 3 deny ip object DENY-IP-INTERNET any

access-list Inside_in line 4 permit ip any any

access-group Inside_in in interface inside

Hey Nguyen please check your inbox here on the CSC, I have sent you a message

Regards

Julio Carvajal