https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066612#M396765 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,</P><P></P><P>I am new to ASA&nbsp; world but have to learn now as new job we have few ASAs.</P><P>It is very good that we have people like you in this forum who can answer the questions and we can understand the</P><P>concept better.</P><P></P><P>Thanks a lot.</P><P></P><P>Regards</P><P>Mahesh</P></BODY></HTML> Fri, 26 Oct 2012 04:51:54 GMT mahesh18 2012-10-26T04:51:54Z https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066607#M396760 <P>hi all,</P><P></P><P>Need&nbsp; to confirm if this is right way to use ACL&nbsp; to block specfic user from accessing www</P><P></P><P>Config 1</P><P></P><P>access-list BLOCK extended deny tcp host 192.168.1.1 any eq www log</P><P></P><P>access-group BLOCK in interface inside</P><P></P><P>Here IP 192.168.1.1 is used as source&nbsp; which is&nbsp; inside interface of ASA .</P><P></P><P>Now host PC 192.168.1.6 is not able to access internet but hit count does not increment stays at zero need to know why?</P><P></P><P>Config 2</P><P></P><P>When i use source IP&nbsp; of PC then user PC is still able to access the internet .</P><P></P><P>Thanks</P><P></P><P>Mahesh Parmar</P> Tue, 12 Mar 2019 00:14:20 GMT https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066607#M396760 mahesh18 2019-03-12T00:14:20Z https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066608#M396761 <HTML><HEAD></HEAD><BODY><P>If you would like to block host 192.168.1.6 from accessing the web, then you would need to configure the following:</P><P></P><P>access-list BLOCK extended deny tcp host 192.168.1.6 any eq www log</P><P>access-list BLOCK extended permit ip any any</P><P></P><P>The second line is to ensure that everything else is permitted to go out to the internet. Because by default there is an implicit deny ip any any at the end of an access-list.</P></BODY></HTML> Fri, 26 Oct 2012 03:11:07 GMT https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066608#M396761 Jennifer Halim 2012-10-26T03:11:07Z https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066609#M396762 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,</P><P></P><P>Thanks for reply so i do not need to use the access-group command then ?</P><P>Can you please tell then when we use access-group command in ASA ?</P><P></P><P>Mahesh</P></BODY></HTML> Fri, 26 Oct 2012 03:13:51 GMT https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066609#M396762 mahesh18 2012-10-26T03:13:51Z https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066610#M396763 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,</P><P></P><P>I applied the following config </P><P></P><P></P><P>access-list BLOCK extended deny tcp host 192.168.1.7 any eq www log</P><P>access-list BLOCK extended permit tcp any any</P><P></P><P></P><P>access-group BLOCK out interface outside</P><P></P><P>Now user PC is unable to access www&nbsp; but when i do sh access-list&nbsp; i see hit counters stay at zero it does not increment</P><P>can you please tell why ?</P><P></P><P>Thanks</P><P></P><P>Mahesh</P></BODY></HTML> Fri, 26 Oct 2012 03:38:34 GMT https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066610#M396763 mahesh18 2012-10-26T03:38:34Z https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066611#M396764 <HTML><HEAD></HEAD><BODY><P>The reason why is normally DNS resolution happens first, before the user can access the internet.</P><P>Since you are not permitting udp any any, then the hitcount for denying the WWW still shows zero since it doesn't even get into that stage.</P><P></P><P>If you also include:</P><P></P><P>access-list BLOCK extended permit udp any any</P><P></P><P>Then you will see hitcount on the udp as well as the deny for that host on www.</P></BODY></HTML> Fri, 26 Oct 2012 03:41:11 GMT https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066611#M396764 Jennifer Halim 2012-10-26T03:41:11Z https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066612#M396765 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,</P><P></P><P>I am new to ASA&nbsp; world but have to learn now as new job we have few ASAs.</P><P>It is very good that we have people like you in this forum who can answer the questions and we can understand the</P><P>concept better.</P><P></P><P>Thanks a lot.</P><P></P><P>Regards</P><P>Mahesh</P></BODY></HTML> Fri, 26 Oct 2012 04:51:54 GMT https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066612#M396765 mahesh18 2012-10-26T04:51:54Z https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066613#M396766 <HTML><HEAD></HEAD><BODY><P>Thanks Mahesh. Good to hear that you have learnt through the forum.</P></BODY></HTML> Fri, 26 Oct 2012 04:54:04 GMT https://community.cisco.com/t5/network-security/access-group-command-on-asa/m-p/2066613#M396766 Jennifer Halim 2012-10-26T04:54:04Z