topic Re: New ASA user deny access to 2 hosts in Network Security

New ASA user deny access to 2 hosts

scotts — Fri, 21 Feb 2020 09:26:56 GMT

I'm very new to managing Cisco equipment. I was given and pre-configured ASA5510 and I was recently asked to block external access to 2 hosts on my network. I created a network/host group and added those 2 hosts to that group. I then created a rule in my acl to block access for that group outgoing from the dest interface. My second rule in that acl will allow access from my private subnet to any incoming from the src interface. When I applied these rules the entire subnet lost connectivity. could anyone lend me some assistance with this or perhaps point me in the right direction?

Thanks in advance.

Re: New ASA user deny access to 2 hosts

acomiskey — Fri, 16 Mar 2007 00:52:13 GMT

Hard to understand which direction/interface you applied these. Could you post your acl's and also your access-group statements. Also explain who is supposed to be blocked.

Re: New ASA user deny access to 2 hosts

scotts — Fri, 16 Mar 2007 16:09:00 GMT

I apologize in advance if this is not what your looking for... But here goes

object-group network Surveilance

network-object Surv01-w2kd 255.255.255.255

network-object Surv02-w2kd 255.255.255.255

access-list inside_nat0_outbound extended permit ip any 192.168.224.16 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list dmz-in extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list dmz-in extended permit ip 10.0.1.0 255.255.255.0 any

access-list split extended permit ip 192.168.1.0 255.255.255.0 192.168.224.0 255.255.255.0

access-list split extended permit ip 192.168.224.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list split extended permit ip 10.0.0.0 255.0.0.0 192.168.224.0 255.255.255.0

access-list split extended permit ip 192.168.224.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list split extended permit ip host 162.XX.XX.X 192.168.224.0 255.255.255.0

access-list split extended permit ip 192.168.224.0 255.255.255.0 host 162.XX.XX.X

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list dmz_access_out extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list outside_access_out extended permit ip any any

access-list mail_access_in extended permit tcp any host 162.XX.XXX.XX eq smtp

pager lines 24

logging enable

logging timestamp

logging emblem

logging list VPNLogs level notifications class vpn

logging asdm-buffer-size 512

logging console emergencies

logging monitor warnings

logging buffered notifications

logging trap notifications

logging asdm warnings

logging from-address adsm@XXXXXXX.com

logging recipient-address sXXXXs@XXXXXXX.com level errors

logging queue 0

logging host inside 192.168.1.89 format emblem

mtu inside 1500

mtu outside 1500

mtu management 1500

mtu dmz 1500

ip local pool VPN-Pool 192.168.224.16-192.168.224.31

no failover

asdm image disk0:/asdm506.bin

asdm history enable

arp timeout 14400

global (outside) 4 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 4 0.0.0.0 0.0.0.0

nat (dmz) 4 10.0.1.0 255.255.255.0

static (inside,outside) 162.XX.XX.X 192.168.1.4 netmask 255.255.255.255

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside,outside) 162.XX.XX.X 192.168.1.3 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group inbound in interface outside

access-group outside_access_out out interface outside

access-group dmz-in in interface dmz

I've done all of my configuration via ASDM, I want to deny access to the Surveilance group I noticed here that the ip's are not assigned to the hosts in that group, It appears that ASDM has ignored the ip address and inserted on the subnet mask. When I pull that group back up in ASDM the IPs appear as normal.

Re: New ASA user deny access to 2 hosts

acomiskey — Fri, 16 Mar 2007 17:05:31 GMT

If I understand you correctly, you want to prevent inside users from going outside?

Re: New ASA user deny access to 2 hosts

scotts — Fri, 16 Mar 2007 17:14:16 GMT

Yes you understand me correctly. I don't make the policies I just enforce them.

Re: New ASA user deny access to 2 hosts

acomiskey — Fri, 16 Mar 2007 17:22:28 GMT

I wasn't questioning you, just making sure I knew what you wanted to accomplish. So you created an access-list and applied it into the inside interface right? As soon as you do that, and put your denies in, you must put a permit ip any any at the end. There is always an explicit deny at the end of your acl. Which of course is ok, if that is your intention, but if not you must add the permit. Make sense?

access-list inside_in extended deny ip any

access-list inside_in extended permit ip any any

access-group inside_in in interface inside

Re: New ASA user deny access to 2 hosts

scotts — Fri, 16 Mar 2007 17:26:25 GMT

yes that makes sense. Let me toss you a curveball if I may. Is it possible to limit these denies to specific times. I.E. and I know this is probably not the correct format but

access-list inside_in extended deny ip any 17:00 - 07:59

Re: New ASA user deny access to 2 hosts

acomiskey — Fri, 16 Mar 2007 17:39:12 GMT

Yes, it's possible.

Define your time-range...

http://cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f103.html#wp1385822

Then you can use it on the acl

access-list inside_in extended deny ip any time-range

Re: New ASA user deny access to 2 hosts

scotts — Fri, 16 Mar 2007 17:44:41 GMT

Great, thanks for all your help!

Re: New ASA user deny access to 2 hosts

acomiskey — Fri, 16 Mar 2007 17:47:14 GMT

No problem, please rate if they helped.