https://community.cisco.com/t5/network-security/block-internet-access-cisco-asa/m-p/3864090#M6096 <P>Hello;</P><DIV>I'm new to IT security world and Cisco as well.</DIV><DIV>I want to block my inside network (servers) to access the outside world (internet) which is allowed by default in factory-default config of asa 5505.</DIV><DIV>It is how I get it done:</DIV><DIV><DIV><DIV>ciscoasa(config)# object network insidenet</DIV><DIV>ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0</DIV><DIV>ciscoasa(config-network-object)# exit</DIV><DIV>ciscoasa(config)# access-list Restrictinsidenet extended deny ip object insidenet any</DIV><DIV>ciscoasa(config)# access-g Restrictinsidenet out interface outside</DIV></DIV><DIV>&nbsp;</DIV><DIV>is it ok?</DIV><DIV>I will appreciate sharing your ideas with me.</DIV><DIV>Thank you so much. Good luck.</DIV><DIV>BR/</DIV></DIV> Fri, 21 Feb 2020 17:10:33 GMT AliMahm00di 2020-02-21T17:10:33Z https://community.cisco.com/t5/network-security/block-internet-access-cisco-asa/m-p/3864090#M6096 <P>Hello;</P><DIV>I'm new to IT security world and Cisco as well.</DIV><DIV>I want to block my inside network (servers) to access the outside world (internet) which is allowed by default in factory-default config of asa 5505.</DIV><DIV>It is how I get it done:</DIV><DIV><DIV><DIV>ciscoasa(config)# object network insidenet</DIV><DIV>ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0</DIV><DIV>ciscoasa(config-network-object)# exit</DIV><DIV>ciscoasa(config)# access-list Restrictinsidenet extended deny ip object insidenet any</DIV><DIV>ciscoasa(config)# access-g Restrictinsidenet out interface outside</DIV></DIV><DIV>&nbsp;</DIV><DIV>is it ok?</DIV><DIV>I will appreciate sharing your ideas with me.</DIV><DIV>Thank you so much. Good luck.</DIV><DIV>BR/</DIV></DIV> Fri, 21 Feb 2020 17:10:33 GMT https://community.cisco.com/t5/network-security/block-internet-access-cisco-asa/m-p/3864090#M6096 AliMahm00di 2020-02-21T17:10:33Z https://community.cisco.com/t5/network-security/block-internet-access-cisco-asa/m-p/3864112#M6099 <P>&nbsp;</P> <P>You would be better to apply the acl to the inside interface ie. -&nbsp;</P> <P>&nbsp;</P> <P><SPAN>access-group Restrictinsidenet in interface inside&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Jon</SPAN></P> Tue, 28 May 2019 21:15:09 GMT https://community.cisco.com/t5/network-security/block-internet-access-cisco-asa/m-p/3864112#M6099 Jon Marshall 2019-05-28T21:15:09Z https://community.cisco.com/t5/network-security/block-internet-access-cisco-asa/m-p/3864222#M6100 <P>Thanks Jon;</P><P>May you please explain why it would be better?</P><P>it wouldn't block inside to DMZ?</P><P>&nbsp;</P><P>Thanks so much.</P> Wed, 29 May 2019 05:30:23 GMT https://community.cisco.com/t5/network-security/block-internet-access-cisco-asa/m-p/3864222#M6100 AliMahm00di 2019-05-29T05:30:23Z https://community.cisco.com/t5/network-security/block-internet-access-cisco-asa/m-p/3864278#M6102 <P>&nbsp;</P> <P>Sorry, didn't think about a DMZ <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> <P>&nbsp;</P> <P>I tend to apply acls closest to the source so the firewall does not need to process the packets any more than it has to so I would modify the acl and allow traffic from inside to the DMZ then deny to internet as you have done and apply to the inside interface.&nbsp;</P> <P>&nbsp;</P> <P>However you can do what you are proposing, there is nothing wrong with that.&nbsp;</P> <P>&nbsp;</P> <P>It comes down to personal preference a lot of the time.&nbsp;</P> <P>&nbsp;</P> <P>Jon</P> Wed, 29 May 2019 07:10:10 GMT https://community.cisco.com/t5/network-security/block-internet-access-cisco-asa/m-p/3864278#M6102 Jon Marshall 2019-05-29T07:10:10Z