Cisco ASA - Negate Firewall Objects/Groups/Rules

Kevin_W
Level 1

Hello,

Are there any possibilities to negate objects or groups on the Cisco ASA firewall?
E.g. I would like to make an object/group for all non-private IP addresses (so a group for "Internet").
With this I could say that host A should only be able to access the Internet but no internal resources.

With other firewall manufacturers you can work with negated groups, but on the ASA I only know the workaround below.

I know that I could make a workaround and use the top-down principle. I can say:
rule 1: Host A is not allowed to access the private networks
rule 2: Host A is allowed to access any (the rest - the Internet)



Thanks in advance

Best regards

1 Accepted Solution

Accepted Solutions

Hi Josiane,

 

object-group network Internet
network-object object PUBLIC_RANGE_Internet_1
network-object object PUBLIC_RANGE_Internet_6
network-object object PUBLIC_RANGE_Internet_5
network-object object PUBLIC_RANGE_Internet_4
network-object object PUBLIC_RANGE_Internet_3
network-object object PUBLIC_RANGE_Internet_2
network-object object PUBLIC_RANGE_Internet_7
network-object object PUBLIC_RANGE_Internet_8
network-object object PUBLIC_RANGE_Internet_9

object network PUBLIC_RANGE_Internet_1
range 0.0.0.0 9.255.255.255
object network PUBLIC_RANGE_Internet_2
range 11.0.0.0 126.255.255.255
object network PUBLIC_RANGE_Internet_3
range 129.0.0.0 169.253.255.255
object network PUBLIC_RANGE_Internet_4
range 169.255.0.0 172.15.255.255
object network PUBLIC_RANGE_Internet_5
range 172.32.0.0 191.0.1.255
object network PUBLIC_RANGE_Internet_6
range 192.0.3.0 192.88.98.255
object network PUBLIC_RANGE_Internet_7
range 192.88.100.0 192.167.255.255
object network PUBLIC_RANGE_Internet_8
range 192.169.0.0 198.17.255.255
object network PUBLIC_RANGE_Internet_9
range 198.20.0.0 223.255.255.255

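The accepted configuration above, and the deny-then-permit ordering in the original question, are two ways of expressing the same thing: the complement of the private and reserved blocks. Since the ASA has no negate operator, that complement has to be spelled out by hand, which is where mistakes creep in (the list posted later in this thread drops one range, and the boundary 191.0.1.255 / 192.0.3.0 excludes more than the 192.0.2.0/24 block it seems to target). The following Python script is an added example, not code from this thread or from Cisco: it computes the gaps between a list of excluded prefixes, prints them in the object/object-group shape shown above, and checks a hand-written range list for overlap with the excluded blocks. The object and group names, and the choice of which reserved blocks to exclude, are assumptions.

```python
"""Generate and verify a 'not private' (Internet) object group for Cisco ASA.

Added example for this thread, not code from the thread or from Cisco. The
ASA cannot negate an object, so the group has to be spelled out as the
complement of the excluded blocks. Object and group names are assumptions.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPV4_MAX = int(ipaddress.IPv4Address("255.255.255.255"))

# Blocks to leave out of the "Internet" group: RFC 1918 plus common reserved
# ranges. Which blocks to exclude is a policy choice (assumption).
EXCLUDED_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
]

AddrRange = Tuple[str, str]  # inclusive (first, last) as dotted quads


def complement_ranges(excluded: Iterable[str]) -> List[AddrRange]:
    """Return the IPv4 ranges not covered by any prefix in `excluded`.

    Prefixes are sorted, then the gaps between them (and before the first /
    after the last) are emitted. Overlapping prefixes are tolerated.
    """
    nets = sorted((ipaddress.ip_network(p, strict=False) for p in excluded),
                  key=lambda n: int(n.network_address))
    result: List[AddrRange] = []
    cursor = 0  # first address not yet assigned to a gap or an excluded block
    for net in nets:
        first, last = int(net.network_address), int(net.broadcast_address)
        if first > cursor:
            result.append((str(ipaddress.IPv4Address(cursor)),
                           str(ipaddress.IPv4Address(first - 1))))
        cursor = max(cursor, last + 1)
    if cursor <= IPV4_MAX:
        result.append((str(ipaddress.IPv4Address(cursor)),
                       str(ipaddress.IPv4Address(IPV4_MAX))))
    return result


def to_asa_config(ranges: List[AddrRange], group_name: str = "Internet",
                  obj_prefix: str = "PUBLIC_RANGE_Internet_") -> str:
    """Render ranges as ASA 'object network ... range' entries plus one object-group."""
    lines: List[str] = []
    for i, (first, last) in enumerate(ranges, start=1):
        lines.append(f"object network {obj_prefix}{i}")
        lines.append(f" range {first} {last}")
    lines.append(f"object-group network {group_name}")
    for i in range(1, len(ranges) + 1):
        lines.append(f" network-object object {obj_prefix}{i}")
    return "\n".join(lines)


def parse_asa_ranges(config_text: str) -> List[AddrRange]:
    """Pull (first, last) pairs out of 'range A B' lines in an ASA config."""
    ranges: List[AddrRange] = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "range":
            ranges.append((parts[1], parts[2]))
    return ranges


def overlaps(ranges: Iterable[AddrRange], excluded: Iterable[str]) -> List[str]:
    """Report every range that still contains addresses from an excluded prefix.

    Use this to review a hand-built group before attaching it to a permit rule.
    """
    problems: List[str] = []
    nets = [ipaddress.ip_network(p, strict=False) for p in excluded]
    for first, last in ranges:
        a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        for net in nets:
            if a <= int(net.broadcast_address) and b >= int(net.network_address):
                problems.append(f"{first}-{last} overlaps {net}")
    return problems


if __name__ == "__main__":
    generated = complement_ranges(EXCLUDED_PREFIXES)
    print(to_asa_config(generated))
    # Constructed sample of a hand-written object that accidentally covers 172.16/12.
    sample = "object network BAD\n range 172.0.0.0 172.31.255.255\n"
    for problem in overlaps(parse_asa_ranges(sample), EXCLUDED_PREFIXES):
        print("problem:", problem)
```

Paste the output of `show running-config object` from the firewall into `parse_asa_ranges` and run `overlaps` against the same exclusion list to confirm the group really contains no internal addresses; an object that passes this check can be used in a single permit rule without the deny line in front of it.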

9 Replies

Kevin_W
Level 1

I have now tried another workaround:
I made a group with all public IP ranges/addresses.

This seems to be working too, but I would appreciate it if you have a solution to negate objects/groups.


Thanks in advance

Hi @Kevin_W 

Could you share with me the way you tried to deny these groups? If you prefer, you can send them in private, so that I can test and tell you if it is possible.

 

Josiane de Barros 

Twitter: SecureGirlNinja

KwameB876
Level 1

It's hard to believe that this option isn't available for the ASA.

I'll just bump this thread. I am also interested in this feature, especially after working many years with Checkpoint FWs.

It's a year later for this thread, checking if the negate is now available in ASA?

I am migrating several CheckPoints to ASA 5525-X and the negate cell is pretty convenient.

I would keep it instead of the deny/accept option.

Hello everybody,

I have made a group object with following IP ranges inside:

0.0.0.0 - 9.255.255.255
11.0.0.0 - 126.255.255.255
129.0.0.0 - 169.253.255.255
172.32.0.0 - 191.0.1.255
192.0.3.0 - 192.88.98.255
192.88.100.0 - 192.167.255.255
192.169.0.0 - 198.17.255.255
198.20.0.0 - 223.255.255.255

 

So if you want to permit e.g. a client to access ONLY the internet and not any internal resources, you can use this group for the permit rule.

 

Hi @Kevin_W 

 

Could you share your show running-config, so I can understand how it is today?

Best Regards,

Josiane

Twitter: SecureGirlNinja

 


Hi @Kevin_W 


Attached is the photo of the configuration made in our firewall.


If my answer was helpful to you, mark it as helpful so others can be helped.

 

Best Regards 

 

Josiane 

Twitter: SecureGirlNinja
