Cisco ASA - Negate Firewall Objects/Groups/Rules

Hello,

Are there any possibilities to negate objects or groups on the Cisco ASA firewall?
E.g. I would like to make an object/group for all non-private IP addresses (so a group for "Internet").
With this I could say that host A should only be able to access the Internet but no internal resources.

With other firewall manufacturers you can work with negated groups, but on the ASA I only know the workaround below.

I know that I could make a workaround and use the top-down principle. I can say:
rule 1: Host A is not allowed to access the private networks
rule 2: Host A is allowed to access any (the rest - the Internet)

Thanks in advance

Best regards


I have tried now another

I have tried now another workaround:
I made a group with all public IP ranges/addresses.

This seems to be working too, but I would appreciate it if you have a solution to negate objects/groups.

Thanks in advance

Re: I have tried now another

Hi @Kevin_W

You could share with me the way you tried to deny these groups; if you prefer, you can send them in private, so that I can test and tell you if it is possible.


Josiane de Barros 

Twitter: SecureGirlNinja


Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

It's hard to believe that this option isn't available for the ASA.


Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

I'll just bump this thread. I am also interested in this feature, especially after working many years with Checkpoint FWs.


Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

It's a year later for this thread; checking whether the negate is now available in ASA?

I am migrating several CheckPoints to ASA 5525-X and the negate cell is pretty convenient.

I would keep it instead of the deny/accept option.


Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

Hello everybody,

I have made a group object with the following IP ranges inside:

0.0.0.0 - 9.255.255.255
11.0.0.0 - 126.255.255.255
129.0.0.0 - 169.253.255.255
172.32.0.0 - 191.0.1.255
192.0.3.0 - 192.88.98.255
192.88.100.0 - 192.167.255.255
192.169.0.0 - 198.17.255.255
198.20.0.0 - 223.255.255.255

So if you want to permit e.g. a client to access ONLY the Internet and not any internal resources, you can use this group for the permit rule.


Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

Hi @Kevin_W

Could you share your show running-config, to understand how it is today?

Best Regards,

Josiane

Twitter: SecureGirlNinja



Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

Hi Josiane,

object network PUBLIC_RANGE_Internet_1
 range 0.0.0.0 9.255.255.255
object network PUBLIC_RANGE_Internet_2
 range 11.0.0.0 126.255.255.255
object network PUBLIC_RANGE_Internet_3
 range 129.0.0.0 169.253.255.255
object network PUBLIC_RANGE_Internet_4
 range 169.255.0.0 172.15.255.255
object network PUBLIC_RANGE_Internet_5
 range 172.32.0.0 191.0.1.255
object network PUBLIC_RANGE_Internet_6
 range 192.0.3.0 192.88.98.255
object network PUBLIC_RANGE_Internet_7
 range 192.88.100.0 192.167.255.255
object network PUBLIC_RANGE_Internet_8
 range 192.169.0.0 198.17.255.255
object network PUBLIC_RANGE_Internet_9
 range 198.20.0.0 223.255.255.255

object-group network Internet
 network-object object PUBLIC_RANGE_Internet_1
 network-object object PUBLIC_RANGE_Internet_2
 network-object object PUBLIC_RANGE_Internet_3
 network-object object PUBLIC_RANGE_Internet_4
 network-object object PUBLIC_RANGE_Internet_5
 network-object object PUBLIC_RANGE_Internet_6
 network-object object PUBLIC_RANGE_Internet_7
 network-object object PUBLIC_RANGE_Internet_8
 network-object object PUBLIC_RANGE_Internet_9
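Added check, not part of the thread or of any Cisco tooling: the Python below takes the ranges from the posted config (the same ones listed in the earlier reply) and computes the two things a reviewer of a "permit to Internet group" rule wants to know, namely which intended exclusions the group still permits and which routable space it leaves unreachable. The list of intended exclusions is my assumption, read off the boundaries the posted ranges skip around; run as written it reports 128.0.0.0/8, 191.0.2.0 through 191.255.255.255 and 192.0.1.0/24 as not covered.

```python
import ipaddress

# The "Internet" object-group from the thread as start/end pairs (transcribed
# from the posted ASA config; the object names are not needed for the check).
POSTED_RANGES = [
    ("0.0.0.0", "9.255.255.255"), ("11.0.0.0", "126.255.255.255"),
    ("129.0.0.0", "169.253.255.255"), ("169.255.0.0", "172.15.255.255"),
    ("172.32.0.0", "191.0.1.255"), ("192.0.3.0", "192.88.98.255"),
    ("192.88.100.0", "192.167.255.255"), ("192.169.0.0", "198.17.255.255"),
    ("198.20.0.0", "223.255.255.255"),
]
# Assumed intent: RFC 1918 plus the special-purpose blocks the ranges skip around.
INTENDED_EXCLUSIONS = [
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/3",
]

def posted_networks():
    """Expand the start/end pairs into a sorted, merged list of CIDR blocks."""
    nets = []
    for start, end in POSTED_RANGES:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
    return list(ipaddress.collapse_addresses(nets))

def uncovered(networks):
    """CIDR blocks of 0.0.0.0/0 that none of `networks` contains, ascending."""
    holes, cursor = [], 0                # cursor: first address not yet covered
    for net in ipaddress.collapse_addresses(networks):    # sorted and merged
        start = int(net.network_address)
        if start > cursor:
            holes.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(start - 1)))
        cursor = int(net.broadcast_address) + 1
    if cursor <= 0xFFFFFFFF:
        holes.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(0xFFFFFFFF)))
    return holes

def missing_public():
    """Routable space the permit rule silently drops: in neither the group nor an exclusion."""
    nets = posted_networks() + [ipaddress.ip_network(x) for x in INTENDED_EXCLUSIONS]
    return uncovered(nets)

def leaked_private():
    """Excluded blocks the group nevertheless permits (should be empty)."""
    leaks = [min(e, p, key=lambda n: n.num_addresses)      # the contained one
             for e in (ipaddress.ip_network(x) for x in INTENDED_EXCLUSIONS)
             for p in posted_networks() if e.overlaps(p)]
    return list(ipaddress.collapse_addresses(leaks))
```

Re-run it after every edit to such a group: the ranges only approximate a negated object, so a typo at one boundary either leaks a private block or blackholes public space without any ASA warning.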

Re: Cisco ASA - Negate Firewall Objects/Groups/Rules

Hi @Kevin_W

Attached is the photo of the configuration made in our firewall.

If my answer was helpful to you, mark it as helpful so others can be helped.

Best Regards

Josiane

Twitter: SecureGirlNinja