Access-group command on ASA

mahesh18
Level 6

Hi all,

Need to confirm if this is the right way to use an ACL to block a specific user from accessing www.

Config 1

access-list BLOCK extended deny tcp host 192.168.1.1 any eq www log

access-group BLOCK in interface inside

Here IP 192.168.1.1 is used as the source, which is the inside interface of the ASA.

Now host PC 192.168.1.6 is not able to access the internet, but the hit count does not increment; it stays at zero. Need to know why?

Config 2

When I use the source IP of the PC, then the user PC is still able to access the internet.

Thanks

Mahesh Parmar


6 Replies

Jennifer Halim
Cisco Employee

If you would like to block host 192.168.1.6 from accessing the web, then you would need to configure the following:

access-list BLOCK extended deny tcp host 192.168.1.6 any eq www log

access-list BLOCK extended permit ip any any

The second line is to ensure that everything else is permitted to go out to the internet, because by default there is an implicit deny ip any any at the end of an access-list.

Hi Jennifer,

Thanks for the reply. So I do not need to use the access-group command then?

Can you please tell me then when we use the access-group command in ASA?

Mahesh

Hi Jennifer,

I applied the following config

access-list BLOCK extended deny tcp host 192.168.1.7 any eq www log

access-list BLOCK extended permit tcp any any

access-group BLOCK out interface outside

Now the user PC is unable to access www, but when I do sh access-list I see the hit counters stay at zero; they do not increment.

Can you please tell why?

Thanks

Mahesh

The reason is that normally DNS resolution happens first, before the user can access the internet.

Since you are not permitting udp any any, then the hitcount for denying the WWW still shows zero since it doesn't even get into that stage.

If you also include:

access-list BLOCK extended permit udp any any

Then you will see hitcount on the udp as well as the deny for that host on www.
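To make the two answers above concrete, here is a small Python model of how an ASA extended ACL is evaluated: first matching entry wins, its hit counter is incremented, and a packet that matches nothing falls to the implicit deny ip any any at the end (which has no per-ACE counter). It also models the point about DNS: a browser resolves the name over UDP/53 before it ever opens TCP/80, so if the UDP query is dropped the deny tcp ... eq www line is never reached and its counter stays at zero. This is an added example, not code from the thread or from Cisco; the parser covers only the ACE syntax used in this thread, and the DNS and web server addresses (203.0.113.53, 203.0.113.80) are constructed placeholders. It assumes the ACL has already been bound to an interface with access-group, since an ACL that is not applied filters nothing.

```python
"""Model of ASA extended-ACL first-match evaluation with per-ACE hit counters.

Constructed for illustration (not ASA code). Assumptions: the ACL is bound
to an interface with access-group; a web visit sends a DNS query (UDP/53)
first and opens TCP/80 only if that query was allowed; anything matching
no ACE hits the implicit 'deny ip any any', which has no per-ACE counter.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]        # None means any destination port
    hits: int = 0               # what 'show access-list' reports for this ACE

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in self.src or ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def _addr(toks: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'; return (network, next index)."""
    if toks[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ip_network(toks[i + 1] + "/32"), i + 2
    return ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ...' line (the subset used in the thread)."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    action, proto = t[3], t[4]
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":          # 'eq www' / 'eq 443'; trailing 'log' is ignored
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


class Acl:
    def __init__(self, lines: List[str]):
        self.aces = [parse_ace(l) for l in lines]
        self.implicit_deny_hits = 0          # kept for the model; the ASA does not display this

    def check(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """First matching ACE decides and is counted; no match falls to the implicit deny."""
        for ace in self.aces:
            if ace.matches(proto, src, dst, dport):
                ace.hits += 1
                return ace.action == "permit"
        self.implicit_deny_hits += 1
        return False

    def hits(self) -> List[int]:
        return [a.hits for a in self.aces]


def browse(acl: Acl, client: str, dns: str = "203.0.113.53", web: str = "203.0.113.80") -> str:
    """Simulate one web visit: DNS first, then TCP/80 only if the name resolved."""
    if not acl.check("udp", client, dns, 53):
        return "blocked-at-dns"              # deny-www ACE never consulted, its counter stays 0
    if not acl.check("tcp", client, web, 80):
        return "blocked-at-www"              # deny-www ACE matched and counted
    return "allowed"


if __name__ == "__main__":
    # Original config: deny only, so the PC's DNS query hits the implicit deny.
    acl = Acl(["access-list BLOCK extended deny tcp host 192.168.1.6 any eq www log"])
    print(browse(acl, "192.168.1.6"), acl.hits())
    # With 'permit udp any any' added, DNS passes and the deny line is counted.
    acl = Acl(["access-list BLOCK extended deny tcp host 192.168.1.6 any eq www log",
               "access-list BLOCK extended permit tcp any any",
               "access-list BLOCK extended permit udp any any"])
    print(browse(acl, "192.168.1.6"), acl.hits())
```

Running it with the original deny-only ACL prints blocked-at-dns with hit counts [0], which is exactly the symptom in the question; adding the udp permit prints blocked-at-www with [1, 0, 1], the DNS query counted on the udp line and the web request counted on the deny line.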

Hi Jennifer,

I am new to the ASA world but have to learn now, as at my new job we have a few ASAs.

It is very good that we have people like you in this forum who can answer the questions so we can understand the concept better.

Thanks a lot.

Regards

Mahesh

Thanks Mahesh. Good to hear that you have learnt through the forum.
