ACCESS RULE IN ASA 5510

suhas_syndrome

Hi Experts,

Please find the network diagram below. I want to deny Internet access for some hosts in my network, and other hosts should be able to access email only. What access rule should be applied on the ASA 5510? (Attachment: ACCESS RULE.jpg)


Hello Suhas,

You can probably use the ACL below:

access-list inside_access_in extended deny ip host 192.168.0.6 any
access-list inside_access_in extended deny ip host 192.168.0.9 any
access-list inside_access_in extended permit tcp host 192.168.0.8 host eq https
access-list inside_access_in extended permit tcp host 192.168.0.8 host eq http
access-list inside_access_in extended permit udp host 192.168.0.8 host eq 53
access-list inside_access_in extended deny ip host 192.168.0.8 any
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any

access-group inside_access_in in interface inside
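
An interface ACL on the ASA is evaluated top-down, the first matching entry decides, and anything that matches nothing hits the implicit deny at the end. As an added example (not code from the thread), this Python model replays the ACL above against sample packets; the destination 203.0.113.10 is a constructed placeholder, because the posted entries omit the address after `host`, and the `evaluate` helper is hypothetical.

```python
import ipaddress

# Constructed placeholder: the posted ACL omits the destination address after
# "host", so a documentation address stands in for the mail server.
MAIL = "203.0.113.10"

ACL = f"""\
access-list inside_access_in extended deny ip host 192.168.0.6 any
access-list inside_access_in extended deny ip host 192.168.0.9 any
access-list inside_access_in extended permit tcp host 192.168.0.8 host {MAIL} eq https
access-list inside_access_in extended permit tcp host 192.168.0.8 host {MAIL} eq http
access-list inside_access_in extended permit udp host 192.168.0.8 host {MAIL} eq 53
access-list inside_access_in extended deny ip host 192.168.0.8 any
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
"""

PORTS = {"https": 443, "http": 80}  # named ports used in the ACL above

def take_addr(tok):
    """Consume one address spec (any | host A | NET MASK) from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse(line):
    tok = line.split()[3:]  # drop "access-list NAME extended"
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = take_addr(tok), take_addr(tok)
    port = None
    if tok and tok[0] == "eq":
        port = PORTS.get(tok[1]) or int(tok[1])
    return action, proto, src, dst, port

RULES = [parse(line) for line in ACL.splitlines()]

def evaluate(proto, src, dst, dport=None):
    """Return (action, 1-based entry number); 0 means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(RULES, 1):
        if rproto not in ("ip", proto):
            continue  # entry is for a different protocol
        if s in rsrc and d in rdst and rport in (None, dport):
            return action, n  # first match wins, later entries are ignored
    return "deny", 0
```

Calling `evaluate("tcp", "192.168.0.8", "198.51.100.7", 443)` returns `("deny", 6)`: with this ordering, 192.168.0.8 reaches only the address named in entries 3 to 5.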

Hi Harish,

But sometimes the hosts that are allowed Internet access are not able to browse the Internet. Why is this happening? Is there any issue with dynamic NAT?

Hello Suhas,

With the configuration Harish provided you, the host 192.168.0.8 should be able to browse the Internet at any time.

Now, if this stops working, perform the following:

1) Ping the ASA from the PC

2) Ping 4.2.2.2 from the PC

3) Ping 4.2.2.2 from the ASA

Let us know the results.

Any other questions? Sure. Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I can ping the ASA from the host, and all the IPs that you gave me. I also pinged 8.8.8.8, but I am not able to browse the Internet. It happens sometimes, not regularly.

Suhas

Hello Suhas,

Okay, but when you start to have issues, were you able to ping 8.8.8.8 from the ASA?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC