09-13-2011 01:42 AM - edited 03-11-2019 02:23 PM
Hi,
In a firewall, traffic flows from a higher security level to a lower security level by default.
If I apply an access-list to deny particular traffic, say that the 10.1.1.0/24 network should not flow to a lower-level interface, and apply that access-list on the inside interface,
will the remaining network traffic, say 192.168.1.0/24, also be blocked?
09-13-2011 01:46 AM
When you configure an access-list to deny, you will also need to explicitly configure the permit for the rest of the networks that you would like to allow, because there is an implicit deny any any at the end of the access-list.
In your scenario, if you just want to block the 10.1.1.0/24 network, then you can configure the following:
access-list inside-acl deny ip 10.1.1.0 255.255.255.0 any
access-list inside-acl permit ip any any
OR, if you want to be more restrictive, you can also configure the following:
access-list inside-acl deny ip 10.1.1.0 255.255.255.0 any
access-list inside-acl permit ip 192.168.1.0 255.255.255.0 any
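The three access-lists discussed above, evaluated the way the firewall evaluates them (first matching entry wins, and a packet that matches no entry hits the implicit deny). This is an added illustration written for this thread, not Cisco code and not taken from the posts: the parser handles only the `access-list <name> <permit|deny> ip <src> <mask>|any <dst> <mask>|any` form used in the answer, and the source and destination addresses fed to it are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry: action plus source/destination networks."""
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_net(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    # "any" is one token; a network is "<address> <mask>" (two tokens).
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    net = ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_ace(line: str) -> Ace:
    """Parse an ASA-style 'access-list NAME permit|deny ip SRC DST' line.

    Only the subset of syntax used in the answer above is supported
    (protocol 'ip', networks given as address + netmask, or 'any').
    """
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    src, i = _take_net(tokens, 4)
    dst, _ = _take_net(tokens, i)
    return Ace(action, src, dst)


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, index_of_matching_entry).

    First match wins. If no entry matches, the result is the implicit
    'deny any any' at the end of every access-list, reported as index None.
    """
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for idx, ace in enumerate(acl):
        if s in ace.src and d in ace.dst:
            return ace.action, idx
    return "deny", None


# The three access-lists from the thread (constructed from the answer text).
DENY_ONLY = [parse_ace("access-list inside-acl deny ip 10.1.1.0 255.255.255.0 any")]

DENY_PLUS_PERMIT_ANY = DENY_ONLY + [
    parse_ace("access-list inside-acl permit ip any any"),
]

DENY_PLUS_PERMIT_ONE = DENY_ONLY + [
    parse_ace("access-list inside-acl permit ip 192.168.1.0 255.255.255.0 any"),
]


if __name__ == "__main__":
    # Constructed sample flows: one host from each inside network going outbound.
    flows = [("10.1.1.5", "203.0.113.10"), ("192.168.1.10", "203.0.113.10"),
             ("172.16.0.5", "203.0.113.10")]
    for name, acl in (("deny only", DENY_ONLY),
                      ("deny + permit any", DENY_PLUS_PERMIT_ANY),
                      ("deny + permit 192.168.1.0/24", DENY_PLUS_PERMIT_ONE)):
        print(f"--- {name}")
        for src, dst in flows:
            action, idx = evaluate(acl, src, dst)
            where = f"entry {idx}" if idx is not None else "implicit deny"
            print(f"{src:>14} -> {dst}: {action} ({where})")
```

Running it shows the answer's point directly: with only the deny entry, 192.168.1.10 is dropped by the implicit deny even though no entry names it; adding `permit ip any any` lets everything except 10.1.1.0/24 through; and the more restrictive list lets 192.168.1.0/24 through while 172.16.0.5 (a network nobody listed) is still dropped.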
09-13-2011 02:30 AM
Thank you.
So it is the same concept as on routers.
09-13-2011 03:15 AM
Yes, absolutely correct, it is the same concept as access-lists on routers.
Please kindly mark the post as answered if you have no further questions. Thank you.