acl on asa

elite2010 · ‎03-15-2016

Hi,

Please help me to understand how the acl works on asa code 9.x

If i want to block a host (172.16.10.250) from dmz zone to outside (internet access ) and rest of the network should access .How can i do that ?

Which acl from below (1,2,3 &4 ) will do that ?

Is it possible i can do it in Outside_acl (2,3,&4 )

Dmz host

172.16.10.250

object network Obj-172.16.10.250

host 172.16.10.250

access-group Outside_acl in interface Outside

access-group DMZ_acl in interface DMZ

1)

access-list DMZ_acl extended deny ip host 172.16.10.250 interface Outside

access-list DMZ_acl extended permit ip any any

access-list DMZ_acl extended deny ip any any

2)

access-list Outside_acl extended deny ip any host 172.16.10.250

3)

access-list Outside_acl extended deny ip host 172.16.10.250 any

4)

access-list Outside_acl extended deny ip any object Obj-172.16.10.250

Please help

Thanks

Aditya Ganjoo · ‎03-15-2016

Hi,

ACL's on the 9.x code work the same as they used to work on the prevous codes.

You would need the option 1 to deny access to internet.

You do not need the keyword outside interface on the ACL.

access-list DMZ_acl extended deny ip host 172.16.10.250 any

access-list DMZ_acl extended permit ip any any

access-list DMZ_acl extended deny ip any any

Also no need to add deny ip any any as you are already permitting ip any any in the line above it.

You can use a packet-tracer command to validate the rules.

packet-tracer input dmz icmp 172.16.10.250 8 0 4.2.2.2 detailed

You should see ACL denying the traffic.

Regards

Aditya

Please rate helpful posts.

elite2010 · ‎03-15-2016

Thanks Adithya,

" access-list DMZ_acl extended deny ip host 172.16.10.250 any"

if I put any instead of outside interface , the host wont be able to communicate inside zone also

correct me if i am wrong

Thanks

Aditya Ganjoo · ‎03-15-2016

Hi,

Yes you are correct.

Regards,

Aditya

Please rate helpful posts and mark correct answers.