03-15-2016 09:52 PM - edited 03-12-2019 12:29 AM
Hi,
Please help me to understand how the ACL works on ASA code 9.x.
If I want to block a host (172.16.10.250) from the DMZ zone to outside (internet access) and the rest of the network should have access, how can I do that?
Which ACL from below (1, 2, 3 & 4) will do that?
Is it possible I can do it in Outside_acl (2, 3 & 4)?
DMZ host
172.16.10.250
object network Obj-172.16.10.250
host 172.16.10.250
access-group Outside_acl in interface Outside
access-group DMZ_acl in interface DMZ
1)
access-list DMZ_acl extended deny ip host 172.16.10.250 interface Outside
access-list DMZ_acl extended permit ip any any
access-list DMZ_acl extended deny ip any any
2)
access-list Outside_acl extended deny ip any host 172.16.10.250
3)
access-list Outside_acl extended deny ip host 172.16.10.250 any
4)
access-list Outside_acl extended deny ip any object Obj-172.16.10.250
Please help
Thanks
03-15-2016 11:30 PM
Hi,
ACLs on the 9.x code work the same as they used to work on the
You would need the option 1 to deny access to
You do not need the keyword outside interface on the ACL.
access-list DMZ_acl extended deny
access-list DMZ_acl extended permit
access-list DMZ_acl extended deny
Also no need to add deny
You can use a packet-tracer command to validate the rules.
packet-tracer input
You should see ACL denying the traffic.
Regards
Aditya
Please rate helpful posts.
03-15-2016 11:48 PM
Thanks Aditya,
" access-list DMZ_acl extended deny ip host 172.16.10.250 any"
If I put any instead of outside interface, the host won't be able to communicate with the inside zone also.
Correct me if I am wrong.
Thanks
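To show why the answer above points at the DMZ-side ACL, and what the follow-up question is worried about, here is an added Python model (editor's example, not from the thread or from Cisco) of how an ASA evaluates an extended ACL: only the ACL bound inbound on the interface the packet enters is consulted, first match wins, and an unmatched flow hits the implicit deny. It is run over the four candidates from the question plus the reply's `deny ip host 172.16.10.250 any` form; the interface networks, the ASA's own addresses, the inside host and the baseline `permit ip any any` on DMZ_acl for options 2-4 are assumptions, and `interface Outside` is modelled as matching only the ASA's own Outside address, which is what that keyword means in an ASA ACE.

```python
import ipaddress
# Constructed lab (assumption, not from the thread): network behind each ASA interface and the
# ASA's own address on it. DMZ host, object, ACL names and access-groups are the thread's.
INTERFACE_NETS = {"DMZ": "172.16.10.0/24", "inside": "192.168.1.0/24", "Outside": "203.0.113.0/24"}
INTERFACE_IPS = {"DMZ": "172.16.10.1", "inside": "192.168.1.1", "Outside": "203.0.113.1"}
OBJECTS = {"Obj-172.16.10.250": "172.16.10.250"}
ACCESS_GROUPS = {"Outside": "Outside_acl", "DMZ": "DMZ_acl"}
BASELINE = ["access-list DMZ_acl extended permit ip any any"]  # assumed existing DMZ policy for 2-4
OPTIONS = {
    1: ["access-list DMZ_acl extended deny ip host 172.16.10.250 interface Outside",
        "access-list DMZ_acl extended permit ip any any"],
    2: ["access-list Outside_acl extended deny ip any host 172.16.10.250"] + BASELINE,
    3: ["access-list Outside_acl extended deny ip host 172.16.10.250 any"] + BASELINE,
    4: ["access-list Outside_acl extended deny ip any object Obj-172.16.10.250"] + BASELINE,
    "reply": ["access-list DMZ_acl extended deny ip host 172.16.10.250 any",  # the reply's form
              "access-list DMZ_acl extended permit ip any any"],
}

def parse_ace(line):
    # access-list NAME extended ACTION ip SRC DST; SRC/DST = any | host A | object O | interface I
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended" or tok[4] != "ip":
        raise ValueError(line)
    specs, rest = [], tok[5:]
    while rest:
        n = 1 if rest[0] == "any" else 2
        specs.append(tuple(rest[:n]))
        rest = rest[n:]
    return tok[1], tok[3], specs[0], specs[1]

def spec_matches(spec, addr):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return addr == spec[1]
    if spec[0] == "object":
        return addr == OBJECTS[spec[1]]
    return addr == INTERFACE_IPS[spec[1]]  # "interface X" matches only the ASA's own address on X

def ingress_interface(src):
    ip = ipaddress.ip_address(src)
    hits = [i for i, n in INTERFACE_NETS.items() if ip in ipaddress.ip_network(n)]
    return hits[0] if hits else "Outside"  # not directly connected: it came in from the internet

def evaluate(config, src, dst):
    # First match wins in the ACL bound inbound on the ingress interface; no match = implicit deny.
    acl = ACCESS_GROUPS[ingress_interface(src)]
    for name, action, s, d in map(parse_ace, config):
        if name == acl and spec_matches(s, src) and spec_matches(d, dst):
            return action
    return "deny"
```

Running `evaluate(OPTIONS[n], "172.16.10.250", "8.8.8.8")` shows that options 2, 3 and 4 never see the DMZ host's outbound flow (it does not enter the Outside interface), while the reply's form denies it; the same form also denies that host towards the assumed inside network, which is exactly the follow-up's point.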
03-15-2016 11:53 PM
Hi,
Regards,
Aditya
Please rate helpful posts and mark correct answers.