ASA 5520 can't block incoming traffic

Nikolay Savin
Level 1

I have configured 3 interfaces on the ASA:

1st - management (only for management)

2nd - gig0/0 is connected to the internet with a real IP

3rd - gig0/1 is connected to the local network

I configured routed NAT to the internet.

But I have a problem with restricting incoming traffic to the inside interface (ifname is inside).

I created access lists:

     access-list INSIDE_IN extended permit ip object-group ADMIN any

     access-list INSIDE_IN extended deny ip any any

And linked the access list to the inside interface with the rule

     access-group INSIDE_IN in interface inside

but I can still connect to the IP address of the inside interface from another IP. This is wrong and I can't understand where my mistake is.

Please help me, anybody.

2 Replies

Jennifer Halim
Cisco Employee

Are you trying to limit access to the ASA inside interface itself to just a specific IP address?

How are you trying to access the inside interface? SSH? HTTP? Ping?

An access-list applied to the inside interface is configured for traffic going through the firewall, e.g. from the inside network to the internet, not for traffic towards the ASA interface.

If you are trying to limit access to the ASA interface itself, then you should be using the ssh, http, or icmp commands to only allow access from a specific IP.
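
As an added illustration of the distinction in this answer (not configuration from the thread or from Cisco), the ASA config below shows the thread's own interface ACL next to the ssh/http/icmp commands that actually control access to the interface itself. The interface name "inside" and the ACL lines come from the question; the admin host 10.1.1.10/32 is an assumed placeholder.

```cisco
! Constructed example. "inside" and the INSIDE_IN ACL are from the thread;
! 10.1.1.10/32 is an assumed administrative host, not a value from the thread.
!
! --- What the question did: an interface ACL ---
! An ACL bound with access-group governs traffic passing THROUGH the ASA that
! arrives on "inside". It does not govern traffic addressed TO the inside
! interface IP, so SSH/ASDM/ping to that IP are still accepted from any host.
! Side effect: inside hosts not in ADMIN also lose internet access, because
! the final deny matches their through-traffic as well.
access-list INSIDE_IN extended permit ip object-group ADMIN any
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
!
! --- What limits access to the ASA itself: the management-access commands ---
! SSH: only the listed source may open a session arriving on "inside".
crypto key generate rsa modulus 2048
ssh 10.1.1.10 255.255.255.255 inside
ssh version 2
ssh timeout 10
! ASDM / HTTPS: the same per-interface source restriction for the HTTP server.
http server enable
http 10.1.1.10 255.255.255.255 inside
! Telnet: with no "telnet <ip> <mask> inside" line, Telnet to that interface
! is not accepted at all.
! ICMP to the interface IP: permit the admin host, deny everyone else.
icmp permit host 10.1.1.10 inside
icmp deny any inside
!
! Verification on the ASA: these show the to-the-box policy that is in force.
show running-config ssh
show running-config http
show running-config icmp
```
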

Now all is clear.

I had doubts about how access-lists work with traffic going towards the ASA interface.

Thank you for the response.
