Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3608
Views
0
Helpful
6
Replies

Block external subnet with asa

Jonathan Forbes
Level 1
Level 1

‎06-14-2016 08:57 AM - edited ‎03-12-2019 12:53 AM

Hello

I have a cisco asa 5510 and would like to block a public subnet.

Could some tell me how i can block a whole subnet with an access list. 

Thanks

Jon

Labels:
0 Helpful
6 Replies 6

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎06-14-2016 09:03 AM

Hi Jon,

You can use the deny statement on the outside access-list applied in the out direction on the interface.

You can also use the shun command to deny the public IP subnet.

shun x.x.x.x netmask x.x.x.x

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Jonathan Forbes
Level 1
Level 1
In response to Aditya Ganjoo

‎06-14-2016 09:20 AM

Not sure i understand. 

Could you post a sample config of the access list. 

Thanks

0 Helpful

Jonathan Forbes
Level 1
Level 1
In response to Aditya Ganjoo

‎06-14-2016 09:28 AM

I am trying to block our inside users from being able to access Netflix. 

I have all the subnet that Netflix owns and there ip space. 

I plan to build and access list that will block all traffic from inside to outside interface. 

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Jonathan Forbes

‎06-14-2016 05:43 PM

Hi,

You need to apply the access-list on the inside interface as shown in this example:

Block the HTTP port traffic:

In order to block the inside network 10.1.1.0 from access to the http (web server) with IP 1.1.1.1 placed in the outside network, create an ACL as shown:


ciscoasa(config)#access-list 100 extended deny tcp 10.1.1.0 255.255.255.0
host 172.16.1.1 eq 80
ciscoasa(config)#access-list 100 extended permit ip any any
ciscoasa(config)#access-group 100 in interface inside

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

beatinger
Level 1
Level 1
In response to Aditya Ganjoo

‎06-18-2020 08:16 AM

I have tried this command on my ASA 5540, with 9.x IOS, and the following occurred:

 

ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0
^
ERROR: % Invalid Hostname
ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0

 

Can you please let me know how this is done correctly?  Thank you very much!

0 Helpful

Akbar ali Sultan
Level 1
Level 1

‎06-14-2016 09:47 AM

create object group and include all netflix ip,=>deny (source any destination netflix-subnet service IP )  apply in your internal or DMZ interface depend on your traffic route

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card