06-14-2016 08:57 AM - edited 03-12-2019 12:53 AM
Hello
I have a Cisco ASA 5510 and would like to block a public subnet.
Could someone tell me how I can block a whole subnet with an access list.
Thanks
Jon
06-14-2016 09:03 AM
Hi Jon,
You can use the deny statement on the outside access-list applied in the out direction on the interface.
You can also use the shun command to deny the public IP subnet.
shun x.x.x.x netmask x.x.x.x
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-14-2016 09:20 AM
Not sure I understand.
Could you post a sample config of the access list.
Thanks
06-14-2016 09:28 AM
I am trying to block our inside users from being able to access Netflix.
I have all the subnets that Netflix owns and their IP space.
I plan to build an access list that will block all traffic from the inside to the outside interface.
06-14-2016 05:43 PM
Hi,
You need to apply the access-list on the inside interface as shown in this example:
Block the HTTP port traffic:
In order to block the inside network 10.1.1.0 from access to the host 172.16.1.1 eq 80
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-18-2020 08:16 AM
I have tried this command on my ASA 5540, with 9.x IOS, and the following occurred:
ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0
^
ERROR: % Invalid Hostname
ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0
Can you please let me know how this is done correctly? Thank you very much!
06-14-2016 09:47 AM
Create an object group and include all the Netflix IPs => deny (source any, destination netflix-subnet, service IP); apply it on your internal or DMZ interface, depending on your traffic route.
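The two replies above (apply the access-list inbound on the inside interface; put all the blocked prefixes in a network object-group and deny traffic to it) describe the configuration but the thread never shows it. The following is an added example, not something posted in the thread or taken from Cisco: a small Python generator that turns a list of CIDR prefixes into the ASA object-group and access-list lines. It merges adjacent or overlapping prefixes before emitting them, converts prefix lengths to the dotted netmasks the ASA syntax expects, and writes a `host` entry for /32s. The prefixes are constructed RFC 5737 documentation ranges standing in for the real list; the names `BLOCKED-NETS`, `INSIDE_IN` and the interface nameif `inside` are assumptions you would replace with your own.

```python
from ipaddress import IPv4Network, collapse_addresses

# Constructed sample prefixes (RFC 5737 documentation ranges), not a real block list.
SAMPLE_PREFIXES = ["203.0.113.0/25", "203.0.113.128/25", "192.0.2.10/32"]


def network_object_line(prefix: str) -> str:
    """Render one prefix as an ASA 'network-object' line (host form for /32)."""
    net = IPv4Network(prefix, strict=True)  # strict: reject host bits set in the prefix
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def merged_prefixes(prefixes):
    """Collapse duplicates and adjacent/overlapping prefixes into the minimal sorted set."""
    nets = [IPv4Network(p, strict=True) for p in prefixes]
    return [str(n) for n in collapse_addresses(nets)]


def build_config(prefixes, group_name="BLOCKED-NETS", acl_name="INSIDE_IN", inside_if="inside"):
    """Return the ASA CLI lines: object-group, deny ACE, explicit permit, access-group.

    The names are assumptions for this example. The permit line matters: once an
    access-list is bound to the inside interface the ASA's implicit deny applies,
    so without it all other outbound traffic from that interface stops too.
    """
    lines = [f"object-group network {group_name}"]
    lines += [network_object_line(p) for p in merged_prefixes(prefixes)]
    lines += [
        f"access-list {acl_name} extended deny ip any object-group {group_name}",
        f"access-list {acl_name} extended permit ip any any",
        f"access-group {acl_name} in interface {inside_if}",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(build_config(SAMPLE_PREFIXES)))
```

The deny entry sits before the permit because the ASA evaluates access-list entries in order and stops at the first match. If your inside interface already has an access-list applied, add only the object-group and the deny line, and place the deny ahead of any broader permit with the `line` keyword rather than replacing the existing policy. The object-group approach also keeps the change reversible: removing the group entries or the single deny ACE undoes it, whereas `shun` is a per-source-address emergency block that is not intended for subnet-wide policy.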