block internet access Cisco asa
05-28-2019 01:14 PM - edited 02-21-2020 09:10 AM
Hello;
05-28-2019 02:15 PM
You would be better to apply the ACL to the inside interface, i.e.:
access-group Restrictinsidenet in interface inside
Jon
05-28-2019 10:29 PM - edited 05-28-2019 10:30 PM
Thanks Jon;
May you please explain why it would be better?
It wouldn't block inside to DMZ?
Thanks so much.
05-29-2019 12:10 AM
Sorry, didn't think about a DMZ :)
I tend to apply ACLs closest to the source so the firewall does not need to process the packets any more than it has to, so I would modify the ACL and allow traffic from inside to the DMZ, then deny to the internet as you have done, and apply it to the inside interface.
However, you can do what you are proposing; there is nothing wrong with that.
It comes down to personal preference a lot of the time.
Jon
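
The ordering described in the reply above, written out as an added example that is not part of the original thread. The ACL name and the `inside` interface come from the thread; both subnets and the test addresses are constructed placeholders.

```cisco
! Constructed addressing (assumption, not from the thread):
!   10.10.10.0/24 = inside network, 10.20.20.0/24 = DMZ network

! 1) Permit inside -> DMZ first. ASA ACLs are evaluated top-down and the
!    first matching line wins, so this must sit above the deny.
access-list Restrictinsidenet extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0

! 2) Deny everything else sourced from the inside network (internet-bound).
!    The implicit deny at the end of the ACL would also drop it; an explicit
!    line gives a separate hit counter in "show access-list".
access-list Restrictinsidenet extended deny ip 10.10.10.0 255.255.255.0 any

! 3) Bind inbound on the inside interface. Once an ACL is bound here, the
!    default "higher to lower security level" permit no longer applies to
!    traffic entering inside: anything not explicitly permitted is dropped.
access-group Restrictinsidenet in interface inside

! Verification from privileged EXEC mode (constructed test addresses):
show access-list Restrictinsidenet
! Expected ALLOW: inside host to a DMZ host
packet-tracer input inside tcp 10.10.10.5 12345 10.20.20.10 443
! Expected DROP by the access-list: inside host to an external address
packet-tracer input inside tcp 10.10.10.5 12345 203.0.113.10 443
```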
