Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3473
Views
0
Helpful
3
Replies

block internet access Cisco asa

AliMahm00di
Level 1
Level 1

‎05-28-2019 01:14 PM - edited ‎02-21-2020 09:10 AM

Hello;

I'm new to IT security world and Cisco as well.
I want to block my inside network (servers) to access the outside world (internet) which is allowed by default in factory-default config of asa 5505.
It is how I get it done:
ciscoasa(config)# object network insidenet
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# exit
ciscoasa(config)# access-list Restrictinsidenet extended deny ip object insidenet any
ciscoasa(config)# access-g Restrictinsidenet out interface outside
 
is it ok?
I will appreciate sharing your ideas with me.
Thank you so much. Good luck.
BR/
0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎05-28-2019 02:15 PM

 

You would be better to apply the acl to the inside interface ie. - 

 

access-group Restrictinsidenet in interface inside 

 

Jon

0 Helpful

AliMahm00di
Level 1
Level 1
In response to Jon Marshall

‎05-28-2019 10:29 PM - edited ‎05-28-2019 10:30 PM

Thanks Jon;

May you please explain why it would be better?

it wouldn't block inside to DMZ?

 

Thanks so much.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to AliMahm00di

‎05-29-2019 12:10 AM

 

Sorry, didn't think about a DMZ :) 

 

I tend to apply acls closest to the source so the firewall does not need to process the packets any more than it has to so I would modify the acl and allow traffic from inside to the DMZ then deny to internet as you have done and apply to the inside interface. 

 

However you can do what you are proposing, there is nothing wrong with that. 

 

It comes down to personal preference a lot of the time. 

 

Jon

0 Helpful
Review Cisco Networking for a $25 gift card
Top