02-12-2021 05:58 AM
What is the proper ACL to block internet on one server using an ASA 5545 version 9.6(4) 20?
02-12-2021 06:11 AM
Not sure of your ASA configuration, so I can't suggest based on the existing config.
So please look at the document below, use ASDM to add the ACL, and test & advise.
02-12-2021 06:13 AM
Alternately, you could delete a default route on the server itself and only use specific routes.
HTH.
02-12-2021 06:22 AM - edited 02-12-2021 09:37 AM
What is the proper ACL to block internet on one server using an ASA 5545 version 9.6(4) 20?
EXAMPLE
!
interface GigabitEthernet1/5
 nameif DMZ
 security-level 50
 ip address 192.168.x.x 255.255.x.x
!
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
object network SERVER-DMZ
 host 192.168.x.x
---THIS IS YOUR SERVER THAT NEEDS TO BE STOPPED FROM ACCESSING THE INTERNET----
!
access-list DMZ_IN extended permit ip object SERVER-DMZ object-group RFC1918
access-list DMZ_IN extended deny ip object SERVER-DMZ any
!
access-group DMZ_IN in interface DMZ
02-12-2021 08:30 AM
I have a lot of other ACLs as part of different interfaces: inside, outside, dmz and transit interfaces. I want to be sure this doesn't block anything from other devices in my network. Do I need to do anything so nothing else gets blocked?
02-12-2021 08:50 AM - edited 02-12-2021 09:39 AM
Which interface on this ASA does this server belong to?
And what access list do you have configured on this interface?
If you share the interface name of this server and the first line of the access list, I can write the ACL for you.
example
!
access-list DMZ_IN line 1 extended permit ip object SERVER-DMZ object-group RFC1918
access-list DMZ_IN line 2 extended deny ip object SERVER-DMZ any
access-list DMZ_IN line 3 extended permit ip xxx.xxx. xxx.xxxx
....................................................
.....................................................
!
access-group DMZ_IN in interface DMZ
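The question of whether the two new lines can break other hosts comes down to two ASA facts: an extended ACL is evaluated top to bottom and the first matching entry wins, and an access-group applied to an interface ends with an implicit deny, so every existing permit for other hosts must stay below the two server lines. The following Python model, added here and not code from the thread or from Cisco, replays that evaluation on a constructed ACL: the server (constructed address 192.168.50.10) gets the two entries above, and a constructed line 3 stands in for the existing permit that the rest of the DMZ relies on. It shows the server being cut off from the internet while keeping private-space access, another DMZ host still reaching the internet through line 3, what happens if line 3 is missing (implicit deny), and what happens if the deny is placed above the permit.

```python
import ipaddress

# Simplified model of ASA extended-ACL evaluation: first match wins, and an
# access-group ends with an implicit deny. Added example, not Cisco code.
# All addresses below are constructed stand-ins for the thread's 192.168.x.x.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVER_DMZ = [ipaddress.ip_network("192.168.50.10/32")]   # the one server to cut off
DMZ_SUBNET = [ipaddress.ip_network("192.168.50.0/24")]    # other hosts on the DMZ interface
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Each access-list entry in line order: (action, source networks, destination networks).
# Lines 1-2 mirror the thread's DMZ_IN example; line 3 is a constructed stand-in
# for whatever existing permit the rest of the DMZ already depends on.
DMZ_IN = [
    ("permit", SERVER_DMZ, RFC1918),   # line 1: server may still reach private space
    ("deny",   SERVER_DMZ, ANY),       # line 2: server may reach nothing else
    ("permit", DMZ_SUBNET, ANY),       # line 3: existing access for everyone else
]


def _matches(addr, nets):
    return any(addr in n for n in nets)


def evaluate(acl, src, dst):
    """Return (action, line_number) of the first matching entry,
    or ('deny', None) when the flow falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, (action, srcs, dsts) in enumerate(acl, start=1):
        if _matches(s, srcs) and _matches(d, dsts):
            return action, line
    return "deny", None


def check_policy(acl):
    """The three flows the original poster cares about, evaluated against one ACL."""
    internet_host = "198.51.100.7"   # constructed public (non-RFC1918) address
    return {
        "server_to_internet": evaluate(acl, "192.168.50.10", internet_host),
        "server_to_internal": evaluate(acl, "192.168.50.10", "10.1.2.3"),
        "other_host_to_internet": evaluate(acl, "192.168.50.20", internet_host),
    }


if __name__ == "__main__":
    print("intended order:", check_policy(DMZ_IN))
    # Without the existing permit, other hosts hit the implicit deny.
    print("line 3 missing:", check_policy(DMZ_IN[:2]))
    # With deny above permit, the server loses internal access too.
    print("deny first:    ", check_policy([DMZ_IN[1], DMZ_IN[0], DMZ_IN[2]]))
```

Running it shows why the order matters: with the intended order the server is denied at line 2 and the other host is permitted at line 3; dropping line 3 sends the other host to the implicit deny, which is exactly the breakage the poster was worried about; swapping lines 1 and 2 denies the server's internal traffic at line 1 before the permit is ever reached. The same checks can be done on the appliance itself with packet-tracer before and after the change.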
02-12-2021 10:33 AM
The server should be behind the inside interface, but I can't share the names of the servers.
02-12-2021 08:55 AM
If you have too many ACLs and are not able to post the complete config, or are not confident where to add it, the best option is to use ASDM to add the line below or above where required, then test; if it is not working it is easy from the GUI to disable or amend it.
Since the ASA generates a lot of ACL commands, sometimes it is hard to figure out where to insert these lines, and as you mentioned this may cause other issues, so please use the GUI; it is easier for simplicity.