2267 Views, 5 Helpful, 7 Replies

Block internet on one device

Eddie Sardinha
Level 1

What is the proper ACL to block internet on one server using an ASA 5545 version 9.6(4) 20?

7 Replies 7

balaji.bandi
Hall of Fame

Not sure of your ASA configuration, so I cannot suggest anything based on the existing config.

So please look at the document below, add the ACL using ASDM, test and advise.

https://www.petenetlive.com/KB/Article/0000743

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

rais
Level 7

Alternately, you could delete a default route on the server itself and only use specific routes.

HTH.

What is the proper ACL to block internet on one server using an ASA 5545 version 9.6(4) 20?

EXAMPLE

!
interface GigabitEthernet1/5
 nameif DMZ
 security-level 50
 ip address 192.168.x.x 255.255.x.x
!
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
object network SERVER-DMZ
 host 192.168.x.x
 description THIS IS YOUR SERVER THAT NEEDS ACCESS TO THE INTERNET STOPPED
!
access-list DMZ_IN extended permit ip object SERVER-DMZ object-group RFC1918
access-list DMZ_IN extended deny ip object SERVER-DMZ any
!
access-group DMZ_IN in interface DMZ

please do not forget to rate.

I have a lot of other ACLs as part of different interfaces: inside, outside, DMZ and transit interfaces. I want to be sure this doesn't block anything from other devices in my network. Do I need to do anything so nothing else gets blocked?

Which interface on this ASA does this server belong to?
And what access list have you configured on this interface?

If you share the interface name of this server and the first line of the access list, I can write the ACL for you.

example

!
access-list DMZ_IN line 1 extended permit ip object SERVER-DMZ object-group RFC1918
access-list DMZ_IN line 2 extended deny ip object SERVER-DMZ any
access-list DMZ_IN line 3 extended permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
....................................................
.....................................................
!
access-group DMZ_IN in interface DMZ

please do not forget to rate.

The server should be behind the inside interface, but I can't share the names of the servers.

If you have too many ACLs and are not able to post the complete config, and are not confident where to add it, the best option is to use ASDM to add the line below or above where required; then test, and if it is not working it is easy from the GUI to disable or amend it.

Since the ASA generates a lot of ACL commands, sometimes it is hard to figure out where to insert these lines and, as you mentioned, this may cause other issues, so please use the GUI for simplicity.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
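The following is an added worked example, not configuration posted in this thread. It takes the situation the original poster described (server behind the inside interface, an existing ACL already applied there) and shows how the two entries from the replies above are inserted into that existing ACL without touching the other entries, plus the checks to confirm only that one host is affected. The interface name inside, the ACL name INSIDE_IN, and the addresses 10.1.1.50, 8.8.8.8 and 10.2.2.10 are all assumptions constructed for the example.

```cisco
! Added example (not from the thread). Assumptions: the server is 10.1.1.50
! behind the "inside" interface, and an ACL named INSIDE_IN is already
! applied inbound on that interface. All names and addresses are constructed.
!
! 1. Define the objects once so the access-list entries stay readable.
object network SRV-NO-INTERNET
 host 10.1.1.50
 description Server that must not reach the internet
!
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! 2. Insert the two entries at the top of the EXISTING ACL with "line N" so
!    they are evaluated before any broader permit that is already there.
!    Both entries are scoped to the single source host, so traffic from every
!    other device still reaches the original entries unchanged.
!    "log" on the deny makes each blocked attempt visible in syslog
!    (message 106100), which gives you a detection signal, not just a block.
access-list INSIDE_IN line 1 extended permit ip object SRV-NO-INTERNET object-group RFC1918
access-list INSIDE_IN line 2 extended deny ip object SRV-NO-INTERNET any log
!
! 3. The ACL is already bound to the interface, so no new access-group
!    command is needed. Only if it were a brand-new ACL would you add:
!    access-group INSIDE_IN in interface inside
!
! 4. Verify the ordering and hit counts, then simulate both cases:
!    the server to a public address (expected: dropped at the ACCESS-LIST
!    phase by line 2) and the server to an internal host (expected: allowed
!    by line 1), and finally another inside host to the internet (expected:
!    handled by the pre-existing entries exactly as before).
show access-list INSIDE_IN
packet-tracer input inside tcp 10.1.1.50 40000 8.8.8.8 443
packet-tracer input inside tcp 10.1.1.50 40000 10.2.2.10 445
packet-tracer input inside tcp 10.1.1.60 40000 8.8.8.8 443
```

Two points worth checking before calling it done: the permit to RFC1918 must sit above the deny, otherwise the deny matches first and the server loses internal connectivity as well; and if you prefer the ASDM route the replies recommend, the same two entries are added with "Insert..." above the first existing rule of the inside ACL, and the packet-tracer checks can be run from Tools > Packet Tracer instead of the CLI.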
