Blocking an IP address on ASA

mahesh18
Level 6

Hi Everyone,

Need to block all connections going to particular IP address on the internet.

Also we do not want any connection coming from that IP to our ASA.

Need to know which interface I should apply the ACL to?

Outside interface of ASA?

Thanks

MAhesh


lcambron
Level 3

Hello Mahesh,

If you want to block traffic to that IP from any interface, then you can apply it on the outside interface outbound direction:

access-list name deny ip any host x.x.x.x

access-list name permit ip any any

access-group name out interface outside

Regards,

Felipe.

Hi Felipe,

If I need to block traffic coming from that IP to the ASA, then I can apply it to the outside interface but in the inside direction?

So when we apply an ACL to the outside interface of the ASA, how does it block all other interfaces also?

Thanks

MAhesh

Hello Mahesh,

If I need to block traffic coming from that IP to the ASA, then I can apply it to the outside interface but in the inside direction?

Exactly, inbound direction.

So when we apply an ACL to the outside interface of the ASA, how does it block all other interfaces also?

Because you will not only block traffic TO the box but also traffic through the box to other devices on other interfaces; this will be blocked as long as it needs to go via the outside interface.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Just to add

If traffic to the box is via SSH, Telnet or ASDM, you could block it with the configuration of each of those command sets; no need for an ACL for that traffic.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
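
The two directions discussed in this thread, put together as one ASA configuration with a verification step. This is an added example, not part of the original posts; 203.0.113.50 stands in for x.x.x.x, and the ACL names, the inside host and the management subnet are hypothetical.

```cisco
! Added example. 203.0.113.50 is a constructed stand-in for x.x.x.x.
! ACL names, inside host 10.1.1.10 and management subnet 192.0.2.0/24
! are hypothetical.

! 1) New connections going TO the address: outbound ACL on outside.
access-list OUTSIDE_OUT extended deny ip any host 203.0.113.50
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside

! 2) New connections coming FROM the address: inbound ACL on outside.
!    Only one extended ACL can be bound per interface and direction.
!    If "show running-config access-group" already lists an inbound
!    ACL on outside, insert the deny at the top of that ACL instead:
!      access-list <existing-acl> line 1 extended deny ip host 203.0.113.50 any
!    An ACL ends with an implicit deny, so the one-line ACL below
!    permits nothing inbound by itself.
access-list OUTSIDE_IN extended deny ip host 203.0.113.50 any
access-group OUTSIDE_IN in interface outside

! 3) Management sessions to the ASA itself: list only known sources
!    and leave the blocked host out of these statements.
ssh 192.0.2.0 255.255.255.0 outside
http 192.0.2.0 255.255.255.0 outside

! 4) The ACL is checked when a connection is built, so clear any
!    connections that already exist with the address (privileged EXEC).
clear conn address 203.0.113.50

! 5) Verify (privileged EXEC): each trace is expected to report a drop,
!    and the deny lines show a hit count for matched packets.
packet-tracer input inside tcp 10.1.1.10 12345 203.0.113.50 443
packet-tracer input outside tcp 203.0.113.50 12345 10.1.1.10 443
show access-list OUTSIDE_OUT
show access-list OUTSIDE_IN
```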

Hi Julio,

Many thanks again for explaining.

ASA  is very interesting.

Regards

MAhesh

Hello Mahesh,

My pleasure

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC