03-14-2016 07:51 AM - edited 03-12-2019 12:29 AM
Hello,
Are there any possibilities to negate objects or groups on the Cisco ASA firewall?
E.g. I would like to make an object/group for all not private IP addresses (so a group for "Internet").
With this I could say that host A should only be able to access the Internet but no internal resources.
With other firewall manufacturers you can work with negated groups, but on the ASA I only know the workaround below.
I know that I could make a workaround and use the top-down principle. I can say:
rule 1: Host A is not allowed to access the private networks
rule 2: Host A is allowed to access any (the rest - the Internet)
Thanks in advance
Best regards
03-14-2016 08:29 AM
I have now tried another workaround:
I made a group with all public IP ranges/addresses.
This seems to be working too, but I would appreciate it if you have a solution to negate objects/groups.
Thanks in advance
04-09-2019 04:55 AM
Hi @Kevin_W
Could you share with me the way you tried to deny these groups? If you prefer, you can send them in private so that I can test and tell you if it is possible.
Josiane de Barros
Twitter: SecureGirlNinja
03-16-2018 10:02 AM
It's hard to believe that this option isn't available for the ASA.
03-19-2018 03:41 AM
04-08-2019 11:42 AM
It's a year later for this thread, checking if the negate is now available in ASA?
I am migrating several CheckPoints to ASA 5525-X and the negate cell is pretty convenient.
I would keep it instead of the deny/accept option.
04-09-2019 05:47 AM
Hello everybody,
I have made a group object with following IP ranges inside:
0.0.0.0 - 9.255.255.255
11.0.0.0 - 126.255.255.255
129.0.0.0 - 169.253.255.255
172.32.0.0 - 191.0.1.255
192.0.3.0 - 192.88.98.255
192.88.100.0 - 192.167.255.255
192.169.0.0 - 198.17.255.255
198.20.0.0 - 223.255.255.255
So if you want to permit e.g. a client to access ONLY the Internet and not any internal resources, you can use this group for the permit rule.
04-09-2019 06:39 AM
Hi @Kevin_W
Could you share your show running-config, so I can understand how it is today?
Best Regards,
Josiane
Twitter: SecureGirlNinja
04-09-2019 10:47 PM
Hi Josiane,
object network PUBLIC_RANGE_Internet_1
 range 0.0.0.0 9.255.255.255
object network PUBLIC_RANGE_Internet_2
 range 11.0.0.0 126.255.255.255
object network PUBLIC_RANGE_Internet_3
 range 129.0.0.0 169.253.255.255
object network PUBLIC_RANGE_Internet_4
 range 169.255.0.0 172.15.255.255
object network PUBLIC_RANGE_Internet_5
 range 172.32.0.0 191.0.1.255
object network PUBLIC_RANGE_Internet_6
 range 192.0.3.0 192.88.98.255
object network PUBLIC_RANGE_Internet_7
 range 192.88.100.0 192.167.255.255
object network PUBLIC_RANGE_Internet_8
 range 192.169.0.0 198.17.255.255
object network PUBLIC_RANGE_Internet_9
 range 198.20.0.0 223.255.255.255
object-group network Internet
 network-object object PUBLIC_RANGE_Internet_1
 network-object object PUBLIC_RANGE_Internet_2
 network-object object PUBLIC_RANGE_Internet_3
 network-object object PUBLIC_RANGE_Internet_4
 network-object object PUBLIC_RANGE_Internet_5
 network-object object PUBLIC_RANGE_Internet_6
 network-object object PUBLIC_RANGE_Internet_7
 network-object object PUBLIC_RANGE_Internet_8
 network-object object PUBLIC_RANGE_Internet_9
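Hand-enumerating the public address space, as the two posts above do, is easy to get subtly wrong: a typo in one boundary either leaks a private block into the "Internet" group or cuts off a legitimate public block. The following Python script is an added example (not Cisco's code and not part of this thread) that computes the "Internet" ranges as the complement of an explicit list of excluded prefixes, emits the ASA object and object-group lines in paste-ready order, emits the deny-then-permit ACL from the first post for comparison, and audits a hand-written list (the ranges posted above) against the computed complement. The set of excluded prefixes is a policy choice and an assumption of this example, as are the host 10.1.1.5 and the ACL name INSIDE_IN.

```python
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[int, int]   # inclusive (first, last) IPv4 addresses as integers
MAX_V4 = 2**32 - 1

# Blocks to EXCLUDE from "Internet". Which special-purpose prefixes belong here is a
# policy choice and an assumption of this example (the thread only excluded a subset).
EXCLUDED_CIDRS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",   # this-net, RFC 1918, CGNAT, loopback
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",            # link-local, RFC 1918, IETF assignments
    "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",           # TEST-NET-1, 6to4 anycast, RFC 1918
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",         # benchmarking, TEST-NET-2, TEST-NET-3
    "224.0.0.0/4", "240.0.0.0/4",                                 # multicast, reserved/broadcast
]


def merged_ranges(cidrs: List[str]) -> List[Range]:
    """CIDRs -> sorted integer ranges with overlaps and adjacent blocks merged."""
    out: List[Range] = []
    for net in sorted(ipaddress.ip_network(c) for c in cidrs):
        first, last = int(net.network_address), int(net.broadcast_address)
        if out and first <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], last))
        else:
            out.append((first, last))
    return out


def complement(excluded: List[Range]) -> List[Range]:
    """Every IPv4 address not in `excluded`: the gaps between its sorted ranges."""
    gaps: List[Range] = []
    cursor = 0
    for first, last in excluded:
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = last + 1
    if cursor <= MAX_V4:
        gaps.append((cursor, MAX_V4))
    return gaps


def subtract(a: List[Range], b: List[Range]) -> List[Range]:
    """Parts of the ranges in `a` not covered by any range in `b`."""
    result: List[Range] = []
    for first, last in sorted(a):
        cur = first
        for b_first, b_last in sorted(b):
            if b_last < cur or b_first > last:
                continue
            if b_first > cur:
                result.append((cur, b_first - 1))
            cur = max(cur, b_last + 1)
            if cur > last:
                break
        if cur <= last:
            result.append((cur, last))
    return result


def is_partition(a: List[Range], b: List[Range]) -> bool:
    """True if `a` and `b` tile 0.0.0.0-255.255.255.255 with no gap or overlap."""
    prev_last = -1
    for first, last in sorted(a + b):
        if first != prev_last + 1:
            return False
        prev_last = last
    return prev_last == MAX_V4


def fmt(ranges: List[Range]) -> List[Tuple[str, str]]:
    return [(str(ipaddress.IPv4Address(f)), str(ipaddress.IPv4Address(l))) for f, l in ranges]


def parse(ranges: List[Tuple[str, str]]) -> List[Range]:
    return [(int(ipaddress.IPv4Address(f)), int(ipaddress.IPv4Address(l))) for f, l in ranges]


def in_ranges(ranges: List[Range], ip: str) -> bool:
    n = int(ipaddress.IPv4Address(ip))
    return any(first <= n <= last for first, last in ranges)


def render_asa_group(ranges: List[Range], name: str = "Internet") -> str:
    """Objects first, then the group that references them, so the output pastes cleanly."""
    lines: List[str] = []
    for i, (first, last) in enumerate(fmt(ranges), 1):
        lines += [f"object network {name}_{i}", f" range {first} {last}"]
    lines.append(f"object-group network {name}")
    lines += [f" network-object object {name}_{i}" for i in range(1, len(ranges) + 1)]
    return "\n".join(lines)


def render_asa_acl(host: str, acl: str = "INSIDE_IN") -> str:
    """The top-down workaround from the first post: explicit denies, then permit any."""
    nets = (ipaddress.ip_network(c) for c in EXCLUDED_CIDRS)
    lines = [f"access-list {acl} extended deny ip host {host} {n.network_address} {n.netmask}" for n in nets]
    lines.append(f"access-list {acl} extended permit ip host {host} any")
    return "\n".join(lines)


INTERNET = complement(merged_ranges(EXCLUDED_CIDRS))

# The ranges posted above, to be audited against the computed complement.
POSTED = parse([
    ("0.0.0.0", "9.255.255.255"), ("11.0.0.0", "126.255.255.255"),
    ("129.0.0.0", "169.253.255.255"), ("169.255.0.0", "172.15.255.255"),
    ("172.32.0.0", "191.0.1.255"), ("192.0.3.0", "192.88.98.255"),
    ("192.88.100.0", "192.167.255.255"), ("192.169.0.0", "198.17.255.255"),
    ("198.20.0.0", "223.255.255.255"),
])


def audit(posted: List[Range]) -> Dict[str, List[Tuple[str, str]]]:
    """Excluded space the list still permits, and Internet space it cannot reach."""
    return {"permits_excluded": fmt(subtract(posted, INTERNET)),
            "blocks_internet": fmt(subtract(INTERNET, posted))}


if __name__ == "__main__":
    print(render_asa_group(INTERNET))
    print(render_asa_acl("10.1.1.5"))
    print(audit(POSTED))
```

Run it and paste the first block of output into the ASA, or diff it against an existing group. The audit reports two lists: excluded space a hand-written list still permits, and public space it cannot reach. Where your exclusion policy differs from the one in EXCLUDED_CIDRS, entries in both lists are expected; read them as a checklist of deliberate decisions rather than as errors, and edit EXCLUDED_CIDRS until the audit of your own list comes back empty.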
04-10-2019 10:22 AM
Hi @Kevin_W
Attached is the photo of the configuration made in our firewall.
If my answer was helpful to you, mark it as helpful so others can be helped.
Best Regards
Josiane
Twitter: SecureGirlNinja