cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1899
Views
4
Helpful
4
Replies

deny all sites and allow only few network IPs in Cisco ASA 5505

kothalanka
Level 1
Level 1

Hi All,

Good Day!!

I am using Cisco ASA 5505 in our office and i want to deny all sites and allow only few networks.

Is it possible to do like this and by using policy map i cant block https traffic. if it possble to do please some send me configuration.

thanks in advance.

regards,

Naresh Kumar.

4 Replies 4

yfournad
Level 1
Level 1

Hi Naresh,

What do you mean when you say "sites" - websites or specific networks?

You could block or allow certain traffic based on protocols (http, https, ftp etc.), based on the source and destination ip/networks using Access Control Lists.

From your post I am not able to understand in details what exactly you would like to achieve.

Best regards!

Hi,

i just want to block all websites and i want to allow few network.

if i apply access-list to allow some networks and by default all other sites will be denied right ?

Please let me know if any other quires.

Hi Naresh,

You are correct, You can configure the access list to allow some of the IP address or subnets and rest of them will be denied by the firewall.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi Naresh,

Let's say you have 2 interfaces

1. inside - where your LAN lives (internal users)

2. outside - the interface towards the Internet

If you configure an access list like:

----------------------------------------------

access-list inside_in extended permit tcp x.x.x.x m.m.m.m y.y.y.y z.z.z.z eq bbb

access-group inside_in in interface inside

-----------------------------------------------

Where:

tcp - for tcp traffic

udp - udp traffic

x.x.x.x - ip address of the source (it could be a host, network or any. If you want to specify only a particular host you could put "host" before the IP address and then you do not need to specify subnet mask). These are the networks (hosts) which you would like to allow access from.

m.m.m.m - subnet mask of the source ip address

y.y.y.y - - ip address of the destination (it could be a host, network or any. If you want to specify only a particular host you could put "host" before the IP address and then you do not need to specify subnet mask) These are the networks (hosts) which you would like to allow access to.

bbb - allowed service/ports (for example 443, 80, 21 or whatever else you need) Besides "eq" you could specify range, grater than, less than...

Configuring this access-list on the inside interface only the traffic permitted by it would be allowed to pass. There is an implicit deny statement which is added automatically at the end of every access-list.

You could set many permit statements. Everything which is not permitted will be denied.

If you want to be aware of the hits of the access which blocks traffic you could put:

access-list inside_out extended deny ip any any log

More detailed information you could fine here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_overview.html#wp1077453

Best regards!

------------------------------------------

Please remember to select a correct answer and rate helpful posts

Review Cisco Networking for a $25 gift card