12-04-2015 06:09 AM - edited 03-11-2019 11:59 PM
Hi All,
Good Day!!
I am using a Cisco ASA 5505 in our office and I want to deny all sites and allow only a few networks.
Is it possible to do this? By using a policy map I can't block HTTPS traffic. If it is possible to do, please send me the configuration.
Thanks in advance.
regards,
Naresh Kumar.
12-04-2015 06:59 AM
Hi Naresh,
You can block HTTP traffic using the ASA, but you cannot block HTTPS traffic via the ASA 5505. Most of the websites which you would like to block, such as Facebook, YouTube etc., use HTTPS for the connection. For blocking HTTPS you need external devices.
Please refer to
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
12-04-2015 08:47 AM
Hi Shivapramod,
Thanks for your reply. I have one more doubt, please clear this also.
If I want to deny all the traffic using an access-list and allow only a few network IPs using the access-list, will it work or not?
Thanks
regards,
Naresh Kumar.
12-04-2015 09:13 AM
Hi Naresh,
Just use the permit statements in the access-list. The access-list itself adds one implicit 'deny all' entry at the end, so there is no need to configure a deny all statement.
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
12-04-2015 10:14 PM
Hi ShivaPramod/ Akshay Rastogi,
Please give a sample template and I will try to test it on my ASA.
Thanks for your support,
Regards,
Naresh Kumar.
12-05-2015 12:20 AM
Hi Naresh,
Please use the link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_extended.html
The above is for versions pre 8.3. If the version is post 8.3, then use the real IP address of your network instead of the NATed IP in the destination field, due to the syntax and processing change.
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
12-10-2015 12:45 AM
Hi,
Please send me a sample configuration because I am a bit confused.
Thanks & regards,
Naresh Kumar
12-10-2015 11:14 AM
Hi Naresh,
You could use statements like the ones below. Assume that you need to allow source subnet 12.12.12.x on the outside interface with destination IP 24.24.24.42 (real IP is 10.1.1.1).
If the version is 8.2:
access-list out_in permit tcp 12.12.12.0 255.255.255.0 host 24.24.24.42
access-group out_in in interface outside <-- This is to apply the ACL on the interface
If the version is post 8.3:
access-list out_in permit tcp 12.12.12.0 255.255.255.0 host 10.1.1.1
access-group out_in in interface outside
In versions post 8.3, we use the real IP instead of the NATed IP.
After this command, the ASA automatically adds a deny any any statement at the end.
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
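Worked example: a complete outbound allow-list for the original question (inside hosts may reach only a few networks), added here as an illustration and not taken from any reply in this thread. The interface names, subnets, resolver and allowed destinations are assumed placeholders from documentation ranges, and the syntax is for ASA 8.3 or later, where ACLs always reference real (pre-NAT) addresses.

```cisco
! Added example, not from this thread. Assumed: inside subnet 192.168.1.0/24,
! interfaces named "inside" and "outside", resolver 198.51.100.53, and allowed
! destinations 203.0.113.0/24 plus host 198.51.100.10 (all documentation ranges).

object-group network ALLOWED_DESTINATIONS
 network-object 203.0.113.0 255.255.255.0
 network-object host 198.51.100.10

! ASA 8.3+ NAT for the inside subnet (PAT to the outside interface address).
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Keep DNS working for the allowed names, then permit only the allow-listed
! destinations. The ACL matches on IP addresses and ports, not URLs, so HTTPS
! (TCP/443) to a destination that is not listed is dropped like any other flow.
access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 host 198.51.100.53 eq domain
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 object-group ALLOWED_DESTINATIONS
! An explicit deny with "log" makes the otherwise silent implicit deny visible in syslog.
access-list INSIDE_IN extended deny ip any any log

! Apply the ACL to traffic entering the ASA on the inside interface.
access-group INSIDE_IN in interface inside

! Verification from privileged EXEC: per-entry hit counts, then two simulated
! flows. The first should report "allow", the second "drop" by the ACL.
! show access-list INSIDE_IN
! packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.5 443
! packet-tracer input inside tcp 192.168.1.10 40000 192.0.2.1 443
```

On a pre-8.3 image, only the NAT statements differ; the ACL above is applied inbound on the inside interface, so the destinations are already real addresses and need no change.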
12-04-2015 09:13 AM
Hi Naresh,
This is possible. You can create a permit access list and allow the traffic which you would like to allow through the firewall; other traffic will be dropped by the firewall due to the implicit deny.
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
05-15-2023 10:34 PM
Hi Shivapramod,
Does this also apply to ASA5515-K9 series devices?
Regards.
Ringgani Saskita