deny all sites and allow only few network IPs in Cisco ASA 5505

kothalanka
Level 1

Hi All,

Good Day!!

I am using a Cisco ASA 5505 in our office and I want to deny all sites and allow only a few networks.

Is it possible to do this? Using a policy map I can't block HTTPS traffic. If it is possible, please can someone send me the configuration.

Thanks in advance.

regards,

Naresh Kumar.

9 Replies

Shivapramod M
Level 1

Hi Naresh,

You can block the HTTP traffic using the ASA, but you can not block the HTTPS traffic via ASA 5505. Most of the websites which you would like to block, such as Facebook, YouTube etc., use HTTPS for the connection. For blocking HTTPS you need external devices.

Please refer

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html


Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi Shivapramod,

Thanks for your reply, and I have one more doubt; please clear this also.

If I want to deny all the traffic using an access-list and allow only a few network IPs using an access-list, will it work or not?

Thanks

regards,

Naresh Kumar.

Hi Naresh,

Just use the permit statements in the access-list. An access-list itself adds one implicit 'deny all' statement entry at the end, so there is no need to configure a deny all statement.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Hi ShivaPramod/ Akshay Rastogi,

Please give a sample template and I will try to test it on my ASA.

Thanks for your support,

Regards,

Naresh Kumar.

Hi Naresh,

Please use the link below:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_extended.html

The above is for versions before 8.3. If the version is post 8.3, then use the real IP address of your network instead of the NATted IP in the destination field, due to the syntax and processing change.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Hi,

Please send me a sample configuration because I am a bit confused.

Thanks & regards,

Naresh Kumar

Hi Naresh,

You could use statements like the ones below. Assume that you need to allow source subnet 12.12.12.x on the outside interface with destination IP 24.24.24.42 (real IP is 10.1.1.1).

If the version is 8.2:

access-list out_in permit tcp 12.12.12.0 255.255.255.0 host 24.24.24.42

access-group out_in in interface outside <-- This is to apply acl on interface

If the version is post 8.3:

access-list out_in permit tcp 12.12.12.0 255.255.255.0 host 10.1.1.1

access-group out_in in interface outside 

In versions post 8.3, we use the real IP instead of the NATted IP.

After this command, the ASA automatically adds a deny any any statement at the end.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.
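As an added sample template (not posted by anyone in this thread and not Cisco's own text), here is one way to lay out the "permit a few destinations, let the implicit deny drop the rest" access-list described above for the original question (restricting inside users to a few networks), in post-8.3 syntax. All addresses and object names are placeholders.

```cisco
! Added example, not from this thread: limit inside users to a few
! destination networks on an ASA running 8.3 or later.
! Addresses and object names are placeholders; replace them with your own.
!
! Destinations the office may reach. Post-8.3 ACLs are written against
! real addresses, not translated ones (see the reply above).
object-group network ALLOWED_DESTINATIONS
 network-object 203.0.113.0 255.255.255.0
 network-object host 198.51.100.10
!
! Inside hosts subject to the restriction.
object-group network INSIDE_USERS
 network-object 192.168.1.0 255.255.255.0
!
! The only DNS server inside users may query. Keeping DNS restricted to a
! known resolver avoids leaving "any" open for name lookups.
object network DNS_SERVER
 host 203.0.113.53
!
! Permit only the wanted destinations. No explicit "deny ip any any" is
! needed: every ASA access-list ends with an implicit deny, which drops
! everything not matched by a permit line above it. Note that once an
! access-group is applied to the inside interface, the default
! higher-to-lower security permit no longer applies to that traffic.
access-list INSIDE_IN extended permit udp object-group INSIDE_USERS object DNS_SERVER eq domain
access-list INSIDE_IN extended permit tcp object-group INSIDE_USERS object-group ALLOWED_DESTINATIONS eq www
access-list INSIDE_IN extended permit tcp object-group INSIDE_USERS object-group ALLOWED_DESTINATIONS eq https
!
! Apply the ACL to traffic entering the inside interface.
access-group INSIDE_IN in interface inside
!
! Verification: hit counts show which permit lines are matching, so a
! destination that is still reachable or still blocked can be traced to
! a specific line. Packets matching no line are dropped by the implicit
! deny and are logged as denied by the access-group.
show access-list INSIDE_IN
```

Because this filters on destination IP rather than on the application protocol, it applies equally to HTTP and HTTPS, which is why the ACL approach works where the policy-map approach mentioned earlier in the thread does not.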

Hi Naresh,

This is possible. You can create a permit access-list and allow the traffic which you would like to allow through the firewall; other traffic should be dropped by the firewall due to the implicit deny.


Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi Shivapramod,
Does this also apply to ASA5515-K9 series devices?

Regards.
Ringgani Saskita
