02-11-2018 06:49 PM - edited 02-21-2020 07:19 AM
Hi All,
I have an ASA 5540 on which I want to block certain outside IPs, say 10.190.1.0/24, from accessing a certain inside IP, say 10.199.10.5. Can I achieve this with an ACL? I can do it with the firewall at 10.199.10.5 but would prefer for it to be all done inside the ASA.
TIA,
Vlad
02-11-2018 10:12 PM
I just realised there is a way to do this, which is via routes. So basically, create a route for the outside interface to route specific IP addresses to 0.0.0.0.
02-11-2018 07:24 PM
Hi
First of all, to allow outside subnets (from the internet?) to access inside, you have to NAT your inside host to a public IP to allow remote public hosts to find the route to access your network.
Once done, you can then add an ACE to your outside ACL to allow a specific public subnet to access your internal host.
Is that explanation clear?
In terms of a config example, let's say you will NAT your host to public IP 1.1.1.1 and your outside ACL is called outside_in:
! static NAT: inside host 10.199.10.5 is reachable from outside as 1.1.1.1 (8.3+ syntax)
object network InsideHost
 host 10.199.10.5
 nat (inside,outside) static 1.1.1.1
! outside subnet that is allowed to reach the host
object-group network PublicAuthzInsideHost
 network-object 10.190.1.0 255.255.255.0
! ACE in the inbound ACL of the outside interface (from 8.3 the ACL matches the real IP)
access-list outside_in extended permit ip object-group PublicAuthzInsideHost object InsideHost
02-11-2018 09:45 PM
Hi Francesco,
Thank you for the reply, but I do not want to use NAT, and our IOS is 8.0, so there is no chance of adding the objects required. I have resorted to modifying the individual inside servers' firewalls to block the outside IP ranges.
Cheers,
Vlad
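For the original question (deny one outside subnet to one inside host in the outside interface's ACL, without NAT and without object-groups), here is an added example that was not posted in this thread; it assumes pre-8.3 ASA syntax, interfaces named inside and outside, an inbound ACL named outside_in, and that 10.199.10.5 is routable from outside without a NAT rule:

```cisco
! Added example, not from the thread. Assumed: ASA 8.0 (pre-8.3) syntax,
! interfaces named inside/outside, and 10.199.10.5 reachable from outside
! with no NAT, so the outside ACL matches the real address.
!
! ACEs are evaluated top-down: the deny must sit above any permit that would
! also match this traffic, and everything not permitted hits the implicit deny.
access-list outside_in extended deny ip 10.190.1.0 255.255.255.0 host 10.199.10.5
! Narrow "ip" to the services the host actually offers (e.g. tcp ... eq 443)
! rather than permitting all protocols from any source.
access-list outside_in extended permit ip any host 10.199.10.5
!
! Bind the ACL inbound on the outside interface.
access-group outside_in in interface outside
!
! Verification: a simulated packet from the blocked subnet (10.190.1.10 is a
! constructed sample address) should be dropped in the ACCESS-LIST phase,
! and the deny ACE's hitcnt in "show access-list" should increase.
packet-tracer input outside tcp 10.190.1.10 40000 10.199.10.5 443
show access-list outside_in
```

Note that a permit ACE for 10.199.10.5 placed above the deny would silently override it, so check the ACE order with show access-list after any later changes.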