Solved: Deny connection from specific ouside IP to specific inside IP

vladimirguan · ‎02-11-2018

Hi All,

I have an ASA 5540 which I want to block certain outside IPs say, 10.190.1.0/24 to access certain inside IP, say 10.199.10.5. Can I achieve this with an ACL? I can do it with the firewall at 10.199.10.5 but prefer for it to be all done inside the ASA.

TIA,

Vlad

vladimirguan · ‎02-11-2018

I just realised there was a way to do this which is via routes. So basically, create a route for the outside interface to route specific IP addresses to 0.0.0.0.

View solution in original post

Francesco Molino · ‎02-11-2018

Hi

First of all, to allow outside subnets (from internet?) To access inside, you have to Nat your inside host to a public ip to allow remote public hosts to find the route to access your network.

Once done, you can then add an ace into your outside acl to allow specific public subnet to access your internal host.

Is that explanation clear?

In terms of config example, let's say you will nat your host to public ip 1.1.1.1 and your outside acl is called outside_in

Object network InsideHost

host 10.199.10.5

nat (inside,outside) static 1.1.1.1

object group PublicAuthzInsideHost

subnet 10.190.1.0 255.255.255.0

access-list outside_in extended permit ip object PublicAuthzInsideHost object InsideHost

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

vladimirguan · ‎02-11-2018

Hi Francesco,

Thank you for the reply but I do not want to use NAT and our IOS is 8.0 so no chance of adding the objects required. I have resorted to modifying the individual inside servers' firewalls to block the outside IP ranges.

Cheers,

Vlad

vladimirguan · ‎02-11-2018

I just realised there was a way to do this which is via routes. So basically, create a route for the outside interface to route specific IP addresses to 0.0.0.0.