Re: Deny inside address internet (outside interface)

Matt Roberts · ‎06-14-2013

I've got an IP address range (172.20.17.x) on the inside interface that I want to deny internet access to. I created a deny statement for the subnet and put the destination as outside interface but nothing is being blocked, they can still access internet. Is this becuase 172.20.17.x is being nated?

Jouni Forss · ‎06-14-2013

Hi,

That wont work. The configuration basicly only blocks traffic towards your ASAs "outside" IP address and nothing else. And no connections can be made to the "outside" IP address from behind some LAN interface of the ASA anyway. (even without the ACL statement)

You will need to do the following things

In the interface ACL where this network is located, first make sure you ALLOW traffic to any LOCAL networks you need to access from that network. (If they are located behind some other interface of the ASA. If there is only LAN and WAN interfaces then the traffic between different LAN networks probably wont even show up on the ASA)
Then block traffic with "deny ip 172.20.17.0 255.255.255.0 any"

If you dont first ALLOW the traffic before the DENY statement then you will essentially block any traffic through the firewall from that source network.

To use a very simply example

You have interface called "inside", "dmz" and "guest" (and naturally "outside")
They have networks 172.20.17.0/24 (inside), 192.168.17.0/24 (dmz) and 10.10.17.0/24 (guest)
We presume you already have an ACL called INSIDE-IN controlling traffic on the interface where the source network is

object-group network INSIDE-ALLOWED-NETWORKS

network-object 192.168.17.0 255.255.255.0

network-object 10.10.17.0 255.255.255.0

access-list INSIDE-IN line 1 remark Allow traffic from 172.20.17.0/24 to Local LAN networks

access-list INSIDE-IN line 2 permit ip 172.20.17.0 255.255.255.0 object-group INSIDE-ALLOWED-NETWORKS

access-list INSIDE-IN line 3 remark Deny traffic from 172.20.17.0/24 to any other networks

access-list INSIDE-IN line 4 deny ip 172.20.17.0 255.255.255.0 any

Hope this helps

If it answered your question please mark the reply as the correct answer.

Otherwise ask more if needed

- Jouni

Matt Roberts · ‎06-14-2013

This is how I have it setup. I have lots of permit statements on my inside interface. Now I just want to deny range 172.20.17.x from accessing the internet. What am I missing. Can this not be done?

Jouni Forss · ‎06-14-2013

Hi,

As I said, you will first need to make sure you permit the local traffic in the ACL if needed. And then you configure a statement which denies traffic from that source network towards "any" destination and it should be fine.

If you have configured a deny rule and traffic isnt blocked then you have configure the deny rule AFTER the permit rules and it will never be hit.

Though naturally as we cant see the exact interface ACL you are using I cant say for sure what the situation is at the moment.

Are you using a proxy for web traffic?

- Jouni

Matt Roberts · ‎06-14-2013

Here is the deny statment on the interface, it is the first entry on the ACL.

access-list inside_access_in extended deny tcp object CAD_No-Internet interface outside object-group DM_INLINE_TCP_5

Jouni Forss · ‎06-14-2013

Hi,

As you can see it doesnt match what I suggest.

Your ACL destination is still the IP address of the "outside" interface.

That IP address is not the target of ANY Internet traffic.

The destination needs to be "any" not "interface outside". The "interface outside" doesnt mean traffic destined to "outside" but traffic destined to the single IP address that is configured on your "outside" interface.

If you have other interfaces than "inside" and "outside" then you will have to make sure you allow traffic to those networks before you configure the deny statement with the "any" destination. That is what I gave an example in the first reply

Hope this helps

- Jouni

Matt Roberts · ‎06-14-2013

Ok I see now. If I change it to deny destination any does that include its own interface? I need the 172.20.14.x range to still be able to access networks on the inside interface.

Jouni Forss · ‎06-14-2013

Hi,

The destination "any" in the ACL "deny" rule will basically block traffic to any destination network.

If you are worried about traffic inside that same network 172.20.17.0/24 then you should notice that that traffic newer crosses the ASA. All traffic inside the same subnet never need to send data to their gateway but directly to the other host.

If we look at the ACL example again.

object-group network INSIDE-ALLOWED-NETWORKS

network-object 192.168.17.0 255.255.255.0

network-object 10.10.17.0 255.255.255.0

access-list INSIDE-IN line 1 remark Allow traffic from 172.20.17.0/24 to Local LAN networks

access-list INSIDE-IN line 2 permit ip 172.20.17.0 255.255.255.0 object-group INSIDE-ALLOWED-NETWORKS

access-list INSIDE-IN line 3 remark Deny traffic from 172.20.17.0/24 to any other networks

access-list INSIDE-IN line 4 deny ip 172.20.17.0 255.255.255.0 any

We first define an "object-group" inside which we list all the networks (or hosts) to which this source network NEEDS to be able to connect to. These networks/hosts are located behind some other interface on the ASA then the source network.
We then start configuring the ACL with a rule that permits traffic to those local LAN networks and we use the "object-group" to tell those destination networks.
The next rule will deny any other traffic from this source network. And since you have allowed traffic to the other LAN networks in the earlier rule then you will naturally only be blocking the traffic bound to Internet

- Jouni