06-14-2013 05:41 AM - edited 03-11-2019 06:58 PM
I've got an IP address range (172.20.17.x) on the inside interface that I want to deny internet access to. I created a deny statement for the subnet and put the destination as the outside interface, but nothing is being blocked; they can still access the internet. Is this because 172.20.17.x is being NATed?
06-14-2013 05:49 AM
Hi,
That won't work. The configuration basically only blocks traffic towards your ASA's "outside" IP address and nothing else. And no connections can be made to the "outside" IP address from behind some LAN interface of the ASA anyway (even without the ACL statement).
You will need to do the following things.
If you don't first ALLOW the traffic before the DENY statement, then you will essentially block any traffic through the firewall from that source network.
To use a very simple example:
object-group network INSIDE-ALLOWED-NETWORKS
network-object 192.168.17.0 255.255.255.0
network-object 10.10.17.0 255.255.255.0
access-list INSIDE-IN line 1 remark Allow traffic from 172.20.17.0/24 to Local LAN networks
access-list INSIDE-IN line 2 permit ip 172.20.17.0 255.255.255.0 object-group INSIDE-ALLOWED-NETWORKS
access-list INSIDE-IN line 3 remark Deny traffic from 172.20.17.0/24 to any other networks
access-list INSIDE-IN line 4 deny ip 172.20.17.0 255.255.255.0 any
Hope this helps
If it answered your question please mark the reply as the correct answer.
Otherwise ask more if needed
- Jouni
06-14-2013 05:53 AM
This is how I have it set up. I have lots of permit statements on my inside interface. Now I just want to deny range 172.20.17.x from accessing the internet. What am I missing? Can this not be done?
06-14-2013 05:56 AM
Hi,
As I said, you will first need to make sure you permit the local traffic in the ACL if needed. And then you configure a statement which denies traffic from that source network towards "any" destination, and it should be fine.
If you have configured a deny rule and traffic isn't blocked, then you have configured the deny rule AFTER the permit rules and it will never be hit.
Though naturally, as we can't see the exact interface ACL you are using, I can't say for sure what the situation is at the moment.
Are you using a proxy for web traffic?
- Jouni
06-14-2013 06:00 AM
Here is the deny statement on the interface; it is the first entry on the ACL.
access-list inside_access_in extended deny tcp object CAD_No-Internet interface outside object-group DM_INLINE_TCP_5
06-14-2013 06:07 AM
Hi,
As you can see, it doesn't match what I suggest.
Your ACL destination is still the IP address of the "outside" interface.
That IP address is not the target of ANY Internet traffic.
The destination needs to be "any", not "interface outside". The "interface outside" doesn't mean traffic destined to "outside" but traffic destined to the single IP address that is configured on your "outside" interface.
If you have other interfaces than "inside" and "outside", then you will have to make sure you allow traffic to those networks before you configure the deny statement with the "any" destination. That is what I gave an example of in the first reply.
Hope this helps
- Jouni
06-14-2013 06:11 AM
Ok I see now. If I change it to deny destination any does that include its own interface? I need the 172.20.14.x range to still be able to access networks on the inside interface.
06-14-2013 06:36 AM
Hi,
The destination "any" in the ACL "deny" rule will basically block traffic to any destination network.
If you are worried about traffic inside that same network 172.20.17.0/24, then you should notice that that traffic never crosses the ASA. Hosts inside the same subnet never need to send data to their gateway; they send it directly to the other host.
If we look at the ACL example again:
object-group network INSIDE-ALLOWED-NETWORKS
network-object 192.168.17.0 255.255.255.0
network-object 10.10.17.0 255.255.255.0
access-list INSIDE-IN line 1 remark Allow traffic from 172.20.17.0/24 to Local LAN networks
access-list INSIDE-IN line 2 permit ip 172.20.17.0 255.255.255.0 object-group INSIDE-ALLOWED-NETWORKS
access-list INSIDE-IN line 3 remark Deny traffic from 172.20.17.0/24 to any other networks
access-list INSIDE-IN line 4 deny ip 172.20.17.0 255.255.255.0 any
- Jouni
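The two points made in this thread, that "interface outside" matches only the outside interface's own IP and that an ASA interface ACL is evaluated top-down with the first match winning, can be checked with a small first-match evaluator. The following is an added example, not part of the thread or of any Cisco tool: it models the poster's original list, Jouni's suggested list, and a misordered list, and evaluates the three flows the thread discusses. The 172.20.17.0/24 source and the two local LAN networks come from the thread; the outside interface address and the Internet host are constructed RFC 5737 documentation addresses, and the poster's TCP/port object-group is simplified to IP.

```python
import ipaddress

# Addresses that come from the thread.
NO_INTERNET_NET = "172.20.17.0/24"
LOCAL_LANS = ["192.168.17.0/24", "10.10.17.0/24"]   # INSIDE-ALLOWED-NETWORKS

# Constructed values (RFC 5737 documentation ranges), not from the thread.
OUTSIDE_IF_IP = "203.0.113.1/32"      # what "interface outside" resolves to
INTERNET_HOST = "198.51.100.10"
ANY = "0.0.0.0/0"


def ace(action, src, dst):
    """Build one access-control entry. src and dst are lists of CIDR strings."""
    return {
        "action": action,
        "src": [ipaddress.ip_network(n) for n in src],
        "dst": [ipaddress.ip_network(n) for n in dst],
    }


def evaluate(acl, src_ip, dst_ip):
    """First-match lookup, the way an ASA interface ACL is processed.

    Returns (action, index). index is None when no entry matched, which on
    the ASA means the implicit deny at the end of the list.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for i, entry in enumerate(acl):
        if any(s in n for n in entry["src"]) and any(d in n for n in entry["dst"]):
            return entry["action"], i
    return "deny", None


# The poster's list: the deny uses "interface outside" (a single host) as its
# destination, followed by the many permits the poster mentioned, modelled
# here as one "permit ip any any".
POSTER_ACL = [
    ace("deny", [NO_INTERNET_NET], [OUTSIDE_IF_IP]),
    ace("permit", [ANY], [ANY]),
]

# Jouni's suggested list: permit to the local LANs first, then deny to any.
SUGGESTED_ACL = [
    ace("permit", [NO_INTERNET_NET], LOCAL_LANS),
    ace("deny", [NO_INTERNET_NET], [ANY]),
    ace("permit", [ANY], [ANY]),                    # remaining inside hosts
]

# The ordering mistake described in the thread: deny placed after the permits,
# so it is never hit.
MISORDERED_ACL = [
    ace("permit", [ANY], [ANY]),
    ace("deny", [NO_INTERNET_NET], [ANY]),
]


def decisions(acl):
    """Decision for each of the three flows the thread talks about."""
    return {
        "to_internet": evaluate(acl, "172.20.17.5", INTERNET_HOST)[0],
        "to_local_lan": evaluate(acl, "172.20.17.5", "192.168.17.20")[0],
        "to_outside_if": evaluate(acl, "172.20.17.5", "203.0.113.1")[0],
    }


if __name__ == "__main__":
    for name, acl in [("poster", POSTER_ACL), ("suggested", SUGGESTED_ACL),
                      ("misordered", MISORDERED_ACL)]:
        print(name, decisions(acl))
```

Running it shows the poster's list permitting 172.20.17.5 to the Internet host (the deny only fires for the outside interface IP itself), the suggested list denying that flow while still permitting the local LAN, and the misordered list permitting everything because the broad permit is matched first.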