Dynamically Block IP Addresses With Firewall API

Yasaman
Level 1

Hi,
I have been thinking hard about how it would be possible to block some IPs in a network.
Should I block the IPs using the firewall? If I'm right, how should I do it with the API?
I'm new to this topic, and I would appreciate your answer.
Thanks

5 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

Which firewall are you using, and how is it being managed?

Cisco ASA 5525 - CLI Configuration

Hi,

You can block IPs in the firewall from accessing one zone from another, for example from inside to outside.

To do that, we can create a network object group, add the hosts to it that need to be blocked, and then call that group in an ACL with a deny statement and permit everything else. Then apply it inbound on the inside interface.

Example config using the CLI:

object-group network blacklist-hosts
network-object host 192.168.10.1
network-object host 192.168.10.2
network-object host 192.168.10.3
access-list my-internet-access deny ip object-group blacklist-hosts any
access-list my-internet-access permit ip any any
!
access-group my-internet-access in interface inside

!

You can keep adding hosts to the object group called blacklist-hosts using the CLI, or you can add them later using REST APIs.

The ASA CLI can be configured through RESTful APIs; you need to install the RESTful client on the ASA first, then with the HTTPS APIs you can make API calls to create objects or update them.

For API client installation on the ASA, refer to the link below:

https://www.cisco.com/c/en/us/td/docs/security/asa/api/qsg-asa-api.html#34855

One more good reference for the API on the ASA:

https://www.networkworld.com/article/2921386/digging-deeper-into-the-cisco-asa-firewall-rest-api.html

I think the ideal scenario is to initially configure the ACL and object groups from the CLI as mentioned above and keep updating the blacklist-hosts object-group using API calls.

- Rate this post helpful or accepted if it helped you out.
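As an added example (not from this thread and not Cisco's own tooling), the script below does the last step of the reply above: it reads the blacklist-hosts object-group through the ASA REST API, adds one host member, and writes the whole group back with PUT. The hostname and credentials are placeholders; the endpoint path, the JSON "kind" values and the mandatory User-Agent header follow the ASA REST API guide, and the CLI ACL from the reply is assumed to already reference the group.

```python
import base64
import ipaddress
import json
import urllib.request

ASA_HOST = "asa.example.invalid"  # placeholder, not a real device
USERNAME = "apiuser"              # placeholder
PASSWORD = "CHANGE-ME"            # placeholder
GROUP_ID = "blacklist-hosts"      # object-group from the CLI example above
GROUP_URL = f"https://{ASA_HOST}/api/objects/networkobjectgroups/{GROUP_ID}"


def add_host_to_group(group, ip):
    """Return a copy of the object-group JSON with one host member added.
    Non-IPv4 input raises ValueError; re-adding a present host is a no-op."""
    addr = ipaddress.IPv4Address(ip)          # AddressValueError is a ValueError
    member = {"kind": "IPv4Address", "value": str(addr)}
    members = list(group.get("members", []))  # copy, do not mutate the input
    if member not in members:
        members.append(member)
    return dict(group, members=members)


def _call(method, body=None):
    """One HTTPS call with basic auth; the ASA requires this User-Agent."""
    token = base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GROUP_URL, method=method, data=data)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("User-Agent", "REST API Agent")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:  # verifies ASA cert
        raw = resp.read()
    return json.loads(raw) if raw else None


def block_host(ip):
    """GET the current group, add the host, PUT the full group back."""
    current = _call("GET")
    updated = add_host_to_group(current, ip)
    if updated != current:   # skip the write when nothing changed
        _call("PUT", updated)
    return updated


if __name__ == "__main__":
    sample = {"kind": "object#NetworkObjGroup", "name": GROUP_ID,  # constructed
              "members": [{"kind": "IPv4Address", "value": "192.168.10.1"}]}
    print(json.dumps(add_host_to_group(sample, "192.168.10.4"), indent=2))
```

Run it with no network access to see the offline sample; point ASA_HOST and the credentials at a real ASA (with the REST API agent installed) and call block_host() to change the live group.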