Solved: How to block a Lan ip to use wan resources

prashantrecon · ‎11-13-2011

Hi ,

I am getting to many teardown tcp connection for outside interface.

i want to block this ip using CISCO IPS or using A access-list in ASA 5520 .

How can i do that.

Regards,

Prashant.

varrao · ‎11-14-2011

Hi Prashant,

You would need to do that from the ACL, you can try this:

access-list inside_out deny ip host 192.168.1.1 any

access-list inside_out permit ip any any

access-group inside_out in interface inside

Remember to add the ip any any access-list at the bottom otherwise, it would block access to other ip's as well.

Hope that helps

Thanks,

Varun

Thanks,
Varun Rao

varrao · ‎11-13-2011

Hi Prashant,

If the traffic that you want to block is coming from internet, then you can use the access-list below;

access-list outside_access_in deny ip host any

access-group outside_access_in in interface outside

or you can also shun that ip, using:

shun

this would have the firewall drop the packet without even processing the ACL for it.

Here's the command reference:

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

prashantrecon · ‎11-14-2011

Hi Varun,

i am getting to many connection from a internal ip 192.68.1.1 ok i want to block this for any destination (Public IP)

Can i do this by IPS ?

if yes please guide me.

Otherwise we have a choice to do that using access-list.

Regards,

Prashant

varrao · ‎11-14-2011

Hi Prashant,

You would need to do that from the ACL, you can try this:

access-list inside_out deny ip host 192.168.1.1 any

access-list inside_out permit ip any any

access-group inside_out in interface inside

Remember to add the ip any any access-list at the bottom otherwise, it would block access to other ip's as well.

Hope that helps

Thanks,

Varun

Thanks,
Varun Rao