06-22-2014 01:41 AM - edited 03-11-2019 09:21 PM
Could you please show me how to deny a specific network from accessing the Internet on an ASA 5510?
06-22-2014 08:40 AM
Please refer to the Configuration Guide and Command Reference. Here are the basics:
1. Make an object defining that VLAN:
object network restricted_vlan
subnet <address and mask>
2. Build the access list, making sure to allow other traffic after denying the desired network:
access-list INSIDE_OUT extended deny ip object restricted_vlan any
access-list INSIDE_OUT extended permit ip any any
3. Apply it to your interface:
access-group INSIDE_OUT in interface inside
The above assumes your interface is named "inside" and there was no pre-existing ACL applied to it.
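As an added example, not part of the answer above: the three steps carried through with concrete values, all of which are assumptions for illustration (a restricted VLAN of 192.168.220.0/24, internal ranges 10.0.0.0/8 and 192.168.0.0/16 that the VLAN should still reach through the ASA, and an ACL named INSIDE_OUT that already exists on the inside interface). The deny must sit ahead of any existing permit, because the ASA stops at the first matching entry, so the new entries are inserted with explicit line numbers; `log` on the deny makes hits visible in syslog, and the two commands at the end verify the result.

```text
! Added example; addresses, object names and the ACL name are assumptions
object network restricted_vlan
 subnet 192.168.220.0 255.255.255.0

object-group network internal_nets
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0

! 1. keep the restricted VLAN's access to internal networks that route via the ASA
! 2. deny everything else from it (i.e. the Internet) and log the hits
! "line N" inserts ahead of entries already in INSIDE_OUT; without it the
! deny would land after an existing "permit ip any any" and never match
access-list INSIDE_OUT line 1 extended permit ip object restricted_vlan object-group internal_nets
access-list INSIDE_OUT line 2 extended deny ip object restricted_vlan any log
access-list INSIDE_OUT extended permit ip any any

access-group INSIDE_OUT in interface inside

! verification: hit counts per entry, then a simulated HTTPS flow from the
! restricted VLAN to an outside address (198.51.100.10 is a documentation address)
! packet-tracer should report the drop in the ACCESS-LIST phase
show access-list INSIDE_OUT
packet-tracer input inside tcp 192.168.220.10 40000 198.51.100.10 443
```

If the restricted VLAN needs DNS or proxies that live on the Internet rather than internally, add narrow permits for those destinations ahead of the deny in the same way; the "any any" permit at the bottom is only there so the remaining inside networks keep their existing access.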
06-22-2014 07:30 PM
Hi Rafat,
If you want to exclude a specific network from accessing the Internet, all you have to do is exclude that specific network from dynamic NAT; the config below includes only the networks I want to be in dynamic NAT to the outside interface of the firewall.
Those networks not in the object-group "inside-networks-for-dyna-nat" will not be subjected to dynamic NAT.
object-group network inside-networks-for-dyna-nat
network-object 192.168.200.0 255.255.255.0
network-object 192.168.210.0 255.255.255.0
access-list inside-nat-out extended permit ip object-group inside-networks-for-dyna-nat any
global (outside) 1 interface
nat (inside) 1 access-list inside-nat-out
Hope this helps.
Thanks
Rizwan Rafeek
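As an added example, not from the answer above: the same NAT-based exclusion written out as a complete fragment with a verification step, followed by the equivalent in the post-8.3 NAT syntax, since the `global`/`nat (inside) 1` form above only exists on ASA software before 8.3. The excluded test host 192.168.220.10 and the outside address 198.51.100.10 are assumptions. One caveat a practitioner should know: on pre-8.3 code a packet with no matching NAT rule is dropped only when `nat-control` is enabled (it is disabled by default since 7.0); with it disabled, the packet leaves the firewall untranslated with its private source address and is merely dropped somewhere upstream. On 8.3 and later there is no `nat-control` at all, so relying on NAT exclusion alone is not a hard deny; an interface ACL is the reliable control and the NAT exclusion is a useful second layer.

```text
! Added example; addresses are assumptions. Pre-8.3 syntax, as in the answer above,
! with nat-control so that traffic lacking a NAT rule is actually dropped
nat-control
object-group network inside-networks-for-dyna-nat
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.210.0 255.255.255.0
access-list inside-nat-out extended permit ip object-group inside-networks-for-dyna-nat any
global (outside) 1 interface
nat (inside) 1 access-list inside-nat-out

! check: a host in a subnet that is NOT in the object-group should fail at the NAT phase
! ("no translation group found"), a host in 192.168.200.0/24 should be translated to the outside address
packet-tracer input inside tcp 192.168.220.10 40000 198.51.100.10 443
packet-tracer input inside tcp 192.168.200.10 40000 198.51.100.10 443
show xlate

! equivalent on ASA 8.3 and later (manual NAT): only the listed networks are PATed
! to the outside interface address; nothing else is translated
object-group network inside-networks-for-dyna-nat
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.210.0 255.255.255.0
nat (inside,outside) source dynamic inside-networks-for-dyna-nat interface
```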