Rule to block specific Host from Internet

jacenkoj33
Level 1

So I have a task to block out a dozen or so PCs from internet access on our ASA 5525 but still allow them to access the intranet and servers in the DMZ.

So in many attempts to block just Outside access to the internet, the only way I've been able to figure out is using Source "Inside-host IP", Destination Any, Service HTTP/HTTPS.

I've tried destination Outside, destination the public IP address we're PATing to the internet, destination our entire range of public IPs, none of which drops the outbound packets. What's even more interesting is that if I use these methods and test them in packet tracer it shows it should be blocked by the access list, but when live that is not how it's behaving, as the traffic is still allowed out.

It would be easiest if I could single out a path to the internet, as I have to create additional allow rules to the DMZ since ANY is blocking everything for the source IP heading to OUTSIDE or DMZ. The issue is going to be that when this goes live there's yet-to-be-discovered DMZ access that will be needed, causing more administration in the future.

Has anyone run into this and have a suggestion to do this without using the blanket ANY destination?

Here's a sample of the dropped packet when the rule is live using ANY as the destination...

Severity  Date         Time      Syslog ID  Source IP   Src Port  Dest IP         Dst Port  Description
4         Sep 11 2015  07:51:56  106023     10.0.0.114  26293     216.58.216.234  443       Deny tcp src inside:10.0.0.114/26293 dst outside:216.58.216.234/443 by access-group "inside_in" [0x3f928e2, 0x724aef03]

Thanks in advance... Not sure if you really need to see the config, but if so let me know and I'll post it up.

1 Reply

Marvin Rhoads
Hall of Fame

Assuming the ASA is only used for Internet and DMZ access (i.e. not for routing among internal networks):

1. Make an object-group with the addresses to be blocked.

2. Make an access-list to be applied to the inside interface:

     a. Permit that object-group to access the DMZ

     b. Deny that object-group access to any

     c. Permit any access to any (assuming your outbound policy is otherwise open)

3. Apply the access-list to the inside interface.
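The three steps above written out as ASA CLI, added here as an example and not the poster's or the answerer's own configuration. The interface name "inside" and ACL name "inside_in" come from the log line in the question; the DMZ subnet 192.168.100.0/24 and the second blocked host are assumed values.

```cisco
! Added example config; not from the original thread.
! Assumed: DMZ subnet 192.168.100.0/24, inside interface named "inside",
! ACL named inside_in (both names taken from the log line in the question).

! Step 1: group the hosts that must not reach the Internet
object-group network BLOCKED-INTERNET-HOSTS
 network-object host 10.0.0.114
 network-object host 10.0.0.115
 ! add the remaining blocked PCs here

object-group network DMZ-NETS
 network-object 192.168.100.0 255.255.255.0

! Step 2: ACLs are evaluated top-down, first match wins, so the DMZ permit
! (2a) must sit above the deny (2b).
access-list inside_in extended permit ip object-group BLOCKED-INTERNET-HOSTS object-group DMZ-NETS
access-list inside_in extended deny ip object-group BLOCKED-INTERNET-HOSTS any
! 2c: everyone else keeps the existing open outbound policy
access-list inside_in extended permit ip any any

! Step 3: apply inbound on the inside interface
access-group inside_in in interface inside

! Verification: hit counts per ACE, then replay the flow from the question's log line
show access-list inside_in
packet-tracer input inside tcp 10.0.0.114 26293 216.58.216.234 443

! Connections established before the ACL change stay in the conn table and are
! not re-checked against the new rules, which matches the "packet-tracer denies
! but live traffic still flows" symptom; drop the blocked hosts' existing
! connections so the deny takes effect immediately.
clear conn address 10.0.0.114
```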
