226 Views, 0 Helpful, 8 Replies

Turn off/ Block Internet for a subnet on Cisco ASA 5515

Chag
Beginner

Is there any method to turn off internet on a particular subnet on Cisco ASA 5515?

8 Replies

Seb Rupik
VIP Advisor

Hi there,

You can create an inbound ACL on the interface where the subnet is routed, blocking traffic destined to 0.0.0.0/0, but remember to place an allow statement above it to permit communication to your desired internal networks.

 

If you can share your config and the subnet in question we can provide the exact configuration required.

 

cheers,

Seb.

balaji.bandi
VIP Guru

It all depends on the config you are using. If you NAT any any and the ACL allows everything to go to the internet, that will need to change.

You make changes only to the required IPs in NAT, or to the ACP/ACL, to allow what is required for the Internet.

 

BB


Jitendra Kumar
Rising star

Try with the below:

ciscoasa(config)# object network insidenet
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# exit
ciscoasa(config)# access-list Restrictinsidenet extended deny ip object insidenet any
ciscoasa(config)# access-group Restrictinsidenet in interface inside

Thanks,
Jitendra

Marius Gunnerud
VIP Advisor

Are you looking to block all internet access or just specific websites?

--
Please remember to select a correct answer and rate helpful posts

I am willing to block the entire internet access, but need to access machines in the LAN.

You can take help from the tutorial below; it is very easy to understand if you are using ASDM for management.

https://youtu.be/PghlbheWka0

 

You can also create an ACL for that.

Thanks,
Jitendra

Then I would do the following and assign it to the interface that you want to restrict access to the internet from.

object network RESTRICTED_SUBNET
  subnet 10.1.1.0 255.255.255.0
object-group network RFC1918
  network-object 10.0.0.0 255.0.0.0
  network-object 172.16.0.0 255.240.0.0
  network-object 192.168.0.0 255.255.0.0
access-list RESTRICT_ACCESS_ACL extended permit ip object RESTRICTED_SUBNET object-group RFC1918
access-list RESTRICT_ACCESS_ACL extended deny ip object RESTRICTED_SUBNET any
access-group RESTRICT_ACCESS_ACL interface INSIDE_RESTRICTED
 
Remember that RESTRICTED_SUBNET, RFC1918, and RESTRICT_ACCESS_ACL are user defined values so you can change these to what you like if needed.
INSIDE_RESTRICTED is the interface that connects to the network you are trying to restrict. This is most likely already configured and you need to change this value as needed.
--
Please remember to select a correct answer and rate helpful posts
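The ordering point in the config above (the RFC1918 permit must sit above the deny any, and an ASA ACL ends with an implicit deny) is easy to get wrong, so here is an added example, not from the thread or from Cisco, that mirrors those ACL lines in a small first-match evaluator and shows what each ordering does to LAN-bound and internet-bound flows. The object names are the ones from the post; the flow addresses are constructed sample values.

```python
import ipaddress

# Constructed mirror of the network objects from the post above.
OBJECTS = {
    "RESTRICTED_SUBNET": [ipaddress.ip_network("10.1.1.0/24")],
    "RFC1918": [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")],
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION ip SRC DST' into (action, src, dst).
    Only the 'object'/'object-group'/'any' forms used in the post are handled."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    names = [x for x in t[5:] if x not in ("object", "object-group")]
    if len(names) != 2:
        raise ValueError(f"expected a source and a destination in: {line}")
    return t[3], names[0], names[1]

def evaluate(acl_lines, src_ip, dst_ip):
    """First matching ACE decides; if nothing matches, the ASA's implicit deny applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, s_name, d_name = parse_ace(line)
        if any(src in n for n in OBJECTS[s_name]) and any(dst in n for n in OBJECTS[d_name]):
            return action
    return "deny"  # implicit deny at the end of every ASA ACL

# The ACL exactly as posted: permit to internal space first, then deny everything else.
ACL_CORRECT = [
    "access-list RESTRICT_ACCESS_ACL extended permit ip object RESTRICTED_SUBNET object-group RFC1918",
    "access-list RESTRICT_ACCESS_ACL extended deny ip object RESTRICTED_SUBNET any",
]
# Same two lines with the deny placed first: the permit is never reached.
ACL_WRONG_ORDER = list(reversed(ACL_CORRECT))

if __name__ == "__main__":
    for acl_name, acl in (("correct", ACL_CORRECT), ("wrong order", ACL_WRONG_ORDER)):
        for dst in ("192.168.5.5", "203.0.113.10"):  # a LAN host and an internet host
            print(f"{acl_name:12} 10.1.1.20 -> {dst:14} {evaluate(acl, '10.1.1.20', dst)}")
```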

You can do this with PBR, where you allow all other subnets to route to the internet and deny the specific one from routing out.

You can also do this by not configuring dynamic NAT for this subnet.
