03-14-2016 07:51 AM - edited 03-12-2019 12:29 AM
Hello,
Are there any possibilities to negate objects or groups on the Cisco ASA firewall?
E.g. I would like to make an object/group for all non-private IP addresses (so a group for "Internet").
With this I could say that host A should only be able to access the Internet but no internal resources.
With other firewall manufacturers you can work with negated groups, but on the ASA I only know the workaround below.
I know that I could make a workaround and use the top-down principle. I can say:
rule 1: Host A is not allowed to access the private networks
rule 2: Host A is allowed to access any (the rest - the Internet)
Thanks in advance
Best regards
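An added example, not part of the original post: where negation is unavailable, the "Internet" group asked for above can be built as a positive list by computing the complement of the private ranges and rendering it as `network-object` lines. It assumes "private" means the three RFC 1918 blocks; the group name `INTERNET` is hypothetical.

```python
import ipaddress

# Assumption: "private networks" in the post means the RFC 1918 ranges.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def complement(excluded, universe="0.0.0.0/0"):
    """Return the sorted CIDR blocks covering `universe` minus `excluded`."""
    remaining = [ipaddress.ip_network(universe)]
    for cidr in excluded:
        hole = ipaddress.ip_network(cidr)
        next_remaining = []
        for net in remaining:
            if net.subnet_of(hole):
                continue  # block lies entirely inside the excluded range
            if hole.subnet_of(net):
                # Split the block around the hole, keeping everything else.
                next_remaining.extend(net.address_exclude(hole))
            else:
                next_remaining.append(net)  # no overlap with this hole
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def covers(networks, addr):
    """True if the address string falls inside any of the networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def asa_object_group(name, networks):
    """Render the networks as an ASA network object-group (address + mask)."""
    lines = [f"object-group network {name}"]
    for net in networks:
        lines.append(f" network-object {net.network_address} {net.netmask}")
    return "\n".join(lines)


if __name__ == "__main__":
    internet = complement(RFC1918)
    print(asa_object_group("INTERNET", internet))  # hypothetical group name
    # Sanity checks before pasting the group into a permit rule:
    # no private address may match, public neighbours must match.
    for probe in ("10.1.2.3", "172.31.255.255", "192.168.0.1",
                  "11.0.0.0", "172.32.0.0", "8.8.8.8"):
        print(probe, "matches" if covers(internet, probe) else "excluded")
```

The resulting group also contains loopback, link-local and multicast space, so add those ranges to the excluded list if the permit rule should not match them.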