Cisco ASA - Negate Firewall Objects/Groups/Rules


Are there any possibilities to negate objects or groups on the Cisco ASA firewall?
E.g. I would like to make an object/group for all non-private IP addresses (so a group for "Internet").
With this I could say that host A should only be able to access the Internet but no internal resources.

With other firewall manufacturers you can work with negated groups, but on the ASA I only know the workaround below.

I know that I could make a workaround and use the top-down principle. I can say:
rule 1: Host A is not allowed to access the private networks
rule 2: Host A is allowed to access any (the rest - the Internet)

Thanks in advance

Best regards
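
An added example, not part of the original post: a negated group can be emulated by computing the complement of the private ranges and writing it out as an explicit object-group. It assumes "private" means the three RFC 1918 ranges; the group name `INTERNET` and the helper names are hypothetical.

```python
import ipaddress

# Assumption: "private" means the three RFC 1918 ranges.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def complement(excluded, universe="0.0.0.0/0"):
    """Return the CIDR blocks covering `universe` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in excluded:
        next_remaining = []
        for net in remaining:
            if net.subnet_of(ex):
                continue  # block lies entirely inside the excluded range
            if ex.subnet_of(net):
                # Split the block into the pieces that surround the excluded range.
                next_remaining.extend(net.address_exclude(ex))
            else:
                next_remaining.append(net)  # no overlap, keep unchanged
        remaining = next_remaining
    return sorted(remaining)


def asa_object_group(name, networks):
    """Render networks as an ASA object-group (address plus dotted netmask)."""
    lines = [f"object-group network {name}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in networks]
    return "\n".join(lines)


if __name__ == "__main__":
    print(asa_object_group("INTERNET", complement(PRIVATE)))
```

The generated group still contains other special-purpose ranges such as 127.0.0.0/8 and 169.254.0.0/16; add them to `PRIVATE` if they should be excluded as well.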
