07-19-2017 01:09 PM - edited 03-05-2019 08:52 AM
Hi guys
Really hope someone can help with this, it's driving me up the wall. I have an ASA with a number of ACL's configured (examples below):
access-list Inside_nat0_outbound extended permit ip 10.154.246.0 255.255.254.0 object-group All_HQ_VPN_Protected_Networks
access-list Outside_20_cryptomap remark This rule protects traffic destined for HQ's internal private networks.
access-list Outside_20_cryptomap extended permit ip object-group BLADEInternal object-group All_HQ_VPN_Protected_Networks
access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5
access-list Outside_access_in extended permit tcp object data.meetingmatrix.com 10.154.246.0 255.255.254.0 object-group WebServices
I need to deny Internet traffic temporarily. When I add a firewall rule on the ASDM gui, it shows on command line like this:
access-list Inside_nat0_outbound extended permit ip 10.154.246.0 255.255.254.0 object-group All_HQ_VPN_Protected_Networks
access-list Outside_20_cryptomap remark This rule protects traffic destined for HQ's internal private networks.
access-list Outside_20_cryptomap extended permit ip object-group BLADEInternal object-group All_HQ_VPN_Protected_Networks
access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5
access-list Outside_access_in extended permit tcp object data.meetingmatrix.com 10.154.246.0 255.255.254.0 object-group WebServices
access-list Inside_access_in_1 extended deny ip any any
Two questions:
Thank you
07-19-2017 05:09 PM
Hi,
When creating the access-list rule, you need to choose the access-list you are adding the rule to. You probably just chose the interfaces and the firewall created a new access-list for you. Inside_access_in_1 is probably an access-list the firewall created for you.
If the access-list for your Internet traffic is Outside_access_in, then you will need to choose this access-list in asdm and apply the deny rule to this access-list.
Thanks
John
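As an added example illustrating John's point (this is not from the original thread or from Cisco's tooling): a small Python check that reads ASA `access-list` and `access-group` lines and reports any access-list that is defined but never bound to an interface, which is exactly how a `deny ip any any` can sit in the config without blocking anything. The sample config below reuses the ACL lines from the thread; the two `access-group` bindings are assumed for the example (the thread does not show them), using the real ASA syntax `access-group <acl> in interface <ifname>`.

```python
import re

# Constructed sample: the interface ACL lines from the thread plus two
# assumed access-group bindings (not shown in the original post).
SAMPLE_CONFIG = """\
access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5
access-list Outside_access_in extended permit tcp object data.meetingmatrix.com 10.154.246.0 255.255.254.0 object-group WebServices
access-list Inside_access_in_1 extended deny ip any any
access-group Inside_access_in in interface inside
access-group Outside_access_in in interface outside
"""

# An ACL only filters traffic through an interface once it is bound with
# access-group. ACLs used by nat or crypto map lines are out of scope here.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(extended|remark)\b(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")

def parse_acls(config: str) -> dict[str, list[str]]:
    """Map each access-list name to its extended rule lines (remarks excluded)."""
    acls: dict[str, list[str]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, kind, rest = m.groups()
        acls.setdefault(name, [])
        if kind == "extended":
            acls[name].append(rest.strip())
    return acls

def parse_bindings(config: str) -> dict[str, str]:
    """Map each access-list name to 'direction interface' where it is applied."""
    bound: dict[str, str] = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            name, direction, iface = m.groups()
            bound[name] = f"{direction} {iface}"
    return bound

def unbound_acls(config: str) -> dict[str, list[str]]:
    """Return ACLs that exist in the config but are not applied to any interface."""
    bound = parse_bindings(config)
    return {n: r for n, r in parse_acls(config).items() if n not in bound}

def deny_all_rules(config: str) -> dict[str, str]:
    """Where each ACL holding a blanket 'deny ip any any' is applied ('UNBOUND' if nowhere)."""
    bound = parse_bindings(config)
    return {n: bound.get(n, "UNBOUND") for n, r in parse_acls(config).items()
            if any(x.startswith("deny ip any any") for x in r)}
```

On a real unit, feed it the output of `show running-config access-list` and `show running-config access-group` instead of the constructed sample.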
07-19-2017 09:44 PM
Ok thanks for the reply.
So would I always have to have the deny rule in the firewall? Would it be the same thing if I added it to the ACL manager?