06-28-2017 04:56 AM - edited 03-05-2019 08:46 AM
Hi everyone
I hope someone can help me with this. I'm trying to restrict traffic on a Cisco ASA (config attached). I want to block all Internet browsing from the LAN (with the exception of 3 statically assigned PCs). I also want to block users from opening emails or connecting to their mail server.
Is this possible on the ASA ACL's?
06-28-2017 05:40 AM
Hi
You could use an object-group to define which IP addresses are going to be allowed to get Internet access, but you need to modify the NAT and also create the respective ACLs.
Example:
object-group network INTERNAL-NETS
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object host 3.3.3.3
nat (INSIDE,OUTSIDE) source dynamic INTERNAL-NETS interface
You could use the same object-group for the ACL, but I prefer to use another one to be more flexible:
object-group network PRIVATE-NET
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object host 3.3.3.3
access-list INSIDE-IN extended permit tcp object-group PRIVATE-NET any eq 80
access-list INSIDE-IN extended permit tcp object-group PRIVATE-NET any eq 443
access-list INSIDE-IN extended permit udp object-group PRIVATE-NET any eq 53
access-list INSIDE-IN extended deny tcp object-group PRIVATE-NET any
* You can also use an object-group to collect the ports to use.
Hope it is useful
:-)
06-28-2017 05:57 AM
That makes perfect sense. Thank you so much, I will try that shortly.
I'm guessing the mail aspect of it will be trickier. Or would that just be a standard ACL denying all to the mail server IP?
06-28-2017 06:07 AM
I think for the email you can allow the ports used (110, 465, 25, etc.). As you are already filtering by IP, you can open the ports; the destination IP is not required unless you want to be more specific.
:-)
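Putting the two replies together, here is an added illustrative ASA configuration (it is not from either poster and was not tested against the attached config); the host addresses are placeholders, the interface names INSIDE/OUTSIDE are taken from the reply above, and permitting mail only from the three allowed hosts is an assumption about the desired policy.

```text
! Three PCs that are allowed out (placeholder addresses, not from the thread)
object-group network INTERNET-ALLOWED
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object host 192.0.2.12
! Ports collected in service object-groups, as the first reply suggests
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
object-group service MAIL-PORTS tcp
 port-object eq smtp
 port-object eq 465
 port-object eq 587
 port-object eq pop3
 port-object eq 995
 port-object eq imap4
 port-object eq 993
! Only the allowed hosts are translated to the outside interface address
nat (INSIDE,OUTSIDE) source dynamic INTERNET-ALLOWED interface
! Inbound ACL on the LAN interface: first match wins, implicit deny at the end
access-list INSIDE-IN extended permit udp object-group INTERNET-ALLOWED any eq domain
access-list INSIDE-IN extended permit tcp object-group INTERNET-ALLOWED any object-group WEB-PORTS
access-list INSIDE-IN extended permit tcp object-group INTERNET-ALLOWED any object-group MAIL-PORTS
! Explicit final deny so blocked flows appear in hit counts and syslog
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface INSIDE
```

Before rolling this out, `packet-tracer input INSIDE tcp <lan-host> 1025 <mail-server> 25` shows which line a given flow hits; note that an interface ACL only sees traffic crossing the ASA, so a mail server on the same LAN segment as the clients is not affected by it.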