
ASA 5505 ASA ver 9.1 Ransomware limitation

Hello. In an attempt to stop the spread of ransomware, I am putting together a plan on how we can segregate the NAS in a second VLAN, "VLAN3".

I have created the VLAN and assigned the required port to it.

I also have 2 addresses inside that VLAN (VLAN IP and Device IP).

My plan is to limit the amount of ransomware damage by putting the NAS in a VLAN and only allowing traffic from our Veeam server to access it. All other traffic to it should be blocked.

My Setup

IP address of the ASA is

IP DHCP range -

inside VLAN1

outside "my public IP range" over PPPOE

VLAN3 IP Address

Device in VLAN 3 can get outside (internet access) "I know how to stop this as I don't want it"

But all devices on my LAN can ping the NAS (and I only want one device which is in VLAN1 to access it)

So I'm guessing what I am looking for here is "allow all traffic from inside host "" to host in VLAN3 and vice versa", but only these two hosts should be able to talk; no other device can be allowed.

This is a side project to help protect our clients... "a very important side project".

I am new enough to the ASA and I would like it if you could help me out with this. Any information required will be given and advice is greatly appreciated. Oh Cisco community, please help me with this one?

Please don't assume I know lots, because when it comes to the ASA5505 I am a noob. If any information is required, please let me know and I will get it straight away and post back.

Kind Regards,


Simon Brooks

Instead of trying to restrict access blah blah coming in on the inside and making it complicated, just have an access list outbound on the vlan3 interface that blocks everything apart from Veeam as a source IP.
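
The outbound access list suggested in the reply above could look like the following on ASA 9.1. This is an added example, not configuration posted by anyone in the thread. The thread gives no addresses or interface name, so the nameif `nas`, both host addresses and the TCP port in the test traces are constructed placeholders.

```cisco
! Assumptions (not from the thread): Vlan3 has nameif "nas",
! 192.0.2.10 = Veeam server in VLAN1, 198.51.100.20 = NAS in VLAN3.
! Both addresses are constructed placeholders.

object network VEEAM
 host 192.0.2.10
object network NAS
 host 198.51.100.20

! Outbound on the VLAN3 interface: traffic leaving the ASA toward the NAS.
! Only the Veeam server is permitted as a source; the rest is dropped and logged.
access-list VLAN3_OUT extended permit ip object VEEAM object NAS
access-list VLAN3_OUT extended deny ip any any log
access-group VLAN3_OUT out interface nas

! Inbound on the VLAN3 interface: connections the NAS itself initiates.
! The NAS may reach only the Veeam server, which also removes its internet access.
access-list VLAN3_IN extended permit ip object NAS object VEEAM
access-list VLAN3_IN extended deny ip any any log
access-group VLAN3_IN in interface nas

! Trace both cases through the firewall without sending real traffic.
! First trace: Veeam server as source. Second trace: another inside host.
packet-tracer input inside tcp 192.0.2.10 50000 198.51.100.20 445
packet-tracer input inside tcp 192.0.2.11 50000 198.51.100.20 445

! Hit counters show which entry matched, including the logged deny.
show access-list VLAN3_OUT
```

Replies from the NAS to connections opened by the Veeam server pass statefully; the inbound list only governs sessions the NAS starts itself.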