ASA 5505 - Blocking Traffic To Specific IP Addresses

kwashington12 · ‎09-25-2012

I inherited a Cisco ASA 5505 and am trying to piggy back the device off of an established Network. Here is the basic layout:

192.168.10.1 (Core Router - Handles DHCP/DNS)

192.168.10.9 (ASA 5505 - Piggy backing off of Network)

192.168.40.x (ASA 5505 - VLAN)

I'm able to get onto the Internet without any problems. Devices from the 192.168.10x Network can not ping the inside VLAN1 (192.168.40.x). However, I would like traffic going from the inside VLAN to the Outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9. I've tried using ACL's but end up killing my Internet connection. 192.168.10.1 is the default route and is how I get out to the Internet. Is this possible? Essentially, I'm trying to set up a small Network that guests can connect to. The idea is that they can get to the Internet, but that is it. They can't get to internal resources on the 192.168.10.x Network

Here is the config:

ASA Version 8.2(1)

!

hostname ciscoasa

enable password EeCsulrpu.9LalEE encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.40.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.10.9 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.40.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 192.168.10.1

!

dhcpd address 192.168.40.5-192.168.40.100 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:aeda67798b0e31c50b0824462a759a8a

: end

singhaam007 · ‎09-26-2012

hello Jm,

you can use this command

hostname# packet-tracer input inside tcp 10.2.25.3 www 209.165.202.158 aol detailed

this will tell you where ASA drops the packet and detail key word will also show you the detailed infromation

about the reason for connection drop. then start fron there.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

please rate if this helps.

thanks

kwashington12 · ‎09-26-2012

Hi, Amrinder!

I've looked at this in the ASDM and it says the packets are dropped. However, via a ping, packets are still going through to the 192.168.10.x Network. Also, using the example you specified (I looked at the link as well), I'm not able to get the command to run.

"packet-tracer input inside tcp 192.168.40.5 192.168.10.15 detailed"

singhaam007 · ‎09-26-2012

try like this

"packet-tracer input inside tcp 192.168.40.5 555 192.168.10.15 80 detailed"

you need to add port numbers as well. pick any source port like i did 555 and destination 80 which is web port.

input-interface: inside
input-status: up
input-line-status: up
output-interface: outside

output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

it should give you out put like this if it drops the packet.

thanks

mike13786 · ‎10-04-2012

Hello Singh,

thanks for sharing this command, its really helpfull.

thanks

bharat.rajwanshi · ‎09-27-2012

Hi JM,

the first requirement getting failed that is "Devices from the 192.168.10x Network can not ping the inside VLAN1 (192.168.40.x)" it due to subnet on 192.168.10.x has lower security level and subnet on 192.168.40.x has higher security level so it will deby by default from outside to inside.

secondly, do you want - guest users should access to the internet in network 192.168.40.x, Right? if so then try below may work for you -

on the firewall -

$enable nat-control$

nat-control

$ apply access-list for related to inside and Outsiede$

access-list INSIDE_IN permit ip 10.1.40.0 255.255.255.0 any

access-list INSIDE_IN deny ip any any

access-group INSIDE_IN in interface inside

=== this may serve your requirement, if you want to allow any outside to inside the it will require ACL & ACL-Group to be enable=== Good Luck!