Blocking IPs to access my ASA behind a router

ledaouk
Level 1

Hi,

I have an ASA 5505 and I've added a Deny rule in the outside_access_in group which blocks a group of IPs from reaching my ASA and internal network. My ASA was connected to the ISP directly; now the ISP changed the modem and I had to install a new router to support loopback (as the ASA will not support it), and I've installed a C881 between the ASA and modem and configured both of them. I can access the net from inside and my webserver is reachable from outside (http & ftp).

But now the deny rule is not effective and any IP can reach the ASA and my webserver as well.

The config is as follows:

  • Static NAT on Router C881 from the loopback to the webserver ip
  • Static NAT on ASA 5505 to on inside from web server to webserver itself on port 80 & 21
  • permit rule on outside_access_in to allow access from any to the router/ASA subnet and the webserver on 80 and 21
  • Deny rule on outside_access_in to block from the Denied_access group to webserver on all ports which is not working.

In this case is it advised to block on router and not on the ASA? Or my whole setup should be changed?

Thank you.

8 Replies

Hello,

so your setup now is:

ASA --> 881 --> ISP ?

Basically, you would only need to block access on the 881. Can you post the configs of your 881 and the ASA?

ASA --> 881 --> ISP ? yes 100%

please find attached the router config, and which part of the ASA conf do you need? because it has huge lists of IPs

Hello,

--> Deny rule on outside_access_in to block from the Denied_access group to webserver on all ports which is not working.

This is actually what I am looking for...

access-list outside_access_in extended permit tcp any host 172.27.1.4 eq www
access-list outside_access_in extended deny object-group All object-group Denied_Access any

do you think:

access-list outside_access_in extended deny object-group All object-group Denied_Access any

should be before :

access-list outside_access_in extended permit tcp any host 172.27.1.4 eq www 

also during my tests now I found out that browsers will keep caching the page I'm testing, so every time I have to do a lot of refreshes or clear the cache to get the result of my access list rule, or test on another protocol.

I did a test on my mobile IP and it blocked it, but when I add it to the network object group it is not working. Do you think the group has a limit of records? Because this group has over 2000 blocked IPs; does it make sense?

Hello,

indeed the access list should look like the below, otherwise the first match would be to allow any www access to host 172.27.1.4:

access-list outside_access_in extended deny object-group All object-group Denied_Access any
access-list outside_access_in extended permit tcp any host 172.27.1.4 eq www

The caching is a function of the browser. In Chrome, you can disable caching altogether:

https://www.technipages.com/google-chrome-how-to-completely-disable-cache
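The first-match behaviour this answer relies on, as an added example that is not part of the thread or of any Cisco tool: a small Python evaluator for the two ACEs quoted above, showing that with the permit first a source in Denied_Access still reaches port 80, and with the deny first it does not. The object-group contents are constructed, and treating "All" as a protocol group and "Denied_Access" as a network group is an assumption drawn from the ACE word order.

```python
import ipaddress

# Constructed stand-ins for the poster's object-groups ("All" assumed to be a protocol group, "Denied_Access" a network group).
NETWORK_GROUPS = {"Denied_Access": ["203.0.113.0/24", "198.51.100.7/32"]}
PROTOCOL_GROUPS = {"All": {"tcp", "udp", "icmp"}}

# The two ACEs quoted in the thread, in the order the poster had them (permit first).
PERMIT_FIRST = [
    "access-list outside_access_in extended permit tcp any host 172.27.1.4 eq www",
    "access-list outside_access_in extended deny object-group All object-group Denied_Access any",
]
DENY_FIRST = list(reversed(PERMIT_FIRST))  # the order the answer recommends

def parse_addr(tok, i):
    """Parse one address field (any / host A / object-group G) starting at tok[i]."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return [ipaddress.ip_network(n) for n in NETWORK_GROUPS[tok[i + 1]]], i + 2
    raise ValueError("unsupported address token: " + tok[i])

def parse_ace(line):
    """Parse the subset of 'access-list NAME extended ...' syntax used in the thread."""
    tok = line.split()
    ace, i = {"name": tok[1], "action": tok[3]}, 4
    if tok[i] == "object-group":  # protocol object-group
        ace["protos"], i = PROTOCOL_GROUPS[tok[i + 1]], i + 2
    else:                         # literal protocol; "ip" means any protocol
        ace["protos"], i = (None if tok[i] == "ip" else {tok[i]}), i + 1
    ace["src"], i = parse_addr(tok, i)
    ace["dst"], i = parse_addr(tok, i)
    ace["dport"] = None
    if i < len(tok) and tok[i] == "eq":  # optional destination port (name or number)
        ace["dport"] = {"www": 80, "ftp": 21}.get(tok[i + 1]) or int(tok[i + 1])
    return ace

def matches(ace, proto, src, dst, dport):
    ok_proto = ace["protos"] is None or proto in ace["protos"]
    ok_src = any(ipaddress.ip_address(src) in n for n in ace["src"])
    ok_dst = any(ipaddress.ip_address(dst) in n for n in ace["dst"])
    return ok_proto and ok_src and ok_dst and ace["dport"] in (None, dport)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; anything unmatched hits the ASA's implicit deny."""
    for ace in map(parse_ace, acl):
        if matches(ace, proto, src, dst, dport):
            return ace["action"]
    return "deny"
```

Running `evaluate(PERMIT_FIRST, "tcp", "203.0.113.5", "172.27.1.4", 80)` returns "permit" while the same packet against DENY_FIRST returns "deny", which is exactly the symptom described in the question.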

sorry here is the router config

I found out that even when the block IP (DENY) is at the top of the ACL, I have to apply it, remove the PERMIT rule and apply it again; only in this case will it work, otherwise the IP will be able to access.
