05-08-2018 10:27 AM - edited 03-08-2019 02:57 PM
Hi,
I have an ASA 5505 and I've added a Deny rule in the outside_access_in group which blocks a group of IPs from reaching my ASA and internal network. My ASA was connected to the ISP directly; now the ISP changed the modem and I had to install a new router to support loopback (as the ASA will not support it), so I've installed a C881 between the ASA and the modem and configured both of them. I can access the net from inside and my webserver is reachable from outside (http & ftp).
But now the deny rule is not effective and any IP can reach the ASA and my webserver as well.
The config is as follows:
In this case is it advised to block on router and not on the ASA? Or my whole setup should be changed?
Thank you.
05-08-2018 11:10 AM
Hello,
so your setup now is:
ASA --> 881 --> ISP ?
Basically, you would only need to block access on the 881. Can you post the configs of your 881 and the ASA ?
05-08-2018 11:47 AM
ASA --> 881 --> ISP ? yes 100%
please find attached the router config, and which part of the ASA conf do you need? because it has a huge list of IPs
05-08-2018 01:36 PM
Hello,
--> Deny rule on outside_access_in to block the Denied_access group from reaching the webserver on all ports, which is not working.
This is actually what I am looking for...
05-08-2018 01:57 PM
access-list outside_access_in extended permit tcp any host 172.27.1.4 eq www
access-list outside_access_in extended deny object-group All object-group Denied_Access any
do you think:
access-list outside_access_in extended deny object-group All object-group Denied_Access any
should be before :
access-list outside_access_in extended permit tcp any host 172.27.1.4 eq www
also during my tests now I found out that browsers will keep caching the page I'm testing, so every time I have to do a lot of refreshes or clear the cache to get the result of my access list rule, or test on another protocol.
05-08-2018 02:11 PM
I did a test on my mobile IP and it blocked it, but when I add it to the network object group it is not working. Do you think the group has a limit of records? Because this group has over 2000 blocked IPs; does it make sense?
05-08-2018 02:27 PM
Hello,
indeed the access list should look like the below, otherwise the first match would be to allow any www access to host 172.27.1.4:
access-list outside_access_in extended deny object-group All object-group Denied_Access any
access-list outside_access_in extended permit tcp any host 172.27.1.4 eq www
The caching is a function of the browser. In Chrome, you can disable caching altogether:
https://www.technipages.com/google-chrome-how-to-completely-disable-cache
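As an added illustration of the first-match point above (not code from the thread or from Cisco), a small Python model of ASA-style extended ACL evaluation run over the two ACEs quoted in the thread. The contents of the Denied_Access group are constructed sample networks, and the "All" protocol object-group is assumed to match any protocol and port.

```python
import ipaddress

# Constructed sample contents; the thread's real group (2000+ IPs) is not on the page.
NETWORK_GROUPS = {"Denied_Access": ["198.51.100.0/24", "203.0.113.7/32"]}
PORT_NAMES = {"www": 80, "ftp": 21}

def _take_addr(tok, i):
    """Consume one address spec starting at tok[i]; return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        net = ipaddress.ip_network(tok[i + 1])
        return (lambda ip: ip in net), i + 2
    if tok[i] == "object-group":
        nets = [ipaddress.ip_network(n) for n in NETWORK_GROUPS[tok[i + 1]]]
        return (lambda ip: any(ip in n for n in nets)), i + 2
    net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")  # "A.B.C.D MASK" form
    return (lambda ip: ip in net), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "extended"
    action, i = tok[3], 4
    if tok[i] == "object-group":   # protocol object-group (e.g. All): assumed any proto/port
        proto, i = None, i + 2
    else:
        proto, i = tok[i], i + 1
    src, i = _take_addr(tok, i)
    dst, i = _take_addr(tok, i)
    port = int(PORT_NAMES.get(tok[i + 1], tok[i + 1])) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First-match evaluation; an unmatched packet hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in (parse_ace(line) for line in acl):
        if p not in (None, proto) or port not in (None, dport):
            continue
        if src(s) and dst(d):
            return action
    return "deny"

# The two ACEs from the thread, in the order that does not block (permit first)...
WRONG_ORDER = [
    "access-list outside_access_in extended permit tcp any host 172.27.1.4 eq www",
    "access-list outside_access_in extended deny object-group All object-group Denied_Access any",
]
# ...and with the deny moved to the top, as recommended in the reply above.
RIGHT_ORDER = list(reversed(WRONG_ORDER))
```

Running evaluate() with a source inside the sample Denied_Access range against 172.27.1.4 port 80 returns "permit" for WRONG_ORDER and "deny" for RIGHT_ORDER, while a source outside the group is still permitted in both.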
05-08-2018 11:55 AM
05-11-2018 02:57 PM
I found out that even when the block IP (DENY) is at the top of the ACL I have to apply it, remove the PERMIT rule and apply it again; only in this case it will work, otherwise the IP will be able to access.