IP traffic blocking Cisco ASA 5525

yogesh1
Level 1

Hi All,

Good day to all. I need to block traffic from a particular IP range, 192.168.1.0/24, on our Cisco ASA 5525 firewall.

Is there any command by which we can block all the traffic from a particular IP range?

4 Replies

johnlloyd_13
Level 9

Hi,

You can use an ACL on the ASA and define whether it is inbound or outbound blocking/filtering.

BTW, are you using FirePOWER on the ASA 5525?

Dear John,

Please find the running config below from the firewall, and please suggest ACL commands for blocking traffic from a particular IP range.
 
PANASONIC-CPT-ASA1# sh run
PANASONIC-CPT-ASA1# sh running-config
: Saved

:
: Serial Number: FCH221871KE
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname PANASONIC-CPT-ASA1
enable password $sha512$5000$Q7Up4PdawC5OTTdh3+wOdQ==$2Y6IisiAUF5WfrvUgmQpqA== pbkdf2
names

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 197.xx.xx.xx
!
interface GigabitEthernet0/1
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.70
 vlan 70
 nameif VOIP
 security-level 100
 ip address 172.xx.xx.xx
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.xx.xx.xx
!
interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/3
 nameif WIFI
 security-level 50
 ip address 192.xx.xx.xx
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 no nameif
 security-level 100
 no ip address
!
boot system disk0:/asa982-smp-k8.bin
ftp mode passive
object network LAN-SUBNET
 subnet 10.xx.xx.xx.xx
object network VOIP-SUBNET
 subnet 172.xx.xx.xx
object network REMOTE_SUBNET_JHB
 subnet 10.xx.xx.xx
object network LOCAL-SUBNET
 subnet 10.xx.xx.xx
object network NETWORK_OBJ_10.xx.xx.xx
 subnet 10.xx.xx.xx
object network PABX_Remote_Access
 host 172.xx.xx.xx
object-group network PANASONIC_MUMBAI
 network-object 10..xx.xx.xx
 
object-group network durban_network_group
 network-object object NETWORK_OBJ_10.xx.xx.xx
object-group network panasonic_durbongroup
 network-object 10.xx.xx.xx
access-list outside_access_in extended permit ip any object LAN-SUBNET
access-list outside_access_in extended permit ip any object VOIP-SUBNET
access-list global_access extended permit ip any any
access-list global_access extended permit icmp any any
access-list internet_access standard permit 10.xx.xx.xx
access-list internet_access_all extended permit ip any any
access-list internet_access_all extended permit icmp any any
access-list VOIP_access_in extended permit ip any any
access-list JHB_ACL extended permit ip object LOCAL-SUBNET object REMOTE_SUBNET_JHB
access-list intoout extended permit ip any any
access-list outside_cryptomap extended permit ip object LOCAL-SUBNET object-group PANASONIC_MUMBAI
access-list outside_cryptomap_1 extended permit ip object LAN-SUBNET object-group panasonic_durbongroup
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VOIP 1500
mtu inside 1500
mtu WIFI 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static LOCAL-SUBNET LOCAL-SUBNET destination static PANASONIC_MUMBAI PANASONIC_MUMBAI no-proxy-arp route-lookup
nat (inside,outside) source static LOCAL-SUBNET LOCAL-SUBNET destination static REMOTE_SUBNET_JHB REMOTE_SUBNET_JHB no-proxy-arp route-lookup
nat (VOIP,outside) source dynamic VOIP-SUBNET interface
nat (inside,outside) source static LAN-SUBNET LAN-SUBNET destination static NETWORK_OBJ_10.xx.xx.xx NETWORK_OBJ_10..xx.xx.xx no-proxy-arp route-lookup
nat (inside,outside) source static LAN-SUBNET LAN-SUBNET destination static panasonic_durbongroup panasonic_durbongroup no-proxy-arp route-lookup
!
object network LAN-SUBNET
 nat (any,outside) dynamic interface
object network PABX_Remote_Access
 nat (VOIP,outside) static 197.98.191.39 service tcp www 8085
access-group internet_access_all in interface outside
access-group VOIP_access_in in interface VOIP
route outside 0.0.0.0 0.0.0.0 197.xx.xx.xx
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 45.xx.xx.xx 255.255.255.255 outside
http 45.xx.xx.xx 255.255.255.255 outside
http 41.xx.xx.xx outside
http 41.xx.xx.xx outside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set PZA_TO_MUM_ASA_TO_FORTIGATE esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set PZA_TO_MUM_ASA_TO_FORTIGATE mode transport
crypto ipsec ikev1 transform-set JHB_TRANSFORM esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 1.xx.xx.xx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 196.xx.xx.xx
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 10 match address JHB_ACL
crypto map outside_map 10 set peer 196.xx.xx.xx
crypto map outside_map 10 set ikev1 transform-set JHB_TRANSFORM
crypto map outside_map 10 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=197.xx.xx.xx,CN=PANASONIC-CPT-ASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 6e322b5b
  quit
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 513fb9743870b73440418d30930699ff
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh stricthostkeycheck
ssh 41.xx.xx.xx outside
ssh 45.xx.xx.xx outside
ssh 41.xx.xx.xx outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd lease 28800
dhcpd domain panasonic.co.in
!
dhcpd address 10.xx.xx.xx inside
dhcpd dns 10.xx.xx.xx interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default low
ssl cipher tlsv1 low
ssl cipher tlsv1.1 low
ssl cipher tlsv1.2 low
ssl cipher dtlsv1 low
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside vpnlb-ip
group-policy GroupPolicy_103.xx.xx.xx internal
group-policy GroupPolicy_103.xx.xx.xx attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_196.xx.xx.xx internal
group-policy GroupPolicy_196.xx.xx.xx attributes
 vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
username panasonic password $sha512$5000$VEFH27ZwEY06SyNYUHWApQ==$I59sIezhAPm2fCTWNFTMqA== pbkdf2 privilege 15
username t6f password $sha512$5000$x7zK514rRE8Jm+qX4meVug==$LgcHL+JREH3eByTw3m9wxQ== pbkdf2 privilege 15
username yogesh password $sha512$5000$KNBPIwRA/y/aC9dae03Iag==$AlOv8RCErRpDH44sho2IWg== pbkdf2
tunnel-group 103.xx.xx.xx type ipsec-l2l
tunnel-group 103.xx.xx.xx general-attributes
 default-group-policy GroupPolicy_103.xx.xx.xx
tunnel-group 103.xx.xx.xx ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 196.xx.xx.xx type ipsec-l2l
tunnel-group 196.xx.xx.xx ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 196.xx.xx.xx type ipsec-l2l
tunnel-group 196.xx.xx.xx general-attributes
 default-group-policy GroupPolicy_196.xx.xx.xx
tunnel-group 196.xx.xx.xx ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:4d9846026d579211f1977ab5fc615207
: end
PANASONIC-CPT-ASA1#

Dear All,

Can you please help?

Something like "access-list XXX deny ip 192.168.1.0 0.0.0.255 any" should do the trick. Remember to enter an allow all line after this.
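The ACL approach from the replies above, worked through as an added example (not code from the thread or from Cisco): ASA extended ACLs take a subnet mask (255.255.255.0) rather than an IOS wildcard, entries are evaluated top-down with the first match winning, and an ACL bound to an interface with access-group ends in an implicit deny, which is why the permit line after the deny matters. The interface name WIFI and the ACL name WIFI_access_in are assumptions, as is placing 192.168.1.0/24 behind that interface.

```python
import ipaddress

# Constructed ACL in ASA syntax (added example, not from the thread). It assumes
# the 192.168.1.0/24 hosts sit behind the interface named "WIFI", so it would be
# bound with: access-group WIFI_access_in in interface WIFI
WIFI_ACL = """
access-list WIFI_access_in extended deny ip 192.168.1.0 255.255.255.0 any
access-list WIFI_access_in extended permit ip any any
"""
# Same two lines reversed: the permit shadows the deny, so nothing is blocked.
WRONG_ORDER_ACL = "\n".join(reversed(WIFI_ACL.strip().splitlines()))
# Only the deny: every other source falls through to the implicit deny.
DENY_ONLY_ACL = WIFI_ACL.strip().splitlines()[0]

def is_subnet_mask(mask):
    """True for a contiguous subnet mask (255.255.255.0); False for an IOS-style
    wildcard such as 0.0.0.255, which ASA ACL syntax does not use."""
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0

def _operand(tok, i):
    """Parse one address operand at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if not is_subnet_mask(tok[i + 1]):
        raise ValueError(f"ASA expects a subnet mask, not wildcard {tok[i + 1]}")
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text, name):
    """Ordered (action, src_net, dst_net) tuples for the 'ip' entries of ACL `name`."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:3] != ["access-list", name, "extended"] or tok[4] != "ip":
            continue
        src, i = _operand(tok, 5)
        dst, _ = _operand(tok, i)
        entries.append((tok[3], src, dst))
    return entries

def decide(text, name, src_ip, dst_ip):
    """First match wins; an ACL bound with access-group ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in parse_acl(text, name):
        if s in src and d in dst:
            return action
    return "deny"
```

An ACL change only affects new connections; sessions already established from the range keep running until they are cleared with `clear conn`.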
