Blocking Internet Access on ASA 5505
17 years 4 months ago #22345
by jrecto
I am new to the Cisco firewall and need some help with blocking internet access to specific users.
I have a group of IP address that are not allowed to have Internet access. How would I go about setting this up?
Thanks!!
Jasper
17 years 4 months ago #22347
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
If you just want to block all access through the ASA for a group of IP addresses you can do the following:
1. Create an Object Group
2. Create an Access-List
3. Apply the Access-List.
The creation of the Object Group will depend on the group of IP addresses. If they are a contiguous group that can be mapped using a subnet mask, e.g. 10.10.10.1 to 10.10.10.15, you could do 10.10.10.0/28 (10.10.10.0 255.255.255.240), which will cover this range. You can then create the Object Group by typing this:
[code]
object-group network deny_ips
network-object 10.10.10.0 255.255.255.240
[/code]
Then you can create an access-list:
[code]
access-list inside-int extended deny ip object-group deny_ips any
access-list inside-int extended permit ip any any
[/code]
Then you need to apply the access-list:
[code]
access-group inside-int in interface inside
[/code]
That's basically how you would do what you asked. However, I would not simply create an access-list to deny a specific range of IPs and allow all other traffic out; you need to develop a proper policy on what traffic is allowed out of the network and create the access-list accordingly.
Cheers
Wayne
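The object-group / access-list / access-group sequence in the reply above is evaluated first-match, with an implicit deny at the end of every ASA access list, so the order of the deny and permit entries decides whether the block works at all. The following Python is an added example, not code from the thread or from Cisco: a small evaluator for just the subset of ASA syntax used in the post, so the intended policy can be checked against sample source addresses before it is applied to an interface. SAMPLE_CONFIG, REVERSED_CONFIG, outbound_verdict() and the 203.0.113.10 destination are this example's own constructed names and values.

```python
"""
Added example (not from the thread): a first-match evaluator for the subset of
ASA object-group / access-list / access-group syntax used in the reply above.
SAMPLE_CONFIG, REVERSED_CONFIG and outbound_verdict() are this example's own.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the three pieces from the post, in the order given.
SAMPLE_CONFIG = """
object-group network deny_ips
 network-object 10.10.10.0 255.255.255.240
access-list inside-int extended deny ip object-group deny_ips any
access-list inside-int extended permit ip any any
access-group inside-int in interface inside
"""

# Constructed counter-example: same entries, but the permit listed first.
REVERSED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list inside-int extended deny ip object-group deny_ips any\n"
    "access-list inside-int extended permit ip any any\n",
    "access-list inside-int extended permit ip any any\n"
    "access-list inside-int extended deny ip object-group deny_ips any\n",
)

ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # only "ip" appears in the post; kept for readability
    src: list     # ip_network objects the source must fall in
    dst: list     # ip_network objects the destination must fall in


def parse_address(tokens, groups):
    """Consume one address spec: any | host A | object-group G | A MASK."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return [net], tokens[2:]


def parse_config(text):
    """Return (object_groups, acls, bindings) from the supported subset."""
    groups, acls, bindings = {}, {}, {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["object-group", "network"]:
            current = parts[2]
            groups[current] = []
        elif parts[0] == "network-object":
            nets, _ = parse_address(parts[1:], groups)
            groups[current].extend(nets)
        elif parts[0] == "access-list":
            # access-list NAME extended ACTION PROTO SRC DST
            name, action, proto = parts[1], parts[3], parts[4]
            src, rest = parse_address(parts[5:], groups)
            dst, _ = parse_address(rest, groups)
            acls.setdefault(name, []).append(Rule(action, proto, src, dst))
        elif parts[0] == "access-group":
            # access-group NAME in interface IFACE  ->  bindings[(IFACE, "in")]
            bindings[(parts[4], parts[2])] = parts[1]
    return groups, acls, bindings


def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if any(src in n for n in rule.src) and any(dst in n for n in rule.dst):
            return rule.action
    return "deny"


def outbound_verdict(config_text, src_ip, dst_ip, iface="inside"):
    """Verdict for a packet entering `iface` under the access-group binding."""
    _, acls, bindings = parse_config(config_text)
    return evaluate(acls[bindings[(iface, "in")]], src_ip, dst_ip)


if __name__ == "__main__":
    for host in ("10.10.10.1", "10.10.10.15", "10.10.10.16", "10.10.20.7"):
        print(host, "->", outbound_verdict(SAMPLE_CONFIG, host, "203.0.113.10"),
              "| reversed order ->",
              outbound_verdict(REVERSED_CONFIG, host, "203.0.113.10"))
```

Running it shows 10.10.10.1 through 10.10.10.15 denied and everything outside the /28 permitted under the posted order, while REVERSED_CONFIG permits every host because `permit ip any any` matches first and the deny entry is never reached. The same evaluator also makes the point in the last paragraph of the reply concrete: with only the deny entry in the list, every other host is dropped by the implicit deny, which is why the allowed traffic has to be spelled out explicitly.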
17 years 4 months ago #22348
by jrecto
Thanks Wayne for the reply.
Forgive me, but how do you apply the code? I am using the ASDM interface and not the command line interface. I created the object group. I created the Deny access rule on the inside interface for incoming traffic. I associated it with the No Access group and chose the IP protocol.
When you say apply it, how do you do that? Or is saving that rule applying it?
I need to have this No Access group for machines on our shop floor that have Windows-based systems. We don't want our machine operators using their machines to access the Internet. I'm not sure what other options I have besides creating a no access group.
Thanks!
Jasper
17 years 4 months ago #22356
by Smurf
Sorry, I am not sure about the ASDM as I don't use it.
17 years 4 months ago #22485
by Bikramjit
Hey,
If you want to put those commands in from ASDM, go to Tools -> Command Line Interface -> type the commands in the box -> Send -> Apply.
Hope this helps!!