
Blocking Internet Access on ASA 5505

17 years 5 months ago #22345 by jrecto
I am new to the Cisco firewall and need some help with blocking internet access to specific users.

I have a group of IP addresses that are not allowed to have Internet access. How would I go about setting this up?

Thanks!!
Jasper
17 years 5 months ago #22347 by Smurf
If you just want to block all access through the ASA for a group of IP addresses you can do the following:

Create an Object Group
Create an Access-List
Apply the Access-List.

The creation of the Object Group will depend on the group of IP addresses. If they are a continuous group that can be mapped using a subnet mask, i.e. 10.10.10.1 to 10.10.10.15, you could do 10.10.10.0/28 (10.10.10.0 255.255.255.240), which will cover this range. You can then create the Object Group by typing this:

[code:1]
object-group network deny_ips
network-object 10.10.10.0 255.255.255.240
[/code:1]

Then you can create an access-list

[code:1]
access-list inside-int extended deny ip object-group deny_ips any
access-list inside-int extended permit ip any any
[/code:1]

Then you need to apply the access list

[code:1]
access-group inside-int in interface inside
[/code:1]

That's basically how you would do what you asked; however, I would not simply create an access list to deny a specific range of IPs and allow all other traffic out. You need to develop a proper policy on what traffic is allowed out of the network and create the access-list accordingly.

Cheers

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
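Added example, not from the original post or the Firewall.cx site, extending Wayne's three steps to a non-contiguous set of hosts and to the tighter outbound policy he recommends instead of a bare deny-plus-permit-all. The host addresses, the internal DNS resolver 10.10.1.53 and the allowed service list are assumptions for illustration.

```cisco
! Step 1: object group covering the denied machines.
! A /28 for the contiguous block plus individual hosts for the stragglers.
object-group network deny_ips
 network-object 10.10.10.0 255.255.255.240
 network-object host 10.10.20.7
 network-object host 10.10.20.9
!
! Services the rest of the LAN is allowed to reach outbound (assumed policy).
object-group service allowed_out tcp
 port-object eq www
 port-object eq https
!
! Step 2: access list, evaluated top-down, first match wins.
! The deny for the shop-floor group comes first so it can never hit a permit.
access-list inside-int extended deny ip object-group deny_ips any log
! Everyone else: web only, plus DNS to the internal resolver (assumed address).
access-list inside-int extended permit tcp any any object-group allowed_out
access-list inside-int extended permit udp any host 10.10.1.53 eq domain
! Explicit final deny with logging so blocked traffic shows up in syslog.
access-list inside-int extended deny ip any any log
!
! Step 3: apply it inbound on the inside interface.
access-group inside-int in interface inside
!
! Checks: per-line hit counters, and a simulated packet from a denied host
! (203.0.113.10 is a documentation address standing in for a web server).
! show access-list inside-int
! packet-tracer input inside tcp 10.10.10.5 1025 203.0.113.10 80
```

Because the list is applied inbound on inside, the first deny also stops the group from reaching anything on other ASA interfaces (DMZ, VPN), not only the Internet; if they need those networks, add permits for them above the deny line. Traffic between hosts on the same inside segment never crosses the ASA and is unaffected.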
17 years 5 months ago #22348 by jrecto
Thanks Wayne for the reply.

Forgive me, but how do you apply the code? I am using the ASDM interface and not the command line interface. I created the object group. I created the Deny access rule on the inside interface for incoming traffic. I associated it with the No Access group and chose the IP protocol.

When you say apply it, how do you do that? Or is saving that rule applying it?

I need to have this No Access group for machines on our shop floor that have Windows-based systems. We don't want our machine operators using their machines to access the Internet. I'm not sure what other options I have besides creating a no access group.

Thanks!
Jasper
17 years 5 months ago #22356 by Smurf
Sorry, I am not sure with the ASDM as I don't use it.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 4 months ago #22485 by Bikramjit
Hey,

If you want to put those commands in from ASDM, go to Tools -> Command Line Interface -> type the commands in the box -> Send -> Apply.

Hope this helps!!