Only block from certain subnet in Cisco ASA

06-Nov 11.33.45

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
no aaa new-model
switch 1 provision ws-c3750g-24t
system mtu routing 1500
ip routing
ip dhcp pool 10pool
lease 7
ip dhcp pool 20pool
lease 7
crypto pki trustpoint TP-self-signed-2836849920
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2836849920
revocation-check none
rsakeypair TP-self-signed-2836849920
crypto pki certificate chain TP-self-signed-2836849920

spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
vlan internal allocation policy ascending
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface GigabitEthernet1/0/13
switchport access vlan 20
switchport mode access
interface GigabitEthernet1/0/14
interface GigabitEthernet1/0/15
interface GigabitEthernet1/0/16
interface GigabitEthernet1/0/17
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
interface GigabitEthernet1/0/20
interface GigabitEthernet1/0/21
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/24
no switchport
ip address
interface Vlan1
no ip address
interface Vlan10
ip address
interface Vlan20
ip address
ip classless
ip route
ip http server
ip http secure-server
line con 0
line vty 0 4
line vty 5 15

ASA5505# sh run
ASA Version 9.2(2)4
hostname ASA5505
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone GMT 7
dns domain-lookup outside
dns server-group DefaultDNS
object network obj_any
object network VLAN10
access-list dynamic-filter_acl extended permit ip any any
access-list acl-inside extended deny ip object VLAN10 any
access-list acl-inside extended permit ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
access-group acl-inside in interface inside
route inside 1
route inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns
dhcpd domain
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside
tls-proxy maximum-session 24
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside classify-list dynamic-filter_acl
ntp server prefer
username cisco password 3USUcOPFUiMCO4Jk encrypted
class-map dynamic-filter_snoop_class
match port udp eq domain
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
policy-map dynamic-filter_snoop_policy
class dynamic-filter_snoop_class
inspect dns dynamic-filter-snoop
service-policy global_policy global
service-policy dynamic-filter_snoop_policy interface outside
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s