How to add a drop rule to a Cisco ASA


The syntax for adding a rule in an ASA device to deny traffic for a group of IPs, i.e. a Blocklist is as follows:

SSH to the Cisco as usual and enter enable mode and configure terminal mode:


enter the password

$conf t


Now that you are elevated and in configuration mode, use the following to generate a new group:

#object-group network DenyIP

DenyIP is simply the name I use for the group.

Now we will add an IP to this list with:

#network-object host

We've just added the IP to the object group "DenyIP"

Now that we have a list to add IPs to, we can create a rule that will deny traffic to anything on this list:

#access-list outside_access_in extended deny IP object-group DenyIP

That's it. If this is a preexisting Cisco, you may need to make sure this rule is above the rest. You can do that with:

"no access-list outside_access_in extended deny ip object-group DenyIP"

This will nuke the rule you just created. Now let's do that again, but put it up top:

#access-list outside_access_in line 2 extended deny ip object-group DenyIP

This will create that ACL and place it in line2. Line 1 is usually the rule for support access. Just use the appropriate line number and make sure the Deny rule is in place before any allow all type rules.

#wr mem

Do not forget to save your work!

For the new more current Ciscos, the outside/ inside syntax is now Public/ Private. Basically, so a sh ru to see the configuration that you need to follow. Or a sh ver to see the version of IOS on the device.


Was this article helpful?
0 out of 0 found this helpful

Have more questions? Contact our support instantly via Live Chat