Basic access-list question

Answered Question
Mar 24th, 2007

Forgive me for such a basic question...

I currently allow ftp access from my outside interface to the server on my inside interface:

static (inside,outside) 192.168.254.21 192.168.0.60 netmask 255.255.255.255

access-list in permit tcp any host 192.168.254.21 eq ftp

access-group in in interface outside

Now, I don't like restricting based on IP address, but I have noticed 2 or 3 IP addresses (that seem to be static) that are attacking my ftp server.

When I write my access-list 'deny' statement for those IP addresses, am I going to apply it to the outside interface or the inside interface, as I currently allow everyone to access my ftp server from my outside interface...

In what order are access-lists evaluated?

(I'm 40 something and some things are not sinking in as quickly as when I was 20 something)

Correct Answer
Jon Marshall Sat, 03/24/2007 - 18:47

Hi

You should apply it on the outside interface access-list. So

access-list in deny tcp host "bad ip address1" host 192.168.254.21 eq ftp

access-list in deny tcp host "bad ip address2" host 192.168.254.21 eq ftp

etc. for bad IP addresses

access-list in permit tcp any host 192.168.254.21 eq ftp

Know what you mean about things taking longer to sink in :-)

HTH

Jon

srberg5219 Sat, 03/24/2007 - 19:07

I might be over complicating things, but, the ACL currently letting all ftp traffic in on my outside interface is already in place.

Do I need to first delete this rule, go back write my 'deny' ACLs, and then re-add my permit rule?

Or can I just add the deny rule(s) to my production PIX?

Correct Answer
acomiskey Sat, 03/24/2007 - 20:27

The denies must be before the permit any or they won't do anything. It goes from the top down and stops at the first match.
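
As an added illustration of the top-down, first-match rule acomiskey describes and of the ordering in Jon's answer (this is example code written for this page, not anything posted in the thread and not a Cisco tool): a small Python model that parses PIX-style access-list lines and evaluates a connection against them, including the implicit deny at the end. The server address is the one from the question; the two attacker addresses and the legitimate client address are constructed stand-ins for the "bad ip address" placeholders.

```python
# Added example (not from the thread): model how a PIX walks an access-list
# top down and stops at the first matching entry. The ACE syntax mirrors the
# lines posted above; the attacker/client addresses are constructed.
import ipaddress
from typing import NamedTuple, Optional

PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80}


class Ace(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tokens[2], tokens[3]
    rest = tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        port = rest[1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, src: str, dst: str, proto: str = "tcp", dport: int = 21):
    """Return (action, index) of the first matching ACE.

    If no entry matches, the result is the implicit deny at the end of every
    access-list, reported with index None.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i          # first match wins; nothing below is consulted
    return "deny", None


SERVER = "192.168.254.21"                      # static translation from the question
BAD_IPS = ["203.0.113.5", "203.0.113.6"]       # constructed stand-ins for "bad ip address1/2"
LEGIT_CLIENT = "198.51.100.9"                  # constructed ordinary FTP client

PERMIT_ANY = f"access-list in permit tcp any host {SERVER} eq ftp"
DENIES = [f"access-list in deny tcp host {ip} host {SERVER} eq ftp" for ip in BAD_IPS]

# Denies simply added after the existing permit: they sit below it and never match.
APPENDED = [parse_ace(line) for line in [PERMIT_ANY] + DENIES]
# Denies placed above the permit, as both answers recommend.
CORRECT = [parse_ace(line) for line in DENIES + [PERMIT_ANY]]


def check_attacker(acl, attacker: str = "203.0.113.5") -> str:
    return evaluate(acl, attacker, SERVER)[0]


def check_legit(acl, client: str = LEGIT_CLIENT) -> str:
    return evaluate(acl, client, SERVER)[0]


if __name__ == "__main__":
    for name, acl in (("denies appended", APPENDED), ("denies first", CORRECT)):
        print(f"{name:16} attacker -> {check_attacker(acl)}, "
              f"other client -> {check_legit(acl)}")
```

Running it shows the attacker still permitted when the deny lines are appended below the permit, and denied only when they come first, while the ordinary client is permitted in both cases and any non-FTP port hits the implicit deny. On PIX releases that accept a line number in the access-list command, the deny entries can be inserted above the permit without touching it; otherwise the permit has to be removed and re-added after the denies, which is the sequence the question describes.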

srberg5219 Sat, 03/24/2007 - 20:53

Nothing like your boss coming to you one day and saying, "Here's a PIX. Get it working by Monday."

You the man (or woman...or tech) acomiskey!

YOU and your help are always much appreciated!
