Basic access-list question

Mar 24th, 2007

Forgive me for such a basic question...


I currently allow ftp access from my outside interface to the server on my inside interface:

static (inside,outside) 192.168.254.21 192.168.0.60 netmask 255.255.255.255

access-list in permit tcp any host 192.168.254.21 eq ftp

access-group in in interface outside


Now, I don't like restricting based on IP address, but I have noticed 2 or 3 IP addresses (that seem to be static) that are attacking my ftp server.


When I write my access-list 'deny' statement for those IP addresses, am I going to apply it to the outside interface or the inside interface? I currently allow everyone to access my ftp server from my outside interface...


In what order are access-lists evaluated?


(I'm 40 something and some things are not sinking in as quickly as when I was 20 something)



Correct Answer
Jon Marshall Sat, 03/24/2007 - 18:47

Hi


You should apply it on the outside interface access-list. So


access-list in deny tcp host "bad ip address1" host 192.168.254.21 eq ftp

access-list in deny tcp host "bad ip address2" host 192.168.254.21 eq ftp

etc. for bad IP addresses

access-list in permit tcp any host 192.168.254.21 eq ftp


Know what you mean about things taking longer to sink in :-)


HTH


Jon


srberg5219 Sat, 03/24/2007 - 19:07

I might be over complicating things, but, the ACL currently letting all ftp traffic in on my outside interface is already in place.

Do I need to first delete this rule, go back write my 'deny' ACLs, and then re-add my permit rule?


Or can I just add the deny rule(s) to my production PIX?

Correct Answer
acomiskey Sat, 03/24/2007 - 20:27

The denies must be before the permit any or they won't do anything. It goes from the top down and stops at the first match.
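To make the top-down, first-match rule in both answers concrete, here is an added Python simulation (not from the thread or from Cisco) that evaluates the two orderings: Jon's, with the denies before the permit, and the one you get by simply appending the denies after the existing permit-any. The attacker and client addresses are constructed placeholders standing in for the "bad ip address" hosts.

```python
import ipaddress

# Constructed sample: the two orderings discussed in the thread. The attacker
# addresses stand in for Jon's "bad ip address" placeholders.
BAD_HOSTS = ["203.0.113.10", "203.0.113.11"]
SERVER = "192.168.254.21"
PORTS = {"ftp": 21}

DENY_ACES = [f"access-list in deny tcp host {h} host {SERVER} eq ftp" for h in BAD_HOSTS]
PERMIT_ACE = f"access-list in permit tcp any host {SERVER} eq ftp"
DENIES_FIRST = DENY_ACES + [PERMIT_ACE]        # Jon's ordering
DENIES_APPENDED = [PERMIT_ACE] + DENY_ACES     # denies tacked onto the existing ACL

def _parse_addr(tok, i):
    """Return (network, next index) for 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny tcp SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return tok[2], src, dst, port

def evaluate(acl, src, dst, dport):
    """Top-down, first match wins; implicit deny at the end, as on the PIX."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl, 1):
        action, snet, dnet, port = parse_ace(line)
        if s in snet and d in dnet and (port is None or port == dport):
            return action, n          # which line matched
    return "deny", None

def check_orderings(attacker="203.0.113.10", other="198.51.100.7"):
    """Result for an attacker and an ordinary client under both orderings."""
    return {
        name: (evaluate(acl, attacker, SERVER, 21)[0], evaluate(acl, other, SERVER, 21)[0])
        for name, acl in (("denies_first", DENIES_FIRST), ("denies_appended", DENIES_APPENDED))
    }
```

With the denies first the attacker is dropped and everyone else still reaches ftp; with the denies appended, the permit-any on line 1 matches first and the deny lines are never reached.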

srberg5219 Sat, 03/24/2007 - 20:53

Nothing like your boss coming to you one day and saying, "Here's a PIX. Get it working by Monday."


You the man (or woman... or tech) acomiskey!

YOU and your help are always much appreciated!
