03-24-2007 06:22 PM - edited 03-11-2019 02:51 AM
Forgive me for such a basic question...
I currently allow ftp access from my outside interface to the server on my inside interface:
static (inside,outside) 192.168.254.21 192.168.0.60 netmask 255.255.255.255
access-list in permit tcp any host 192.168.254.21 eq ftp
access-group in in interface outside
Now, I don't like restricting based on IP address, but I have noticed 2 or 3 IP addresses (that seem to be static) that are attacking my ftp server.
When I write my access-list 'deny' statement for those IP addresses, am I going to apply it to the outside interface or the inside interface, as I currently allow everyone to access my ftp server from my outside interface...
In what order are access-lists evaluated?
(I'm 40 something and some things are not sinking in as quickly as when I was 20 something)
03-24-2007 06:47 PM
Hi
You should apply it on the outside interface access-list. So
access-list in deny tcp host "bad ip address1" host 192.168.254.21 eq ftp
access-list in deny tcp host "bad ip address2" host 192.168.254.21 eq ftp
etc. for the bad IP addresses
access-list in permit tcp any host 192.168.254.1 eq ftp
Know what you mean about things taking longer to sink in :-)
HTH
Jon
03-24-2007 08:27 PM
The denies must be before the permit any or they won't do anything. It goes from the top down and stops at the first match.
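To make the top-down, first-match rule concrete, here is an added Python simulation (not Cisco code and not part of this thread) that walks PIX-style access-list lines in order and reports which entry a packet hits; the attacking host 203.0.113.7 and the normal client 198.51.100.5 are constructed documentation-range addresses, and the server address is the one from the thread.

```python
# Added example: a small first-match simulator for PIX-style access-list lines,
# written to show why a deny placed after "permit ... any" never fires.
import ipaddress
from typing import List, Tuple

SERVICE_PORTS = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}

def _parse_addr(tok: List[str], i: int):
    """Return (network, next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # PIX uses real masks

def parse_ace(line: str) -> dict:
    """Parse 'access-list NAME permit|deny tcp SRC DST [eq PORT]' into a dict."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError(f"unsupported entry: {line}")
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = SERVICE_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": tok[2], "src": src, "dst": dst, "port": port}

def evaluate(acl: List[str], src: str, dst: str, dport: int) -> Tuple[str, int]:
    """Walk the list top-down and stop at the first match, as the PIX does.
    Returns (action, index); index -1 means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, line in enumerate(acl):
        ace = parse_ace(line)
        if s in ace["src"] and d in ace["dst"] and ace["port"] in (None, dport):
            return ace["action"], idx
    return "deny", -1

# Constructed addresses: 203.0.113.7 plays the attacking host, 198.51.100.5 a normal client.
WRONG_ORDER = [  # the deny sits below the permit-any, so it is never reached
    "access-list in permit tcp any host 192.168.254.21 eq ftp",
    "access-list in deny tcp host 203.0.113.7 host 192.168.254.21 eq ftp",
]
RIGHT_ORDER = [  # deny first, then the existing permit
    "access-list in deny tcp host 203.0.113.7 host 192.168.254.21 eq ftp",
    "access-list in permit tcp any host 192.168.254.21 eq ftp",
]
```

Running evaluate(WRONG_ORDER, "203.0.113.7", "192.168.254.21", 21) returns ("permit", 0), while the same packet against RIGHT_ORDER returns ("deny", 0); traffic to a port the list never mentions falls through to the implicit deny.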
03-24-2007 07:07 PM
I might be over complicating things, but, the ACL currently letting all ftp traffic in on my outside interface is already in place.
Do I need to first delete this rule, go back write my 'deny' ACLs, and then re-add my permit rule?
Or can I just add the deny rule(s) to my production PIX?
03-24-2007 08:53 PM
Nothing like your boss coming to you one day and saying, "Here's a PIX. Get it working by Monday."
You the man (or woman...or tech) acomiskey!
YOU and your help are always much appreciated!