Basic access-list question

srberg5219
Level 1

Forgive me for such a basic question...

I currently allow ftp access from my outside interface to the server on my inside interface:

static (inside,outside) 192.168.254.21 192.168.0.60 netmask 255.255.255.255

access-list in permit tcp any host 192.168.254.21 eq ftp

access-group in in interface outside

Now, I don't like restricting based on IP address, but I have noticed 2 or 3 IP addresses (that seem to be static) that are attacking my ftp server.

When I write my access-list 'deny' statement for those IP addresses, am I going to apply it to the outside interface or the inside interface; as I currently allow everyone to access my ftp server from my outside interface...

In what order are access-lists evaluated?

(I'm 40 something and some things are not sinking in as quickly as when I was 20 something)


4 Replies

Jon Marshall
Hall of Fame

Hi

You should apply it on the outside interface access-list. So

access-list in deny tcp host "bad ip address1" host 192.168.254.21 eq ftp

access-list in deny tcp host "bad ip address2" host 192.168.254.21 eq ftp

etc.. for bad ip addresses

access-list in permit tcp any host 192.168.254.21 eq ftp

Know what you mean about things taking longer to sink in :-)

HTH

Jon

I might be over complicating things, but, the ACL currently letting all ftp traffic in on my outside interface is already in place.

Do I need to first delete this rule, go back write my 'deny' ACLs, and then re-add my permit rule?

Or can I just add the deny rule(s) to my production PIX?

The denies must be before the permit any or they won't do anything. It goes from the top down and stops at the first match.
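The two answers above come down to one rule: the PIX walks the access-list from the top, the first entry that matches the packet decides, and a packet that matches nothing hits the implicit deny at the end. A deny that sits below the "permit any" is never reached. The simulator below is an added example (not code from the thread or from Cisco) that models exactly the syntax used in this thread and evaluates the same packet against the two possible orderings, so you can see why simply appending the denies does nothing. The attacker addresses 203.0.113.5 and 203.0.113.9 and the legitimate client 198.51.100.7 are constructed documentation-range addresses, not the OP's. One practical caveat for the follow-up question: on PIX 6.x a newly typed access-list entry is appended to the end of the list, which is the "appended" case below, so the permit has to be removed and re-added after the denies; on PIX 7.x and ASA the `access-list in line 1 deny ...` form inserts an entry at a given position instead.

```python
"""Simulate PIX/ASA access-list evaluation: top-down, first match wins,
implicit deny at the end. Added example, not from the original thread.
Only the syntax the thread uses is modelled:
    access-list NAME {permit|deny} tcp {any|host A.B.C.D} {any|host A.B.C.D} eq {ftp|PORT}
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21}  # 'eq ftp' is TCP/21 on the PIX


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int


def _addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form: {' '.join(tokens[i:])}")


def parse_acl(config, name):
    """Return the ACEs of access-list `name` in the order they appear,
    which is the order the box evaluates them."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 2 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        if action not in ("permit", "deny") or proto != "tcp":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        if t[i] != "eq":
            raise ValueError(f"unsupported port operator in: {line}")
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, src, dst, port))
    return aces


def evaluate(aces, src_ip, dst_ip, dport):
    """Top-down, first match wins. Returns (action, 1-based line of the
    matching ACE); no match means the implicit deny, reported as line None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if s in ace.src and d in ace.dst and dport == ace.dport:
            return ace.action, n
    return "deny", None


# Constructed configs. APPENDED is what the OP's list becomes if the denies are
# just typed in after the existing permit (PIX 6.x appends new entries).
APPENDED = """\
access-list in permit tcp any host 192.168.254.21 eq ftp
access-list in deny tcp host 203.0.113.5 host 192.168.254.21 eq ftp
access-list in deny tcp host 203.0.113.9 host 192.168.254.21 eq ftp
"""

# ORDERED is the layout Jon gives: specific denies first, the broad permit last.
ORDERED = """\
access-list in deny tcp host 203.0.113.5 host 192.168.254.21 eq ftp
access-list in deny tcp host 203.0.113.9 host 192.168.254.21 eq ftp
access-list in permit tcp any host 192.168.254.21 eq ftp
"""


def compare(src_ip, dst_ip="192.168.254.21", dport=21):
    """Evaluate one inbound packet against both orderings of the OP's list."""
    return {
        "appended": evaluate(parse_acl(APPENDED, "in"), src_ip, dst_ip, dport),
        "ordered": evaluate(parse_acl(ORDERED, "in"), src_ip, dst_ip, dport),
    }


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.9", "198.51.100.7"):
        print(ip, compare(ip))
```

Run it and the attacker 203.0.113.5 is permitted by line 1 of the appended list and denied by line 1 of the ordered one; the legitimate client 198.51.100.7 is permitted either way (by line 1 or line 3), and any non-FTP port to the server falls through to the implicit deny in both.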

Nothing like your boss coming to you one day and saying, "Here's a PIX. Get it working by Monday."

You the man (or woman... or tech), acomiskey!

You and your help are always much appreciated!
