PIX 501 access-list deny not working

Apr 17th, 2007

There is someone trying to get access to my FTP server causing slowdowns and event log errors. I have added his IP to my access list deny to that server and he is still able to access the server. What did I do wrong if anything?


access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx

acomiskey Tue, 04/17/2007 - 11:22

Is the acl applied or is there a permit before the deny?

r.mazzella Tue, 04/17/2007 - 11:25

The ACL is applied and there is a permit after the deny. I tried both ways and the little S.O.B. is still getting access.



acomiskey Tue, 04/17/2007 - 11:26

Either that is not the correct source address or something else is wrong; post up the whole ACL.

r.mazzella Tue, 04/17/2007 - 11:35

access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx range 65438 65441
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq pcanywhere-data
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 5632
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq www
access-list joe permit tcp any host 63.xxx.xxx.xxx eq https
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954

acomiskey Tue, 04/17/2007 - 11:50

Do a show access-list joe. Do you have any hits on your deny line? If not then you have the wrong source address or this is not the source of your problem. Is that the entire acl?

mark.hodge Tue, 04/17/2007 - 11:22

A couple of questions:

Is the access list applied to the outside interface?

Is there a permit statement further up in the access list?

Are the counters increasing on the line?

You can verify you have the correct "attacking IP" using the following method:

1. Create an access list to look for traffic to your FTP server

access-list cap1 extended permit tcp any host 63.1.1.1 eq ftp

2. Create a capture to look for traffic using your access list

capture cap1 access-list cap1 interface outside

3. View capture

show capture cap1

mark.hodge Tue, 04/17/2007 - 12:09

I guess it is possible that the attacker already has an open connection, and therefore the access list only gets checked on setup.

Run "sh conn" and "sh xlate" and check.

You could run "clear xlate" but this would cause an interruption for all users.
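The two points raised in this thread (a permit above the deny wins because the ACL is matched first-match, and a connection opened before the deny was added keeps flowing until it is torn down) are easy to see in a small model. The Python below is an added example, not code from the thread or from Cisco: it parses the ACL syntax quoted in the posts, keeps a hit counter per entry like the hitcnt column of "show access-list", applies the implicit deny at the end, and uses a connection table that is consulted instead of the ACL for non-SYN packets. The server address 63.0.2.1 is a placeholder for the masked 63.xxx.xxx.xxx, and the connection-table behaviour is a deliberate simplification of what the PIX does.

```python
"""Simplified model of PIX ACL evaluation: first match wins, every entry has a
hit counter, an implicit deny sits at the end, and packets of an established
flow are decided by the connection table without consulting the ACL again.
Added example for this thread, not PIX code. 63.0.2.1 is a placeholder."""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "www": 80, "https": 443, "pcanywhere-data": 5631}
ATTACKER = "12.164.17.130"   # source address quoted in the thread
SERVER = "63.0.2.1"          # placeholder for the masked 63.xxx.xxx.xxx


@dataclass
class Entry:
    action: str               # "permit" or "deny"
    src: Optional[str]        # None means "any"
    dst: Optional[str]
    port_op: Optional[str]    # "eq", "gt", "range" or None (any port)
    ports: tuple
    hits: int = 0             # the hitcnt shown by "show access-list"

    def matches(self, src, dst, dport):
        if self.src is not None and self.src != src:
            return False
        if self.dst is not None and self.dst != dst:
            return False
        if self.port_op == "eq":
            return dport == self.ports[0]
        if self.port_op == "gt":
            return dport > self.ports[0]
        if self.port_op == "range":
            return self.ports[0] <= dport <= self.ports[1]
        return True


def _addr(tokens):
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {tok}")


def parse_acl(text):
    """Parse: access-list NAME [extended] ACTION tcp SRC DST [eq|gt PORT | range LO HI]."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        t = t[2:]                       # drop "access-list NAME"
        if t[0] == "extended":
            t.pop(0)
        action, _proto = t.pop(0), t.pop(0)
        src, dst = _addr(t), _addr(t)
        port_op, ports = None, ()
        if t:
            port_op = t.pop(0)
            n = 2 if port_op == "range" else 1
            ports = tuple(PORT_NAMES.get(p) or int(p) for p in (t.pop(0) for _ in range(n)))
        entries.append(Entry(action, src, dst, port_op, ports))
    return entries


class Pix:
    def __init__(self, acl):
        self.acl = acl
        self.conns = set()              # established flows, as "sh conn" would list them

    def packet(self, src, dst, dport, syn):
        key = (src, dst, dport)
        if not syn:                     # mid-stream: connection table decides, ACL not consulted
            return "permit" if key in self.conns else "deny"
        for e in self.acl:              # first match wins and bumps that entry's counter
            if e.matches(src, dst, dport):
                e.hits += 1
                if e.action == "permit":
                    self.conns.add(key)
                return e.action
        return "deny"                   # implicit deny at the end of every ACL

    def show_access_list(self):
        return [(e.action, e.hits) for e in self.acl]

    def clear_xlate(self):              # tears down existing connections (simplified)
        self.conns.clear()


DENY_FIRST = f"""
access-list joe deny tcp host {ATTACKER} host {SERVER}
access-list joe permit tcp any host {SERVER} eq ftp
"""
PERMIT_FIRST = f"""
access-list joe permit tcp any host {SERVER} eq ftp
access-list joe deny tcp host {ATTACKER} host {SERVER}
"""


def first_match(acl_text):
    """Send the attacker's FTP SYN through an ACL; return (verdict, counters)."""
    pix = Pix(parse_acl(acl_text))
    return pix.packet(ATTACKER, SERVER, 21, syn=True), pix.show_access_list()


def existing_connection():
    """A flow opened before the deny was added survives until the xlate is cleared."""
    pix = Pix(parse_acl(f"access-list joe permit tcp any host {SERVER} eq ftp"))
    pix.packet(ATTACKER, SERVER, 21, syn=True)      # attacker connects while still permitted
    pix.acl = parse_acl(DENY_FIRST)                 # operator now adds the deny on top
    before = pix.packet(ATTACKER, SERVER, 21, syn=False)
    pix.clear_xlate()
    after = pix.packet(ATTACKER, SERVER, 21, syn=False)
    return before, after


if __name__ == "__main__":
    print("permit above deny:", first_match(PERMIT_FIRST))
    print("deny above permit:", first_match(DENY_FIRST))
    print("existing conn, then clear xlate:", existing_connection())
```

With the deny above the permit the attacker's SYN increments the deny counter and is dropped; with the deny below, the "permit tcp any ... eq ftp" line matches first and the deny counter stays at 0, which is exactly what a zero hitcnt on "show access-list joe" would tell you. The second function shows why a deny that is correctly placed can still appear not to work: the packets belong to a connection that was admitted earlier, and only clearing it forces a fresh ACL check.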

r.mazzella Tue, 04/17/2007 - 11:38

Never done a capture before. I would need assistance.

bahoosh Wed, 04/18/2007 - 12:10

Well, try this:

"shun 12.164.17.130" - remember the shun command cannot be saved, therefore it will not be there after a reload.

Very rarely on 6.x code (501s only run 6.x and down) I've seen commands that just don't take effect ... sometimes you have to take it out and reapply it ... try that ..


