PIX 501 access-list deny not working

r.mazzella
Level 1

There is someone trying to get access to my FTP server causing slowdowns and event log errors. I have added his IP to my access list deny to that server and he is still able to access the server. What did I do wrong if anything?

access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx

13 Replies

acomiskey
Level 10

Is the acl applied or is there a permit before the deny?

The acl is applied and there is a permit after the deny. I tried both ways and the little S.O.B is still getting access.

Either that is not the correct source address or something else is wrong, post up the whole acl.

access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx range 65438 65441
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq pcanywhere-data
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 5632
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq www
access-list joe permit tcp any host 63.xxx.xxx.xxx eq https
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954

Do a show access-list joe. Do you have any hits on your deny line? If not then you have the wrong source address or this is not the source of your problem. Is that the entire acl?

mark.hodge
Level 1

A couple of questions:

Is the access list applied to the outside interface?

Is there a permit statement further up in the access list?

Are the counters increasing on the line?

jwalker
Level 3

You need to apply this access list to an interface (most likely the outside in your case) using the access-group command. Here is an example:

access-group joe in interface outside

Please rate if this helps.

Jay

that is exactly what I have in already

jwalker
Level 3

You can verify you have the correct "attacking IP" using the following method:

1. Create an access list to look for traffic to your FTP server (PIX 6.x has no "extended" keyword, so the line is written in 6.x syntax)

access-list cap1 permit tcp any host 63.1.1.1 eq ftp

2. Create a capture to look for traffic using your access list

capture cap1 access-list cap1 interface outside

3. View the capture

show capture cap1

it comes up in my ftp logfile.

I guess it is possible that the attacker already has an open connection, and therefore the access list only gets checked on setup.

run "sh conn" and "sh xlate" and check.

You could run "clear xlate" but this would cause an interruption for all users.
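To make the open-connection point concrete, here is an added example (not from the thread or from Cisco) of a toy stateful firewall in Python: a first-match ACL with an implicit deny, plus a connection table that is consulted before the ACL, which is how the PIX treats packets belonging to an established connection. The server address 63.0.0.1 and the client 198.51.100.7 are constructed stand-ins; the denied source is the one quoted in the thread.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: str               # host address or "any"
    dst: str
    dport: Optional[int]   # None matches any destination port

Flow = namedtuple("Flow", "src dst dport")   # one TCP connection, client -> server

class StatefulFirewall:
    def __init__(self, acl):
        self.acl = list(acl)
        self.hits = {}          # per-ACE hit counters, as in "show access-list"
        self.conns = set()      # established connections, as in "show conn"

    def packet(self, flow):
        if flow in self.conns:  # existing connection: the ACL is not consulted
            return "pass"
        for ace in self.acl:    # new connection: first matching ACE wins
            if (ace.src in ("any", flow.src) and ace.dst in ("any", flow.dst)
                    and ace.dport in (None, flow.dport)):
                self.hits[ace] = self.hits.get(ace, 0) + 1
                if ace.action == "permit":
                    self.conns.add(flow)
                return ace.action
        return "deny"           # implicit deny at the end of every ACL

    def clear_conns(self):      # tears down all connections, like "clear xlate"
        self.conns.clear()

FTP_SERVER = "63.0.0.1"        # constructed stand-in for the poster's 63.xxx.xxx.xxx
ATTACKER = "12.164.17.130"     # source address quoted in the thread

def scenario():
    fw = StatefulFirewall([Ace("permit", "any", FTP_SERVER, 21)])
    attack = Flow(ATTACKER, FTP_SERVER, 21)
    before = fw.packet(attack)                     # permit: connection created
    deny = Ace("deny", ATTACKER, FTP_SERVER, None)
    fw.acl.insert(0, deny)                         # admin adds the deny line at the top
    still = fw.packet(attack)                      # pass: open conn bypasses the deny
    hits_while_open = fw.hits.get(deny, 0)         # 0: deny line shows no hits yet
    fw.clear_conns()
    after = fw.packet(attack)                      # deny: new setup is evaluated
    other = fw.packet(Flow("198.51.100.7", FTP_SERVER, 21))   # other clients still permitted
    return before, still, hits_while_open, after, fw.hits[deny], other
```

The zero hit count on the deny line while the connection is open is exactly the symptom a "show access-list joe" would show in this situation.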

never done a capture before. I would need assistance.

well try this

"shun 12.164.17.130" - remember the shun command cannot be saved, therefore it will not be there after a reload

very rarely on 6.x code (501s only run 6.x and down) I've seen commands that just don't take effect ... sometimes you have to take it out and reapply it ... try that ..
