PIX 515E to block ip of a subnet

Answered Question

I have a PIX 515E and would like to block traffic from certain IP subnets.

I am receiving so many hits from there to my email server's SMTP port.

I manually blocked IPs, e.g.:

125.110.102.86    IPs from China creating spam on my mail server.
220.190.41.132

Instead of each IP I want to block 125.110.0.0 and 220.190.0.0.

How can I get this done?

Jon Marshall Tue, 01/19/2010 - 09:00


Not sure what you are asking here.

If you are already blocking certain hosts, e.g.

access-list outside_in deny tcp host 125.110.102.86 host <mail-server-public-ip> eq 25

then to block a subnet simply change the first bit of your acl, i.e.

access-list outside_in deny tcp 125.110.0.0 255.255.0.0 host <mail-server-public-ip> eq 25

or have I misunderstood the requirement?

Jon

Thanks for the response Jon.

I am not very familiar with PIX, but from the web interface (PDM) I added a rule like this and it's blocking traffic from that IP:

access-list acl_out_to_in line 40 extended deny object-group DM_INLINE_SERVICE_1 host 125.110.102.86 any 0x960c8531
access-list acl_out_to_in line 40 extended deny ip host 125.110.102.86 any (hitcnt=21650) 0x47f4e704
access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any (hitcnt=0) 0xe6059313
access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any eq smtp (hitcnt=0) 0x7e703e53

What I would like to do is block everything from the IP range 125.110.102.0 - 125.110.102.255, all hosts. Is it possible?

Correct Answer
Jon Marshall Tue, 01/19/2010 - 09:28



access-list acl_out_to_in deny tcp 125.110.102.0 255.255.255.0 any eq smtp

Note: instead of "any" you could actually put the SMTP server address - its public IP.

If you want to deny all IP:

access-list acl_out_to_in deny ip 125.110.102.0 255.255.255.0 any

but be aware that this will stop all IP connections from that subnet to any of your IP addresses.

Jon
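As an added example (not from the thread and not Cisco software), here is a small Python simulator that applies PIX-style first-match ACL semantics to the three entry forms discussed in the replies: the SMTP-only deny for the /24, the deny-all-IP variant for the same /24, and the wider 125.110.0.0 255.255.0.0 block the original question asked for. The ACL name acl_out_to_in and the 125.110.x.x / 220.190.x.x addresses come from the thread; the mail server address 203.0.113.25, the permit entries, the sample connections and the small service-keyword table are constructed assumptions. Running candidate entries through something like this before pushing them to the firewall shows which sources a given mask actually covers, which protocols a `deny ip` entry catches that a `deny tcp ... eq smtp` entry does not, and that the implicit deny at the end of the list still applies to anything no entry permits.

```python
import ipaddress

# Service keywords PIX accepts after "eq"; a constructed subset for this example.
SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53}

# Constructed placeholder for the mail server's public IP (RFC 5737 documentation range).
MAIL_SERVER = "203.0.113.25"


def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D', or 'A.B.C.D MASK')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX/ASA ACLs take a real subnet mask (255.255.255.0), not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one access-list entry into a dict; raises ValueError on unsupported syntax."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    name, rest = tokens[1], tokens[2:]
    if rest[0] == "extended":  # PIX 7.x / ASA print this keyword; the older syntax omits it
        rest = rest[1:]
    action, proto = rest[0], rest[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported action or protocol in {line!r}")
    src, rest = _parse_addr(rest[2:])
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = SERVICE_PORTS.get(rest[1]) or int(rest[1])
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def build_acl(lines):
    return [parse_ace(line) for line in lines]


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation, top to bottom, ending in the implicit deny PIX appends
    to every ACL. Returns (action, index of the matching entry); index is None when
    the implicit deny is what dropped the packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], idx
    return "deny", None


# Constructed permit entries standing in for whatever already allows mail and HTTPS in.
PERMITS = [
    f"access-list acl_out_to_in permit tcp any host {MAIL_SERVER} eq smtp",
    f"access-list acl_out_to_in permit tcp any host {MAIL_SERVER} eq https",
]

# Form 1 from the thread: SMTP only, from the /24 the poster mentioned.
SMTP_ONLY_ACL = build_acl(
    ["access-list acl_out_to_in deny tcp 125.110.102.0 255.255.255.0 any eq smtp"] + PERMITS)

# Form 2 from the thread: every IP protocol from that /24.
ALL_IP_ACL = build_acl(
    ["access-list acl_out_to_in deny ip 125.110.102.0 255.255.255.0 any"] + PERMITS)

# The wider block the original question asked for (125.110.0.0 with a /16 mask).
WIDE_ACL = build_acl(
    ["access-list acl_out_to_in deny tcp 125.110.0.0 255.255.0.0 any eq smtp"] + PERMITS)


if __name__ == "__main__":
    # Constructed sample connections: addresses from the thread plus one neighbour in the /16.
    samples = [("tcp", "125.110.102.86", 25), ("tcp", "125.110.102.86", 443),
               ("udp", "125.110.102.9", 53), ("tcp", "125.110.77.5", 25),
               ("tcp", "220.190.41.132", 25)]
    for label, acl in (("smtp-only /24", SMTP_ONLY_ACL), ("all-ip /24", ALL_IP_ACL),
                       ("smtp-only /16", WIDE_ACL)):
        print(f"== {label}")
        for proto, src, port in samples:
            action, idx = evaluate(acl, proto, src, MAIL_SERVER, port)
            where = "implicit deny" if idx is None else f"entry {idx}"
            print(f"  {proto} {src} -> {MAIL_SERVER}:{port}: {action} ({where})")
```

Two points the output makes visible: the /24 entries never touch 125.110.77.5 or 220.190.41.132, so the poster's original request needs a 255.255.0.0 mask (and a second entry for 220.190.0.0); and only the `deny ip` form stops the UDP and HTTPS samples. Entry order also matters on the real firewall: the deny entries above sit in front of the permits, and a deny inserted after a broader permit (for example at a later PDM line number) never fires.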
