PIX 515E to block ip of a subnet

bhavesh20
Level 1

I have a PIX 515E and would like to block traffic of certain IP subnets.

I am receiving so many hits from there to my email server SMTP port.

I manually blocked IP

Ex.

125.110.102.86    IPs from China and creating spam on my mail server.

220.190.41.132

Instead of each IP I want to block 125.110.0.0 and 220.190.0.0

How can I get this done?

Jon Marshall
Hall of Fame

Not sure what you are asking here.

If you are already blocking certain hosts, e.g.

access-list outside_in deny tcp host 125.110.102.86 host <mail-server-ip> eq 25

then to block a subnet simply change the first bit of your ACL, i.e.

access-list outside_in deny tcp 125.110.0.0 255.255.0.0 host <mail-server-ip> eq 25

Or have I misunderstood the requirement?

Jon

Thanks for the response, Jon.

I am not very familiar with PIX, but from the web interface (PDM) I added a rule like this and it's blocking traffic from that IP:

access-list acl_out_to_in line 40 extended deny object-group DM_INLINE_SERVICE_1 host 125.110.102.86 any 0x960c8531
  access-list acl_out_to_in line 40 extended deny ip host 125.110.102.86 any (hitcnt=21650) 0x47f4e704
  access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any (hitcnt=0) 0xe6059313
  access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any eq smtp (hitcnt=0) 0x7e703e53

What I would like to do is block everything from the IP 125.110.102.0 - 125.110.102.255, all hosts. Is it possible?

access-list acl_out_to_in deny tcp 125.110.102.0 255.255.255.0 any eq smtp

Note: instead of "any" you could actually put the SMTP server address - its public IP.

If you want to deny all IP:

access-list acl_out_to_in deny ip 125.110.102.0 255.255.255.0 any

but be aware that this will stop all IP connections from that subnet to any of your IP addresses.

Jon

Isn't the order as to where you put deny statements of importance?

Also, how would I add a conduit line at the very top of the list, so that it is in the correct order?

Here is an example that will NOT block these IPs, as it is on the bottom of the "permit" list:

conduit permit tcp host 12.43.x.xx eq ssh any
conduit permit tcp host 12.43.x.xx eq ftp any
conduit deny tcp host 212.70.149.82 any
conduit deny tcp host 212.70.149.51 any
conduit deny tcp any any
conduit deny udp any any
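
An added example, not part of any post in this thread: a small Python model of top-down, first-match access-list evaluation, showing that the subnet deny from Jon's answer only takes effect when it sits above a permit covering the same SMTP traffic. It models access-list entries only (not conduits) and parses just the subset of syntax seen in this thread; the mail-server address 192.0.2.25 and the permit entry are constructed.

```python
import ipaddress

PORTS = {"smtp": 25, "ftp": 21, "ssh": 22}   # the service names used in this thread


def _addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'NET MASK'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # Subnet mask as in the thread (255.255.255.0); raises ValueError if host bits are set.
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' (subset only)."""
    action, proto, *rest = line.split()[2:]
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port


def evaluate(acl, proto, src, dst, dport):
    """Top-down, first match wins; returns (action, 1-based entry) or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl, 1):
        action, p, snet, dnet, port = parse_ace(line)
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action, n
    return "deny", None


MAIL = "192.0.2.25"  # constructed mail-server address (documentation range)
PERMIT = f"access-list acl_out_to_in permit tcp any host {MAIL} eq smtp"  # constructed
DENY = "access-list acl_out_to_in deny tcp 125.110.102.0 255.255.255.0 any eq smtp"

DENY_BELOW_PERMIT = [PERMIT, DENY]   # deny is never reached for SMTP to the mail server
DENY_ABOVE_PERMIT = [DENY, PERMIT]   # deny is matched first

if __name__ == "__main__":
    for name, acl in (("deny below", DENY_BELOW_PERMIT), ("deny above", DENY_ABOVE_PERMIT)):
        print(name, evaluate(acl, "tcp", "125.110.102.86", MAIL, 25))
```

The `line 40` shown in the access-list output quoted earlier in the thread is that entry's position in this evaluation order.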
