I have an IP from the internet that I want to deny access to my network; however, I am having issues with my access-list statement. Below is what I am trying, but it is not stopping his access. Any help is appreciated.
access-list acl_outside deny tcp host 22.214.171.124 any (hitcnt=0)
access-list acl_outside deny tcp host 126.96.36.199 host 188.8.131.52 eq www (hitcnt=0)
access-list acl-outside deny udp host 184.108.40.206 any (hitcnt=0)
access-list acl-outside deny tcp host 220.127.116.11 any (hitcnt=0)
access-list acl-outside deny tcp host 18.104.22.168 eq www host 22.214.171.124 (hitcnt=0)
access-list acl-outside deny ip host 126.96.36.199 host 188.8.131.52 (hitcnt=0)
where 184.108.40.206 is the host I want to block from my entire network, or specifically from 220.127.116.11.
Also curious in what direction the PIX reads the access-list; bottom to top, I'm assuming, since the bottom is where the deny statements are?
The PIX reads the ACL from top to bottom, exiting when it sees the first match. If you have a permit above these lines that permits access from "any", then these lines at the bottom will never be seen.
Your best bet is to cut/paste your current ACL into a text file, add the following line TO THE TOP of the list, then remove the ACL from your PIX and cut/paste your new one back in.
> access-list acl_outside deny ip host 18.104.22.168 any
To get rid of your current ACL just do:
> no access-list acl_outside
Then, as I said, cut/paste your new one back in. Also check your access-list name: half of the access-list entries you've shown us in your post are called "acl_outside" (note the underscore) and half are "acl-outside" (note the dash). Make sure you check which access-list name is applied to the outside interface and match it up correctly.
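The two problems the answer points out (a permit above the denies, and two different ACL names) can both be reproduced with a small first-match evaluator. The script below is an added example written for this page; it is not code from the thread and does not talk to a PIX. It models the PIX rules the answer describes (top-to-bottom, first match wins, implicit deny at the end, only the list bound to the interface is consulted) and replays the question's entries. The `permit ip any any` line placed above the posted denies is an assumption about what the rest of the poster's ACL looks like, the `PORT_NAMES` table is a minimal stand-in for the PIX's service-name lookup, and the sample packets are constructed for the demonstration.

```python
"""First-match ACL model of PIX behaviour (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed name-to-port table standing in for the PIX service-name lookup.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    name: str              # ACL name; only entries under the bound name are consulted
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: Optional[str]     # None means "any"
    sport: Optional[int]   # None means any port
    dst: Optional[str]
    dport: Optional[int]
    hits: int = 0          # the "hitcnt" that 'show access-list' prints


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr(tokens: List[str], i: int):
    """Parse 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = str(ipaddress.ip_address(tokens[i + 1])), i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]!r}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        port, i = (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return addr, port, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny ip|tcp|udp SRC [eq P] DST [eq P]'.
    A trailing '(hitcnt=N)' from 'show access-list' output is ignored."""
    tokens = line.split("(")[0].split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported action/protocol: {line!r}")
    src, sport, i = _addr(tokens, 4)
    dst, dport, i = _addr(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in {line!r}")
    return Ace(name, action, proto, src, sport, dst, dport)


def _matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and (ace.src is None or ace.src == pkt.src)
            and (ace.dst is None or ace.dst == pkt.dst)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(bound_name: str, entries: List[Ace], pkt: Packet) -> str:
    """Top to bottom; the first match decides and takes the hit. Entries under
    another ACL name are invisible. No match falls to the implicit deny."""
    for ace in entries:
        if ace.name == bound_name and _matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny"


# The entries from the question, with an ASSUMED 'permit ip any any' above them.
POSTED = [
    "access-list acl_outside permit ip any any",
    "access-list acl_outside deny tcp host 22.214.171.124 any",
    "access-list acl_outside deny tcp host 126.96.36.199 host 188.8.131.52 eq www",
    "access-list acl-outside deny udp host 184.108.40.206 any",
    "access-list acl-outside deny tcp host 220.127.116.11 any",
    "access-list acl-outside deny tcp host 18.104.22.168 eq www host 22.214.171.124",
    "access-list acl-outside deny ip host 126.96.36.199 host 188.8.131.52",
]


def demo() -> dict:
    """Replay the question as posted, then with the answer's fix applied."""
    web = Packet("tcp", "184.108.40.206", "220.127.116.11", sport=40000, dport=80)
    # 1. As posted: the permit matches first, every deny keeps hitcnt=0.
    posted = [parse_ace(l) for l in POSTED]
    posted_action = evaluate("acl_outside", posted, web)
    posted_deny_hits = sum(a.hits for a in posted if a.action == "deny")
    # 2. Fixed: the deny line the answer suggests, placed at the top.
    fixed = [parse_ace("access-list acl_outside deny ip host 184.108.40.206 any")]
    fixed += [parse_ace(l) for l in POSTED]
    fixed_action = evaluate("acl_outside", fixed, web)
    # 3. Name mismatch alone: 'acl-outside' is never consulted while
    #    'acl_outside' is the list bound to the interface.
    dns = Packet("udp", "184.108.40.206", "220.127.116.11", sport=5000, dport=53)
    dashed = [parse_ace("access-list acl-outside deny udp host 184.108.40.206 any")]
    named = [parse_ace("access-list acl_outside deny udp host 184.108.40.206 any")]
    evaluate("acl_outside", dashed, dns)
    evaluate("acl_outside", named, dns)
    return {"posted_action": posted_action,        # "permit"
            "posted_deny_hits": posted_deny_hits,  # 0
            "fixed_action": fixed_action,          # "deny"
            "fixed_top_hits": fixed[0].hits,       # 1
            "dashed_hits": dashed[0].hits,         # 0
            "named_hits": named[0].hits}           # 1


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The zero hit counts in the posted output are the tell: a deny that never increments either sits below a broader permit or belongs to a list that is not bound to the interface, and the model reproduces both outcomes. On the real box the check is the same: look at `show access-list` after generating the traffic and see which entry took the hit.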