PIX Access List Deny Statement Issues

Answered Question
Jul 30th, 2003

I have an IP from the internet that I want to deny access to my network, however, I am having issues with my access-list statement. Below is what I am trying, but it is not stopping his access. Any help is appreciated.


access-list acl_outside deny tcp host 216.17.156.110 any (hitcnt=0)

access-list acl_outside deny tcp host 216.17.156.110 host 216.183.97.151 eq www (hitcnt=0)

access-list acl-outside deny udp host 216.17.156.110 any (hitcnt=0)

access-list acl-outside deny tcp host 216.17.156.110 any (hitcnt=0)

access-list acl-outside deny tcp host 216.17.156.110 eq www host 216.183.97.151 (hitcnt=0)

access-list acl-outside deny ip host 216.17.156.110 host 216.183.97.151 (hitcnt=0)


Where 216.17.156.110 is the host I want to block from my entire network, or specifically from 216.183.97.151.



Also curious what direction the PIX reads the access-list in: bottom to top, I'm assuming, since the bottom is where the deny statements are?

Correct Answer
gfullage Wed, 07/30/2003 - 21:17
User Badges:
  • Cisco Employee,

The PIX reads the ACL from top to bottom, exiting out when it sees the first match. If you have a permit above these lines that permits access from "any" then these lines at the bottom will never be seen.


Your best bet is to cut/paste your current ACL into a text file, add the following line TO THE TOP of the list, then remove the ACL from your PIX and cut/paste your new one back in.


> access-list acl_outside deny ip host 216.17.156.110 any


To get rid of your current ACL just do:


> no access-list acl_outside


then as I said, cut/paste your new one back in. Also make sure of your access-list name, half the access-list you've shown us in your post is called "acl_outside" (note the underscore) and half of them are "acl-outside" (note the dash). Make sure you check what access-list name is applied to the outside interface and match it up correctly.

tvanginneken Wed, 07/30/2003 - 23:19
User Badges:
  • Silver, 250 points or more

Hi,


did you apply the access-list to the outside interface? To do this, use the access-group command:


"access-group acl-outside in interface outside"


Kind Regards,

Tom

wolfrikk Thu, 08/07/2003 - 09:43

If you want to deny all traffic from that host I would add the following command.


access-list acl_outside deny ip host 216.17.156.110 any


That will deny all IP traffic, not just TCP and UDP.
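To make the three points raised in this thread concrete (the PIX walks the ACL top to bottom and stops at the first match, entries under a different name than the one in access-group are never consulted, and "ip" covers protocols that "tcp"/"udp" entries do not), here is a small first-match ACL simulator. It is an added example, not PIX code and not anything the posters wrote. The "permit tcp any ... eq www" line placed above the denies is an assumption taken from gfullage's "if you have a permit above these lines"; the packets are constructed; and the access-group binding is modelled as a plain name lookup. Only the "host"/"any" address specs and "eq" port specs used in the thread are parsed.

```python
"""First-match ACL simulator: why the poster's deny lines show hitcnt=0.

Added example, not PIX code. Models only what the thread discusses:
top-to-bottom first match, the implicit deny at the end, one named ACL bound
to an interface, "host"/"any" address specs and "eq" port specs.
"""
from __future__ import annotations
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, otherwise exact match
    src: str               # "any" or a host address
    dst: str
    sport: int | None = None
    dport: int | None = None
    hitcnt: int = 0        # incremented like the PIX "hitcnt=" counter

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and self.src in ("any", pkt["src"])
                and self.dst in ("any", pkt["dst"])
                and (self.sport is None or self.sport == pkt.get("sport"))
                and (self.dport is None or self.dport == pkt.get("dport")))


def parse_ace(line: str) -> tuple[str, Ace]:
    """Parse 'access-list NAME ACTION PROTO SRC [eq P] DST [eq P]'.
    Trailing text such as '(hitcnt=0)' from show output is ignored."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    name, action, proto = toks[1], toks[2], toks[3]
    pos = 4

    def addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address spec: {' '.join(toks[pos:])}")

    def port():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return _port(toks[pos - 1])
        return None

    src, sport, dst, dport = addr(), port(), addr(), port()
    return name, Ace(action, proto, src, dst, sport, dport)


def build_acls(lines: list[str]) -> dict[str, list[Ace]]:
    """Group ACEs by ACL name, keeping the order they were typed in."""
    acls: dict[str, list[Ace]] = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def evaluate(acls: dict[str, list[Ace]], bound_name: str, pkt: dict) -> str:
    """First match wins. An ACL whose name is not the one applied with
    access-group is never consulted; no match at all is the implicit deny."""
    for ace in acls.get(bound_name, []):
        if ace.matches(pkt):
            ace.hitcnt += 1
            return ace.action
    return "deny"


BLOCKED, SERVER = "216.17.156.110", "216.183.97.151"

# Constructed reconstruction of the poster's ACL: the permit on top is the
# assumption gfullage raises; the denies and the mixed names are from the post.
ORIGINAL = [
    f"access-list acl_outside permit tcp any host {SERVER} eq www",
    f"access-list acl_outside deny tcp host {BLOCKED} any",
    f"access-list acl_outside deny tcp host {BLOCKED} host {SERVER} eq www",
    f"access-list acl-outside deny udp host {BLOCKED} any",
    f"access-list acl-outside deny ip host {BLOCKED} host {SERVER}",
]
# gfullage's fix: a single "deny ip" for the host at the very top, one name.
FIXED = [
    f"access-list acl_outside deny ip host {BLOCKED} any",
    f"access-list acl_outside permit tcp any host {SERVER} eq www",
]
# Constructed packets arriving on the outside interface.
PACKETS = [
    {"proto": "tcp", "src": BLOCKED, "dst": SERVER, "sport": 40001, "dport": 80},
    {"proto": "udp", "src": BLOCKED, "dst": SERVER, "sport": 40002, "dport": 53},
    {"proto": "icmp", "src": BLOCKED, "dst": SERVER},
    {"proto": "tcp", "src": "198.51.100.7", "dst": SERVER, "sport": 40003, "dport": 80},
]


def run_scenario(lines, bound_name="acl_outside", packets=PACKETS):
    """Return the verdict per packet and the hitcnt of every ACE, by name."""
    acls = build_acls(lines)
    verdicts = [evaluate(acls, bound_name, dict(p)) for p in packets]
    return verdicts, {n: [a.hitcnt for a in aces] for n, aces in acls.items()}


if __name__ == "__main__":
    for label, lines in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, *run_scenario(lines))
```

With the original ordering the blocked host's HTTP request is permitted by the first line and every deny keeps hitcnt 0, exactly the symptom in the question; the "acl-outside" entries stay at 0 whatever the traffic because that name is not the one bound. With the deny moved to the top, TCP, UDP and ICMP from the host are all stopped by the single "deny ip" entry while other clients still reach the web server.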
