07-30-2003 08:09 PM - last edited on 02-21-2020 11:14 PM by cc_security_adm
I have an IP address from the internet that I want to deny access to my network; however, I am having issues with my access-list statement. Below is what I am trying, but it is not stopping his access. Any help is appreciated.
access-list acl_outside deny tcp host 216.17.156.110 any (hitcnt=0)
access-list acl_outside deny tcp host 216.17.156.110 host 216.183.97.151 eq www (hitcnt=0)
access-list acl-outside deny udp host 216.17.156.110 any (hitcnt=0)
access-list acl-outside deny tcp host 216.17.156.110 any (hitcnt=0)
access-list acl-outside deny tcp host 216.17.156.110 eq www host 216.183.97.151 (hitcnt=0)
access-list acl-outside deny ip host 216.17.156.110 host 216.183.97.151 (hitcnt=0)
Where 216.17.156.110 is the host I want to block from my entire network, or specifically from 216.183.97.151.
Also, I am curious in what direction the PIX reads the access-list: from bottom to top, I assume, since the bottom is where the deny statements are?
07-30-2003 09:17 PM
The PIX reads the ACL from top to bottom, exiting out when it sees the first match. If you have a permit above these lines that permits access from "any" then these lines at the bottom will never be seen.
Your best bet is to cut/paste your current ACL into a text file, add the following line TO THE TOP of the list, then remove the ACL from your PIX and cut/paste your new one back in.
> access-list acl_outside deny ip host 216.17.156.110 any
To get rid of your current ACL just do:
> no access-list acl_outside
then as I said, cut/paste your new one back in. Also make sure of your access-list name, half the access-list you've shown us in your post is called "acl_outside" (note the underscore) and half of them are "acl-outside" (note the dash). Make sure you check what access-list name is applied to the outside interface and match it up correctly.
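To make the first-match point concrete, here is an added example (not from the thread and not Cisco's code): a small Python model of how a PIX walks an access-list top to bottom, stops at the first matching entry and bumps that entry's hit counter. It assumes a "permit ... any" line sits above the poster's deny entries, which the thread does not show; the ACL names, the access-group line and the two addresses are the ones in the thread, and the packets are constructed. It also covers the later answer's point that "deny ip" catches traffic that "deny tcp" and "deny udp" let through, and the name mismatch between acl_outside and acl-outside.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"www": 80}  # port keyword used in the thread


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # host address or "any"
    dst: str                     # host address or "any"
    sport: Optional[int] = None  # "eq PORT" after the source, None = any
    dport: Optional[int] = None  # "eq PORT" after the destination, None = any
    hitcnt: int = 0              # mirrors the (hitcnt=N) column of 'show access-list'


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse_ace(line: str):
    """Parse the subset of syntax seen in the thread; return (acl_name, Ace)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
    fields = []
    for _ in range(2):  # source, then destination, each optionally followed by "eq PORT"
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
        else:
            addr, rest = rest[0], rest[1:]
        port = None
        if rest[:1] == ["eq"]:
            port, rest = _port(rest[1]), rest[2:]
        fields.append((addr, port))
    (src, sport), (dst, dport) = fields
    return name, Ace(action, proto, src, dst, sport, dport)


def matches(ace: Ace, pkt: dict) -> bool:
    """A 'proto ip' entry matches every IP protocol; others must match exactly."""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.src != "any" and ace.src != pkt["src"]:
        return False
    if ace.dst != "any" and ace.dst != pkt["dst"]:
        return False
    if ace.sport is not None and ace.sport != pkt.get("sport"):
        return False
    if ace.dport is not None and ace.dport != pkt.get("dport"):
        return False
    return True


class Pix:
    """Simplified model of PIX ACL evaluation (assumption: first match wins, implicit deny)."""

    def __init__(self, config: List[str]):
        self.acls: Dict[str, List[Ace]] = {}
        self.applied: Dict[str, str] = {}  # interface -> ACL name bound with access-group
        for line in config:
            tok = line.split()
            if tok[0] == "access-list":
                name, ace = parse_ace(line)
                self.acls.setdefault(name, []).append(ace)
            elif tok[0] == "access-group":  # access-group NAME in interface IFACE
                self.applied[tok[4]] = tok[1]
            else:
                raise ValueError(line)

    def inbound(self, iface: str, pkt: dict) -> str:
        name = self.applied.get(iface)
        if name is None:
            return "no-acl"  # nothing bound to the interface; the ACL is never consulted
        for ace in self.acls.get(name, []):
            if matches(ace, pkt):
                ace.hitcnt += 1
                return ace.action  # first match wins; later lines are never reached
        return "deny"  # implicit deny at the end of every ACL

    def hitcounts(self, name: str) -> List[int]:
        return [a.hitcnt for a in self.acls.get(name, [])]


ATTACKER, SERVER = "216.17.156.110", "216.183.97.151"  # addresses from the thread
WEB = {"proto": "tcp", "src": ATTACKER, "dst": SERVER, "sport": 40000, "dport": 80}  # constructed
PING = {"proto": "icmp", "src": ATTACKER, "dst": SERVER}                              # constructed


def posted_order():
    """Assumed permit-any line above the poster's denies: the denies keep hitcnt=0."""
    pix = Pix([
        "access-list acl_outside permit tcp any host 216.183.97.151 eq www",  # assumed
        "access-list acl_outside deny tcp host 216.17.156.110 any",
        "access-list acl_outside deny ip host 216.17.156.110 host 216.183.97.151",
        "access-group acl_outside in interface outside",
    ])
    return pix.inbound("outside", WEB), pix.hitcounts("acl_outside")


def deny_on_top():
    """The answer's fix: the deny ip line first, so it is hit before any permit."""
    pix = Pix([
        "access-list acl_outside deny ip host 216.17.156.110 any",
        "access-list acl_outside permit tcp any host 216.183.97.151 eq www",  # assumed
        "access-group acl_outside in interface outside",
    ])
    return pix.inbound("outside", WEB), pix.inbound("outside", PING), pix.hitcounts("acl_outside")


def tcp_only_deny():
    """deny tcp + deny udp still let other IP protocols (here ICMP) reach later lines."""
    pix = Pix([
        "access-list acl_outside deny tcp host 216.17.156.110 any",
        "access-list acl_outside deny udp host 216.17.156.110 any",
        "access-list acl_outside permit ip any host 216.183.97.151",  # assumed
        "access-group acl_outside in interface outside",
    ])
    return pix.inbound("outside", WEB), pix.inbound("outside", PING)


def name_mismatch():
    """A deny typed under 'acl-outside' is a separate list; the applied 'acl_outside' never sees it."""
    pix = Pix([
        "access-list acl_outside permit tcp any host 216.183.97.151 eq www",  # assumed
        "access-list acl-outside deny ip host 216.17.156.110 any",
        "access-group acl_outside in interface outside",
    ])
    return pix.inbound("outside", WEB), pix.hitcounts("acl-outside")
```

Running posted_order() returns ("permit", [1, 0, 0]): the assumed permit takes the hit and the denies below it stay at zero, which is exactly the (hitcnt=0) the poster saw. deny_on_top() returns ("deny", "deny", [2, 0]) and name_mismatch() returns ("permit", [0]). The model ignores PIX specifics such as security levels and static translations; it only illustrates ordering, protocol scope and ACL binding.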
07-30-2003 11:19 PM
Hi,
did you apply the access-list to the outside interface? To do this, use the access-group command:
"access-group acl-outside in interface outside"
Kind Regards,
Tom
08-07-2003 09:43 AM
If you want to deny all traffic from that host, I would add the following command.
access-list acl_outside deny ip host 216.17.156.110 any
That will deny all IP traffic, not just TCP and UDP.