PIX Access List Deny Statement Issues

rjrii
Level 1

I have an IP from the internet that I want to deny access to my network; however, I am having issues with my access-list statement. Below is what I am trying, but it is not stopping his access. Any help is appreciated.

access-list acl_outside deny tcp host 216.17.156.110 any (hitcnt=0)

access-list acl_outside deny tcp host 216.17.156.110 host 216.183.97.151 eq www (hitcnt=0)

access-list acl-outside deny udp host 216.17.156.110 any (hitcnt=0)

access-list acl-outside deny tcp host 216.17.156.110 any (hitcnt=0)

access-list acl-outside deny tcp host 216.17.156.110 eq www host 216.183.97.151 (hitcnt=0)

access-list acl-outside deny ip host 216.17.156.110 host 216.183.97.151 (hitcnt=0)

Where 216.17.156.110 is the host I want to block from my entire network, or specifically from 216.183.97.151.

Also curious what direction the PIX reads the access-list: from bottom to top, I'm assuming, since the bottom is where the deny statements are?

1 Accepted Solution

gfullage
Cisco Employee

The PIX reads the ACL from top to bottom, exiting out when it sees the first match. If you have a permit above these lines that permits access from "any" then these lines at the bottom will never be seen.

Your best bet is to cut/paste your current ACL into a text file, add the following line TO THE TOP of the list, then remove the ACL from your PIX and cut/paste your new one back in.

> access-list acl_outside deny ip host 216.17.156.110 any

To get rid of your current ACL just do:

> no access-list acl_outside

Then, as I said, cut/paste your new one back in. Also make sure of your access-list name: half of the access-list lines you've shown us in your post are called "acl_outside" (note the underscore) and half of them are "acl-outside" (note the dash). Make sure you check what access-list name is applied to the outside interface and match it up correctly.


3 Replies

tvanginneken
Level 4

Hi,

did you apply the access-list to the outside interface? To do this, use the access-group command:

"access-group acl-outside in interface outside"

Kind Regards,

Tom

wolfrikk
Level 3

If you want to deny all traffic from that host, I would add the following command.

access-list acl_outside deny ip host 216.17.156.110 any

That will deny all IP traffic, not just TCP and UDP.
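The three replies above make three separate points: the PIX evaluates an ACL top to bottom and stops at the first match, only the ACL named in the access-group command on the interface is evaluated at all, and "deny ip" catches protocols that "deny tcp" does not. The following is an added example, not code from this thread or from Cisco: a small Python model of first-match ACL evaluation that parses the access-list lines quoted in the question and reports the same kind of hit counts that "show access-list" prints. It assumes the poster's existing ACL began with a "permit ip any any" line (the thread implies a broad permit above the denies but does not show it), assumes "access-group acl_outside in interface outside" as the binding, and only understands "any" and "host" addresses with optional "eq" ports; masks, ranges and object groups are out of scope.

```python
# Added example (not from the thread): toy model of PIX first-match ACL evaluation.
# Assumptions (not shown on the page): the poster's ACL starts with "permit ip any any",
# and "acl_outside" is the list bound to the outside interface.
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: str               # "any" or a single host address
    sport: Optional[int]   # source port from "eq", if present
    dst: str
    dport: Optional[int]
    hitcnt: int = 0        # mirrors the (hitcnt=N) in "show access-list"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _take_addr(tokens):
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")


def _take_port(tokens):
    if tokens and tokens[0] == "eq":
        return int(PORT_NAMES.get(tokens[1], tokens[1])), tokens[2:]
    return None, tokens


def parse_config(lines):
    """Return ({acl_name: [Ace, ...]}, {interface: acl_name}) from PIX CLI lines."""
    acls, groups = {}, {}
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "access-group":      # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
        elif t[0] == "access-list":     # access-list NAME ACTION PROTO SRC [eq P] DST [eq P]
            name, action, proto, rest = t[1], t[2], t[3], t[4:]
            src, rest = _take_addr(rest)
            sport, rest = _take_port(rest)
            dst, rest = _take_addr(rest)
            dport, rest = _take_port(rest)
            acls.setdefault(name, []).append(Ace(action, proto, src, sport, dst, dport))
    return acls, groups


def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:   # "ip" covers every protocol
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acls, groups, interface, pkt):
    """Top-to-bottom, first match wins; an unbound ACL is never consulted."""
    name = groups.get(interface)
    for ace in acls.get(name, []):
        if _matches(ace, pkt):
            ace.hitcnt += 1
            return ace.action
    return "deny"   # implicit deny at the end of the list (or no permit at all)


def run(config, pkt):
    """Evaluate one packet; return (verdict, {acl_name: [hitcnt per line]})."""
    acls, groups = parse_config(config)
    verdict = evaluate(acls, groups, "outside", pkt)
    return verdict, {n: [a.hitcnt for a in aces] for n, aces in acls.items()}


# Constructed configs. Deny lines are the ones quoted in the question; the
# "permit ip any any" line and the access-group binding are assumptions.
ORIGINAL = [
    "access-group acl_outside in interface outside",
    "access-list acl_outside permit ip any any",                                  # assumed
    "access-list acl_outside deny tcp host 216.17.156.110 any",
    "access-list acl_outside deny tcp host 216.17.156.110 host 216.183.97.151 eq www",
    "access-list acl-outside deny udp host 216.17.156.110 any",                  # wrong name: never bound
    "access-list acl-outside deny ip host 216.17.156.110 host 216.183.97.151",
]
FIXED = [   # gfullage's "deny ip ... any" moved to the top of the bound list
    "access-group acl_outside in interface outside",
    "access-list acl_outside deny ip host 216.17.156.110 any",
    "access-list acl_outside permit ip any any",                                  # assumed
]
TCP_ONLY = [   # same ordering, but the deny is TCP-only (wolfrikk's point)
    "access-group acl_outside in interface outside",
    "access-list acl_outside deny tcp host 216.17.156.110 any",
    "access-list acl_outside permit ip any any",                                  # assumed
]

WEB = Packet("tcp", "216.17.156.110", "216.183.97.151", sport=40000, dport=80)
PING = Packet("icmp", "216.17.156.110", "216.183.97.151")

if __name__ == "__main__":
    print(run(ORIGINAL, WEB))   # ('permit', {'acl_outside': [1, 0, 0], 'acl-outside': [0, 0]})
    print(run(FIXED, WEB))      # ('deny', {'acl_outside': [1, 0]})
    print(run(TCP_ONLY, PING))  # ('permit', ...): a tcp-only deny lets ICMP through
    print(run(FIXED, PING))     # ('deny', ...): deny ip catches it
```

The ORIGINAL run reproduces the symptom in the question: the permit at the top takes the hit and every deny stays at hitcnt=0, while the two lines under the dashed name are never evaluated because no access-group references "acl-outside". Moving a single "deny ip" line to the top of the bound list is what changes the verdict.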
