Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
828
Views
6
Helpful
3
Replies

PIX Access List Deny Statement Issues

Go to solution
rjrii
Level 1
Level 1

‎07-30-2003 08:09 PM - last edited on ‎02-21-2020 11:14 PM by Community Manager

I have an ip from the internet that I want to deny access to my network, however, I am having issues with my access-list statement. Below is what I am trying, but it is not stopping his access. Any help is appreciated

access-list acl_outside deny tcp host 216.17.156.110 any (hitcnt=0)

access-list acl_outside deny tcp host 216.17.156.110 host 216.183.97.151 eq www (hitcnt=0)

access-list acl-outside deny udp host 216.17.156.110 any (hitcnt=0)

access-list acl-outside deny tcp host 216.17.156.110 any (hitcnt=0)

access-list acl-outside deny tcp host 216.17.156.110 eq www host 216.183.97.151 (hitcnt=0)

access-list acl-outside deny ip host 216.17.156.110 host 216.183.97.151 (hitcnt=0)

Where 216.17.156.110 is the host I want to block from my entire network or specifically 216.183.97.151

Also curious what direction the PIX reads the access-list from bottom to top assuming since the bottom is where the deny statments are?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎07-30-2003 09:17 PM

The PIX reads the ACL from top to bottom, exiting out when it sees the first match. If you have a permit above these lines that permits access from "any" then these lines at the bottom will never be seen.

Your best bet is to cut/paste your current ACL into a text file, add the following line TO THE TOP of the list, then remove the ACL from your PIX and cut/paste your new one back in.

> access-list acl_outside deny ip host 216.17.156.110 any

To get rid of your current ACL just do:

> no access-list acl_outside

then as I said, cut/paste your new one back in. Also make sure of your access-list name, half the access-list you've shown us in your post is called "acl_outside" (note the underscore) and half of them are "acl-outside" (note the dash). Make sure you check what access-list name is applied to the outside interface and match it up correctly.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎07-30-2003 09:17 PM

The PIX reads the ACL from top to bottom, exiting out when it sees the first match. If you have a permit above these lines that permits access from "any" then these lines at the bottom will never be seen.

Your best bet is to cut/paste your current ACL into a text file, add the following line TO THE TOP of the list, then remove the ACL from your PIX and cut/paste your new one back in.

> access-list acl_outside deny ip host 216.17.156.110 any

To get rid of your current ACL just do:

> no access-list acl_outside

then as I said, cut/paste your new one back in. Also make sure of your access-list name, half the access-list you've shown us in your post is called "acl_outside" (note the underscore) and half of them are "acl-outside" (note the dash). Make sure you check what access-list name is applied to the outside interface and match it up correctly.

0 Helpful

Go to solution
tvanginneken
Level 4
Level 4

‎07-30-2003 11:19 PM

Hi,

did you apply the access-list to the outside interface? To do this, use the access-group command:

"access-group acl-outside in interface outside"

Kind Regards,

Tom

Go to solution
wolfrikk
Level 3
Level 3

‎08-07-2003 09:43 AM

If you want to deny all traffic from that host I would add the following command.

access-list acl_outside deny ip host 216.17.156.110 any

That will deny all IP traffic, not just tcp and upd.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card