New Member

Basic access-list question

Forgive me for such a basic question...

I currently allow ftp access from my outside interface to the server on my inside interface:

static (inside,outside) 192.168.254.21 192.168.0.60 netmask 255.255.255.255

access-list in permit tcp any host 192.168.254.21 eq ftp

access-group in in interface outside

Now, I don't like restricting based on IP address, but I have noticed 2 or 3 IP addresses (that seem to be static) that are attacking my ftp server.

When I write my access-list 'deny' statement for those IP addresses, am I going to apply it to the outside interface or the inside interface; as I currently allow everyone to access my ftp server from my outside interface...

In what order are access-lists evaluated?

(I'm 40 something and some things are not sinking in as quickly as when I was 20 something)


4 REPLIES
Hall of Fame Super Blue

Re: Basic access-list question

Hi

You should apply it on the outside interface access-list. So

access-list in deny tcp host "bad ip address1" host 192.168.254.21 eq ftp

access-list in deny tcp host "bad ip address2" host 192.168.254.21 eq ftp

etc.. for bad ip addresses

access-list in permit tcp any host 192.168.254.21 eq ftp

Know what you mean about things taking longer to sink in :-)

HTH

Jon

New Member

Re: Basic access-list question

I might be over complicating things, but, the ACL currently letting all ftp traffic in on my outside interface is already in place.

Do I need to first delete this rule, go back write my 'deny' ACLs, and then re-add my permit rule?

Or can I just add the deny rule(s) to my production PIX?

Green

Re: Basic access-list question

The denies must be before the permit any or they won't do anything. It goes from the top down and stops at the first match.
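The two replies above describe first-match, top-down evaluation with the implicit deny at the end of every access-list. The following Python model is an added example, not code from the thread or from Cisco: it evaluates a small ACL the way the PIX does and runs both orderings (denies appended after the existing permit, versus the denies placed first as Jon suggests) against a few constructed packets. The attacker addresses 203.0.113.7 and 203.0.113.9 and the legitimate client 198.51.100.5 are made-up documentation addresses standing in for the "bad ip address" placeholders; the FTP server is the static's global address 192.168.254.21 from the question.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PERMIT, DENY = "permit", "deny"
ANY = IPv4Network("0.0.0.0/0")


def host(addr: str) -> IPv4Network:
    """The 'host a.b.c.d' form of an ACE is just a /32."""
    return IPv4Network(f"{addr}/32")


@dataclass(frozen=True)
class Ace:
    """One access-list entry: <action> <proto> <src> <dst> [eq <port>]."""
    action: str
    proto: str                    # "tcp", "udp" or "ip" (ip matches any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None means no 'eq' clause, i.e. any port

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (
            (self.proto == "ip" or self.proto == proto)
            and src in self.src
            and dst in self.dst
            and (self.dport is None or self.dport == dport)
        )


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, 1-based line that matched);
    no match at all means the implicit deny, reported as line None."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for line, ace in enumerate(acl, start=1):
        if ace.matches(proto, s, d, dport):
            return ace.action, line
    return DENY, None


# Constructed data: the thread's FTP static plus two hypothetical attacking hosts.
FTP_SERVER = host("192.168.254.21")
BAD_HOSTS = ["203.0.113.7", "203.0.113.9"]

DENIES = [Ace(DENY, "tcp", host(b), FTP_SERVER, 21) for b in BAD_HOSTS]
PERMIT_ANY_FTP = Ace(PERMIT, "tcp", ANY, FTP_SERVER, 21)

# Appending the denies after the permit that is already in the running config:
WRONG_ORDER = [PERMIT_ANY_FTP] + DENIES
# Denies first, permit last, as in Jon's reply:
RIGHT_ORDER = DENIES + [PERMIT_ANY_FTP]

# Constructed packets arriving on the outside interface: (proto, src, dst, dport).
PACKETS = [
    ("tcp", "203.0.113.7",  "192.168.254.21", 21),   # attacker -> ftp
    ("tcp", "198.51.100.5", "192.168.254.21", 21),   # legitimate client -> ftp
    ("tcp", "198.51.100.5", "192.168.254.21", 22),   # anyone -> ssh: no ACE matches
]


def decisions(acl: List[Ace]) -> List[Tuple[str, Optional[int]]]:
    """Run every constructed packet through one ACL ordering."""
    return [evaluate(acl, *pkt) for pkt in PACKETS]


if __name__ == "__main__":
    for label, acl in (("denies appended after permit", WRONG_ORDER),
                       ("denies before permit", RIGHT_ORDER)):
        print(f"--- {label} ---")
        for pkt, (action, line) in zip(PACKETS, decisions(acl)):
            where = f"line {line}" if line else "implicit deny"
            print(f"{pkt[1]:>14} -> {pkt[2]}:{pkt[3]}  {action:6} ({where})")
```

In the appended ordering the attacker hits the `permit tcp any` on line 1 and the denies on lines 2 and 3 are never consulted; in Jon's ordering the same packet stops at line 1 with a deny while the legitimate client falls through to the permit on line 3. Anything with no matching ACE, such as port 22 here, is dropped by the implicit deny. On PIX 7.x and ASA the `access-list <name> line <n> ...` form inserts an entry at a given position, so the denies can be placed above the existing permit without touching it; PIX 6.x has no `line` keyword, so there the permit has to be removed with `no access-list ...` and re-added after the denies.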

New Member

Re: Basic access-list question

Nothing like your boss coming to you one day and saying, "Here's a PIX. Get it working by Monday."

You the man (or woman... or tech), acomiskey!

YOU and your help are always much appreciated!
