Cisco Support Community
New Member

PIX 501 access-list deny not working

There is someone trying to get access to my FTP server causing slowdowns and event log errors. I have added his IP to my access list deny to that server and he is still able to access the server. What did I do wrong if anything?

access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx

13 REPLIES
Green

Re: PIX 501 access-list deny not working

Is the acl applied or is there a permit before the deny?

New Member

Re: PIX 501 access-list deny not working

The ACL is applied and there is a permit after the deny. I tried both ways and the little S.O.B is still getting access.

Green

Re: PIX 501 access-list deny not working

Either that is not the correct source address or something else is wrong, post up the whole acl.

New Member

Re: PIX 501 access-list deny not working

access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx range 65438 65441
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq pcanywhere-data
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 5632
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq www
access-list joe permit tcp any host 63.xxx.xxx.xxx eq https
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954

Green

Re: PIX 501 access-list deny not working

Do a "show access-list joe". Do you have any hits on your deny line? If not, then you have the wrong source address or this is not the source of your problem. Is that the entire ACL?

New Member

Re: PIX 501 access-list deny not working

A couple of questions:

Is the access list applied to the outside interface?

Is there a permit statement further up in the access list?

Are the counters increasing on the line?

Silver

Re: PIX 501 access-list deny not working

You need to apply this access list to an interface (most likely the outside in your case) using the access-group command. Here is an example:

access-group joe in interface outside

Please rate if this helps.

Jay

New Member

Re: PIX 501 access-list deny not working

that is exactly what I have in already

Silver

Re: PIX 501 access-list deny not working

You can verify you have the correct "attacking IP" using the following method:

1. Create an access list to look for traffic to your FTP server

access-list cap1 extended permit tcp any host 63.1.1.1 eq ftp

2. Create a capture to look for traffic using your access list

capture cap1 access-list cap1 interface outside

3. View capture

show capture cap1

New Member

Re: PIX 501 access-list deny not working

It comes up in my FTP logfile.

New Member

Re: PIX 501 access-list deny not working

I guess it is possible that the attacker already has an open connection, and therefore the access list only gets checked on setup.

Run "sh conn" and "sh xlate" and check.

You could run "clear xlate", but this would cause an interruption for all users.
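The point made in this reply, as an added illustration that is not part of the thread: a stateful firewall consults the ACL only when a connection is set up, so a deny added after the session is already open shows no hits until the connection is torn down. The model below is a simplified stand-in for PIX behaviour (first match wins, implicit deny, a connection table that short-circuits the ACL); the server address is a constructed sample value.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    src: str                 # host address or "any"
    dst: str
    dport: Optional[int] = None   # None means any destination port
    hits: int = 0            # what "show access-list" would report

    def matches(self, src, dst, dport):
        return ((self.src == "any" or self.src == src)
                and (self.dst == "any" or self.dst == dst)
                and (self.dport is None or self.dport == dport))

@dataclass
class Firewall:
    acl: list
    conns: set = field(default_factory=set)   # models the PIX connection table

    def packet(self, src, dst, dport):
        """Return True if the packet is forwarded."""
        key = (src, dst, dport)
        if key in self.conns:          # existing connection: ACL is not re-checked
            return True
        for ace in self.acl:           # first matching entry wins
            if ace.matches(src, dst, dport):
                ace.hits += 1
                if ace.action == "permit":
                    self.conns.add(key)
                return ace.action == "permit"
        return False                   # implicit deny at the end of the list

    def clear_conns(self):             # models "clear xlate" tearing sessions down
        self.conns.clear()

def demo():
    server = "198.51.100.21"           # constructed sample value for 63.xxx.xxx.xxx
    fw = Firewall([Ace("permit", "any", server, 21)])
    fw.packet("12.164.17.130", server, 21)   # session opened before the deny existed
    fw.acl.insert(0, Ace("deny", "12.164.17.130", server))
    still_open = fw.packet("12.164.17.130", server, 21)   # True: conn table hit
    deny_hits_before = fw.acl[0].hits                      # 0: deny never consulted
    fw.clear_conns()
    after_clear = fw.packet("12.164.17.130", server, 21)  # False: deny now matches
    return still_open, deny_hits_before, fw.acl[0].hits, after_clear
```

A deny line with zero hits while the traffic continues is consistent with this scenario, which is why checking "sh conn" comes before concluding the ACL is wrong.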

New Member

Re: PIX 501 access-list deny not working

Never done a capture before. I would need assistance.

New Member

Re: PIX 501 access-list deny not working

Well, try this:

"shun 12.164.17.130" - remember the shun command cannot be saved, therefore it will not be there after a reload.

Very rarely on 6.x code (501s only run 6.x and down) I've seen commands that just don't take effect ... sometimes you have to take it out and reapply it ... try that ..
