Cisco Support Community
New Member

problem with acl

Hello.

I have a question about the functionality of the access-list. I tried to block a range of internet addresses with an ACL, but it doesn't work. I don't know if I am right about the syntax (I think I am). My ACL is the following:

access-list externa deny ip 213.248.112.0 255.255.255.0 any

then I applied to the outside interface with the command:

access-group externa in interface outside

but these addresses are still gaining access to my LAN.

What can I do?

thanks.

6 REPLIES
New Member

Re: problem with acl

Something does not look right. Is that the entire ACL? There is an implicit deny at the end of all ACLs, so that ACL should block all traffic coming in, since there are no permit statements.

New Member

Re: problem with acl

Depending on your config, you may need to use local/remote -

access-list externa deny ip any 213.248.112.0 255.255.255.0

~rls

New Member

Re: problem with acl

Is this the only ACL applied on your outside interface? ACLs are processed in the order in which they appear in your config.

So if you have a config that looks like this:

access-list externa permit ip 213.0.0.0 255.0.0.0 any

access-list externa deny ip 213.248.112.0 255.255.255.0 any

access-group externa in interface outside

The 2nd ACL will never be processed.

It is also good practice to do a 'clear xlate' command after changing an ACL, but in this case it wouldn't be necessary.

Mike

Silver

Re: problem with acl

If the traffic you're trying to block on the outside interface was initiated on an interface with higher security, inside for example, then denies in the outside ACL will have no effect. The PIX uses stateful inspection to determine what to let in. If the session started on the inside, it will always let it back in on the other interfaces. To stop traffic of this type, deny the traffic with an ACL on the interface where the traffic started.

If the traffic isn't initiated on the inside, repost your ACL entries and access-group commands for further investigation.

New Member

Re: problem with acl

I am new to Cisco, but if the network range you are trying to block is:

213.248.112.0

then shouldn't the netmask be:

0.0.0.255

Please do correct me if I am wrong.

Silver

Re: problem with acl

That's incorrect. What you're referring to is a wildcard mask and not a subnet mask. The PIX uses subnet masks, while routers use wildcard masks like you stated.
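To make the points in Mike's reply (first match wins, implicit deny, a broad permit shadowing a later deny) and in the last reply (PIX subnet mask versus router wildcard mask) concrete, here is a small Python model of how such entries are evaluated. This is an added example written for this page; it is not code from the thread or from Cisco, and it assumes literal bitwise subnet-mask matching (`addr & mask == network & mask`), which is what a subnet mask means but not necessarily how a real PIX would react to a non-contiguous mask such as `0.0.0.255`. The ACL entries used as sample input are constructed from the ones quoted in the thread.

```python
"""Toy evaluator for PIX-style access-list entries (added example).

Models three things the replies discuss: first-match processing with an
implicit deny at the end, subnet-mask (not wildcard) matching, and what
happens when a wildcard mask is written where a subnet mask is expected.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def _int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _dotted(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_to_netmask(wildcard):
    """Router-style wildcard mask -> PIX-style subnet mask (bitwise complement)."""
    return _dotted(~_int(wildcard) & ALL_ONES)


def netmask_to_wildcard(netmask):
    """PIX-style subnet mask -> router-style wildcard mask."""
    return _dotted(~_int(netmask) & ALL_ONES)


@dataclass
class Endpoint:
    network: int  # address bits
    mask: int     # subnet mask bits; 0 models the keyword "any"

    def matches(self, addr):
        # Literal subnet-mask semantics: compare only the bits the mask keeps.
        return (_int(addr) & self.mask) == (self.network & self.mask)


@dataclass
class Ace:
    action: str
    src: Endpoint
    dst: Endpoint
    text: str

    def matches(self, src, dst):
        return self.src.matches(src) and self.dst.matches(dst)


def _parse_endpoint(tokens, i):
    """Consume 'any' or 'ADDR MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return Endpoint(0, 0), i + 1
    return Endpoint(_int(tokens[i]), _int(tokens[i + 1])), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip SRC [MASK] DST [MASK]' (ip only)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    action = t[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, i = _parse_endpoint(t, 4)
    dst, _ = _parse_endpoint(t, i)
    return Ace(action, src, dst, line)


def evaluate(acl_lines, src, dst):
    """First matching entry wins; no match at all means the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace.matches(src, dst):
            return ace.action, ace.text
    return "deny", "implicit deny"


def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    return ((outer.mask & ~inner.mask & ALL_ONES) == 0
            and (inner.network & outer.mask) == (outer.network & outer.mask))


def shadowed_entries(acl_lines):
    """Entries that can never match because an earlier entry already covers them."""
    aces = [parse_ace(line) for line in acl_lines]
    shadowed = []
    for i, later in enumerate(aces):
        if any(covers(e.src, later.src) and covers(e.dst, later.dst) for e in aces[:i]):
            shadowed.append(later.text)
    return shadowed


# Constructed samples built from the entries quoted in the thread.
ORIGINAL = ["access-list externa deny ip 213.248.112.0 255.255.255.0 any"]
SHADOWED = [
    "access-list externa permit ip 213.0.0.0 255.0.0.0 any",
    "access-list externa deny ip 213.248.112.0 255.255.255.0 any",
]
# A wildcard mask written where the PIX expects a subnet mask.
WILDCARD_AS_NETMASK = ["access-list externa deny ip 213.248.112.0 0.0.0.255 any"]

if __name__ == "__main__":
    print(evaluate(ORIGINAL, "213.248.112.57", "10.0.0.5"))        # denied by the entry
    print(evaluate(ORIGINAL, "198.51.100.7", "10.0.0.5"))          # implicit deny
    print(evaluate(SHADOWED, "213.248.112.57", "10.0.0.5"))        # permitted by the /8
    print(shadowed_entries(SHADOWED))                              # the deny is dead
    print(evaluate(WILDCARD_AS_NETMASK, "213.248.112.57", "10.0.0.5"))
    print(wildcard_to_netmask("0.0.0.255"))                        # 255.255.255.0
```

Running it shows the three behaviours side by side: with only the poster's entry, a host in 213.248.112.0/24 is denied by that entry and every other source falls through to the implicit deny (the first reply's point); with the /8 permit in front, the /24 deny is reported as shadowed and never fires (Mike's point); and with `0.0.0.255` taken literally as a subnet mask, only the last octet is compared, so `213.248.112.57` is not matched by the entry while an unrelated address ending in `.0` is, which is why the mask form matters on the PIX.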
