https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753271#M1006953 <HTML><HEAD></HEAD><BODY><P>access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx</P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx range 65438 65441 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq pcanywhere-data </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 5632 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq www </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq https </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954 </P></BODY></HTML> Tue, 17 Apr 2007 18:35:25 GMT r.mazzella 2007-04-17T18:35:25Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753263#M1006943 <P>There is someone trying to get access to my FTP server causing slowdowns and event log errors. I have added his IP to my access list deny to that server and he is still able to access the server. What did I do wrong if anything?</P><P></P><P>access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx</P> Mon, 11 Mar 2019 10:01:14 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753263#M1006943 r.mazzella 2019-03-11T10:01:14Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753264#M1006944 <HTML><HEAD></HEAD><BODY><P>Is the acl applied or is there a permit before the deny?</P></BODY></HTML> Tue, 17 Apr 2007 18:22:09 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753264#M1006944 acomiskey 2007-04-17T18:22:09Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753265#M1006945 <HTML><HEAD></HEAD><BODY><P>A couple of questions:</P><P></P><P>Is the access list applied to the outside interface?</P><P></P><P>Is there a permit statement further up in the access list?</P><P></P><P>Are the counters increasing on the line?</P><P></P><P></P><P></P></BODY></HTML> Tue, 17 Apr 2007 18:22:19 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753265#M1006945 mark.hodge 2007-04-17T18:22:19Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753266#M1006946 <HTML><HEAD></HEAD><BODY><P>You need to apply this access list to an interface (most likely the outside in your case)using the access-group command. Here is an example:</P><P></P><P>access-group joe in interface outside</P><P></P><P>Please rate if this helps.</P><P></P><P>Jay</P></BODY></HTML> Tue, 17 Apr 2007 18:23:38 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753266#M1006946 jwalker 2007-04-17T18:23:38Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753267#M1006949 <HTML><HEAD></HEAD><BODY><P>the acl is aplied and there is a permit after the deny. I tried both way and the little S.O.B is still getting access.</P><P></P><P></P></BODY></HTML> Tue, 17 Apr 2007 18:25:11 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753267#M1006949 r.mazzella 2007-04-17T18:25:11Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753268#M1006950 <HTML><HEAD></HEAD><BODY><P>Either that is not the correct source address or something else is wrong, post up the whole acl.</P></BODY></HTML> Tue, 17 Apr 2007 18:26:36 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753268#M1006950 acomiskey 2007-04-17T18:26:36Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753269#M1006951 <HTML><HEAD></HEAD><BODY><P>that is exactly what I have in already</P></BODY></HTML> Tue, 17 Apr 2007 18:29:30 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753269#M1006951 r.mazzella 2007-04-17T18:29:30Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753270#M1006952 <HTML><HEAD></HEAD><BODY><P>You can verify you have the correct "attacking IP" using the following method..</P><P></P><P>1. Create an access list to look for traffic to your FTP server</P><P></P><P>access-list cap1 extended permit tcp any host 63.1.1.1 eq ftp</P><P></P><P>2. Create a capture to look for traffic using your access list</P><P></P><P>capture cap1 access-list cap1 interface outside</P><P></P><P>3. View capture </P><P></P><P>show capure cap1</P></BODY></HTML> Tue, 17 Apr 2007 18:33:27 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753270#M1006952 jwalker 2007-04-17T18:33:27Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753271#M1006953 <HTML><HEAD></HEAD><BODY><P>access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx</P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx range 65438 65441 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq pcanywhere-data </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 5632 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq www </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq https </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953 </P><P>access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954 </P></BODY></HTML> Tue, 17 Apr 2007 18:35:25 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753271#M1006953 r.mazzella 2007-04-17T18:35:25Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753272#M1006955 <HTML><HEAD></HEAD><BODY><P>it comes up in my ftp logfile.</P></BODY></HTML> Tue, 17 Apr 2007 18:37:21 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753272#M1006955 r.mazzella 2007-04-17T18:37:21Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753273#M1006957 <HTML><HEAD></HEAD><BODY><P>never done a capture before. I would need assistance.</P></BODY></HTML> Tue, 17 Apr 2007 18:38:02 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753273#M1006957 r.mazzella 2007-04-17T18:38:02Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753274#M1006960 <HTML><HEAD></HEAD><BODY><P>Do a show access-list joe. Do you have any hits on your deny line? If not then you have the wrong source address or this is not the source of your problem. Is that the entire acl?</P></BODY></HTML> Tue, 17 Apr 2007 18:50:57 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753274#M1006960 acomiskey 2007-04-17T18:50:57Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753275#M1006961 <HTML><HEAD></HEAD><BODY><P>I guess it is possible that the attacker already has an open connection, and therfore the access list only gets checked on setup.</P><P></P><P>run "sh conn" and "sh xlate" and check.</P><P></P><P>You could run "clear xlate" but this would cause an interupt for all users.</P></BODY></HTML> Tue, 17 Apr 2007 19:09:19 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753275#M1006961 mark.hodge 2007-04-17T19:09:19Z https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753276#M1006962 <HTML><HEAD></HEAD><BODY><P>well try this </P><P></P><P>"shun 12.164.17.130" remember shun command cannot be saved therefore they will not be there after a reload</P><P></P><P>very rarely on 6.x code (501s only run 6.X and down) i've seen commands that just do take effect ... sometimes you have to take it out and reapply it ... try that ..</P><P></P><P></P></BODY></HTML> Wed, 18 Apr 2007 19:10:31 GMT https://community.cisco.com/t5/network-security/pix-501-access-list-deny-not-working/m-p/753276#M1006962 bahoosh 2007-04-18T19:10:31Z