https://community.cisco.com/t5/network-security/pix-access-list-deny-statement-issues/m-p/206151#M615505 <P>I have an ip from the internet that I want to deny access to my network, however, I am having issues with my access-list statement. Below is what I am trying, but it is not stopping his access. Any help is appreciated</P><P></P><P>access-list acl_outside deny tcp host 216.17.156.110 any (hitcnt=0)</P><P>access-list acl_outside deny tcp host 216.17.156.110 host 216.183.97.151 eq www (hitcnt=0)</P><P>access-list acl-outside deny udp host 216.17.156.110 any (hitcnt=0)</P><P>access-list acl-outside deny tcp host 216.17.156.110 any (hitcnt=0)</P><P>access-list acl-outside deny tcp host 216.17.156.110 eq www host 216.183.97.151 (hitcnt=0)</P><P>access-list acl-outside deny ip host 216.17.156.110 host 216.183.97.151 (hitcnt=0)</P><P></P><P>Where 216.17.156.110 is the host I want to block from my entire network or specifically 216.183.97.151</P><P></P><P></P><P>Also curious what direction the PIX reads the access-list from bottom to top assuming since the bottom is where the deny statments are?</P> Sat, 22 Feb 2020 07:14:18 GMT rjrii 2020-02-22T07:14:18Z https://community.cisco.com/t5/network-security/pix-access-list-deny-statement-issues/m-p/206151#M615505 <P>I have an ip from the internet that I want to deny access to my network, however, I am having issues with my access-list statement. Below is what I am trying, but it is not stopping his access. Any help is appreciated</P><P></P><P>access-list acl_outside deny tcp host 216.17.156.110 any (hitcnt=0)</P><P>access-list acl_outside deny tcp host 216.17.156.110 host 216.183.97.151 eq www (hitcnt=0)</P><P>access-list acl-outside deny udp host 216.17.156.110 any (hitcnt=0)</P><P>access-list acl-outside deny tcp host 216.17.156.110 any (hitcnt=0)</P><P>access-list acl-outside deny tcp host 216.17.156.110 eq www host 216.183.97.151 (hitcnt=0)</P><P>access-list acl-outside deny ip host 216.17.156.110 host 216.183.97.151 (hitcnt=0)</P><P></P><P>Where 216.17.156.110 is the host I want to block from my entire network or specifically 216.183.97.151</P><P></P><P></P><P>Also curious what direction the PIX reads the access-list from bottom to top assuming since the bottom is where the deny statments are?</P> Sat, 22 Feb 2020 07:14:18 GMT https://community.cisco.com/t5/network-security/pix-access-list-deny-statement-issues/m-p/206151#M615505 rjrii 2020-02-22T07:14:18Z https://community.cisco.com/t5/network-security/pix-access-list-deny-statement-issues/m-p/206152#M615507 <HTML><HEAD></HEAD><BODY><P>The PIX reads the ACL from top to bottom, exiting out when it sees the first match. If you have a permit above these lines that permits access from "any" then these lines at the bottom will never be seen.</P><P></P><P>Your best bet is to cut/paste your current ACL into a text file, add the following line TO THE TOP of the list, then remove the ACL from your PIX and cut/paste your new one back in.</P><P><B></B></P><P>&gt; access-list acl_outside deny ip host 216.17.156.110 any</P><P></P><P>To get rid of your current ACL just do:</P><P><B></B></P><P>&gt; no access-list acl_outside</P><P></P><P>then as I said, cut/paste your new one back in. Also make sure of your access-list name, half the access-list you've shown us in your post is called "acl_outside" (note the underscore) and half of them are "acl-outside" (note the dash). Make sure you check what access-list name is applied to the outside interface and match it up correctly.</P></BODY></HTML> Thu, 31 Jul 2003 04:17:31 GMT https://community.cisco.com/t5/network-security/pix-access-list-deny-statement-issues/m-p/206152#M615507 gfullage 2003-07-31T04:17:31Z https://community.cisco.com/t5/network-security/pix-access-list-deny-statement-issues/m-p/206153#M615509 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>did you apply the access-list to the outside interface? To do this, use the access-group command:</P><P></P><P>"access-group acl-outside in interface outside"</P><P></P><P>Kind Regards,</P><P>Tom</P></BODY></HTML> Thu, 31 Jul 2003 06:19:31 GMT https://community.cisco.com/t5/network-security/pix-access-list-deny-statement-issues/m-p/206153#M615509 tvanginneken 2003-07-31T06:19:31Z https://community.cisco.com/t5/network-security/pix-access-list-deny-statement-issues/m-p/206154#M615510 <HTML><HEAD></HEAD><BODY><P>If you want to deny all traffic from that host I would add the following command.</P><P></P><P>access-list acl_outside deny ip host 216.17.156.110 any</P><P></P><P>That will deny all IP traffic, not just tcp and upd.</P></BODY></HTML> Thu, 07 Aug 2003 16:43:08 GMT https://community.cisco.com/t5/network-security/pix-access-list-deny-statement-issues/m-p/206154#M615510 wolfrikk 2003-08-07T16:43:08Z