https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724809#M999450 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>You should apply it on the outside interface access-list. So </P><P></P><P>access-list in deny tcp host "bad ip address1" host 192.168.254.21 eq ftp </P><P>access-list in deny tcp host "bad ip address2" host 192.168.254.21 eq ftp </P><P>etc.. for bad ip addresses</P><P>access-list in permit tcp any host 192.168.254.1 eq ftp</P><P></P><P>Know what you mean about things taking longer to sink in <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>HTH </P><P></P><P>Jon </P><P></P></BODY></HTML> Sun, 25 Mar 2007 01:47:27 GMT Jon Marshall 2007-03-25T01:47:27Z https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724808#M999448 <P>Forgive me for such a basic question...</P><P></P><P>I currently allow ftp access from my outside interface to the server on my inside interface:</P><P>static (inside,outside) 192.168.254.21 192.168.0.60 netmask 255.255.255.255</P><P>access-list in permit tcp any host 192.168.254.21 eq ftp</P><P>access-group in in interface outside</P><P></P><P>Now, I don't like restricting based on IP address, but I have noticed 2 or 3 IP addresses (that seem to be static) that are attacking my ftp server.</P><P></P><P>When I write my access-list 'deny' statement for those IP addresses, am I going to apply it to the outside interface or the inside interface; as I currently allow everyone to access my ftp server from my outside interface...</P><P></P><P>In what order are access-lists evaluated?</P><P></P><P>(I'm 40 something and some things are not sinking in as quickly as when I was 20 something) </P> Mon, 11 Mar 2019 09:51:38 GMT https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724808#M999448 srberg5219 2019-03-11T09:51:38Z https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724809#M999450 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>You should apply it on the outside interface access-list. So </P><P></P><P>access-list in deny tcp host "bad ip address1" host 192.168.254.21 eq ftp </P><P>access-list in deny tcp host "bad ip address2" host 192.168.254.21 eq ftp </P><P>etc.. for bad ip addresses</P><P>access-list in permit tcp any host 192.168.254.1 eq ftp</P><P></P><P>Know what you mean about things taking longer to sink in <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>HTH </P><P></P><P>Jon </P><P></P></BODY></HTML> Sun, 25 Mar 2007 01:47:27 GMT https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724809#M999450 Jon Marshall 2007-03-25T01:47:27Z https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724810#M999452 <HTML><HEAD></HEAD><BODY><P>I might be over complicating things, but, the ACL currently letting all ftp traffic in on my outside interface is already in place.</P><P>Do I need to first delete this rule, go back write my 'deny' ACLs, and then re-add my permit rule?</P><P></P><P>Or can I just add the deny rule(s) to my production PIX?</P></BODY></HTML> Sun, 25 Mar 2007 02:07:26 GMT https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724810#M999452 srberg5219 2007-03-25T02:07:26Z https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724811#M999453 <HTML><HEAD></HEAD><BODY><P>The denies must be before the permit any or they won't do anything. It goes from the top down and stops at the first match.</P></BODY></HTML> Sun, 25 Mar 2007 03:27:30 GMT https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724811#M999453 acomiskey 2007-03-25T03:27:30Z https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724812#M999454 <HTML><HEAD></HEAD><BODY><P>Nothing like your boss coming to you one day and saying, "Here's a PIX. Get it working by Monday."</P><P></P><P>You the man (or woman...or tech)acomiskey! </P><P>YOU and your help is always much appreciated!</P></BODY></HTML> Sun, 25 Mar 2007 03:53:11 GMT https://community.cisco.com/t5/network-security/basic-access-list-question/m-p/724812#M999454 srberg5219 2007-03-25T03:53:11Z