Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
575
Views
5
Helpful
3
Replies

ACL for PIX 6.3.1

Go to solution
ahmedkhaleel
Level 1
Level 1

‎01-05-2005 06:09 PM - edited ‎02-20-2020 11:51 PM

Below is my access list I have one IP 211.181.198.201 from Internet trying to access my web server frequently from me this from untrusted I don't want this IP 211.181.198.201 to access my web server, anyway I have applied the last statement will the last statement be effective. I assume that permit in the first statement will permit any host even this IP 211.181.198.201 to access my web server, How can I block it please advice.

access-list 101 permit tcp any host xxx.187.66.197 eq www

access-list 101 permit udp any host xxx.187.66.195 eq domain

access-list 101 permit tcp any host xxx.187.66.198 eq www

access-list 101 deny ip host 211.181.198.201 any

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Patrick Iseli
Level 7
Level 7

‎01-05-2005 08:10 PM

If you want to block host 211.181.198.201 accessing a server behind your PIX you need to put this befor the permit statements !

example:

access-list 101 deny ip host 211.181.198.201 any

access-list 101 permit tcp any host xxx.187.66.197 eq www

access-list 101 permit udp any host xxx.187.66.195 eq domain

access-list 101 permit tcp any host xxx.187.66.198 eq www

Depending on your PIX OS version you just can add an access-list entry with the "line n" statement, I think 6.3.3 introduced that feature.

Syntax:

[no] access-list [line ] deny|permit

|object-group

| interface | object-group

[ [] | object-group ]

| interface | object-group

[ [] | object-group ]

[log [disable|default] | [] [interval ]]

example:

no access-list 101 deny ip host 211.181.198.201 any

access-list 101 deny line 1 ip host 211.181.198.201 any

Do a "clear xlate" if neccesary! Take care that resets all communications.

sincerely

Patrick

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Patrick Iseli
Level 7
Level 7

‎01-05-2005 08:10 PM

If you want to block host 211.181.198.201 accessing a server behind your PIX you need to put this befor the permit statements !

example:

access-list 101 deny ip host 211.181.198.201 any

access-list 101 permit tcp any host xxx.187.66.197 eq www

access-list 101 permit udp any host xxx.187.66.195 eq domain

access-list 101 permit tcp any host xxx.187.66.198 eq www

Depending on your PIX OS version you just can add an access-list entry with the "line n" statement, I think 6.3.3 introduced that feature.

Syntax:

[no] access-list [line ] deny|permit

|object-group

| interface | object-group

[ [] | object-group ]

| interface | object-group

[ [] | object-group ]

[log [disable|default] | [] [interval ]]

example:

no access-list 101 deny ip host 211.181.198.201 any

access-list 101 deny line 1 ip host 211.181.198.201 any

Do a "clear xlate" if neccesary! Take care that resets all communications.

sincerely

Patrick

0 Helpful

Go to solution
ahmedkhaleel
Level 1
Level 1
In response to Patrick Iseli

‎01-06-2005 07:12 PM

Hy Patrick,

It works thanks for the information.

Thanks

Khaleel

0 Helpful

Go to solution
Patrick Iseli
Level 7
Level 7
In response to ahmedkhaleel

‎01-06-2005 07:20 PM

The pleasure is mine,

Please mark your post as solved, so that they can remove it from the post list.

sincerely

Patrick

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card