
ACL for PIX 6.3.1

ahmedkhaleel
Level 1

Below is my access list. I have one IP, 211.181.198.201, from the Internet trying to access my web server frequently. This is untrusted, and I don't want this IP 211.181.198.201 to access my web server. Anyway, I have applied the last statement; will the last statement be effective? I assume that the permit in the first statement will permit any host, even this IP 211.181.198.201, to access my web server. How can I block it? Please advise.

access-list 101 permit tcp any host xxx.187.66.197 eq www

access-list 101 permit udp any host xxx.187.66.195 eq domain

access-list 101 permit tcp any host xxx.187.66.198 eq www

access-list 101 deny ip host 211.181.198.201 any

Accepted Solution

Patrick Iseli
Level 7

If you want to block host 211.181.198.201 from accessing a server behind your PIX, you need to put this before the permit statements!

example:

access-list 101 deny ip host 211.181.198.201 any

access-list 101 permit tcp any host xxx.187.66.197 eq www

access-list 101 permit udp any host xxx.187.66.195 eq domain

access-list 101 permit tcp any host xxx.187.66.198 eq www

Depending on your PIX OS version you can just add an access-list entry with the "line n" statement; I think 6.3.3 introduced that feature.

Syntax:

[no] access-list [line ] deny|permit

|object-group

| interface | object-group

[ [] | object-group ]

| interface | object-group

[ [] | object-group ]

[log [disable|default] | [] [interval ]]

example:

no access-list 101 deny ip host 211.181.198.201 any

access-list 101 line 1 deny ip host 211.181.198.201 any

Do a "clear xlate" if necessary! Take care, that resets all communications.

sincerely

Patrick
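The ordering point in the answer above, as an added example (not code from this thread or from Cisco): a small first-match evaluator for the access-list lines posted here, run once with the deny at the end and once with it moved to line 1. The xxx octets from the post are replaced by a constructed 203.0.113.x address.

```python
# Added example (not PIX code): first-match evaluation of the access-list
# lines in this thread, covering only the syntax used above (permit/deny,
# ip/tcp/udp, 'any' or 'host A.B.C.D', optional 'eq <service|port>').

SERVICE_PORTS = {"www": 80, "domain": 53}

def parse_ace(line):
    """access-list <id> [line n] permit|deny <proto> <src> <dst> [eq <port>]"""
    tok = line.split()
    i = 4 if tok[2] == "line" else 2         # skip the optional 'line n'
    action, proto = tok[i], tok[i + 1]
    i += 2
    addrs = []
    for _ in range(2):                       # source, then destination
        if tok[i] == "any":
            addrs.append("any"); i += 1
        elif tok[i] == "host":
            addrs.append(tok[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported address form: {tok[i]}")
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = SERVICE_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, addrs[0], addrs[1], dport

def matches(ace, proto, src, dst, dport):
    a_action, a_proto, a_src, a_dst, a_port = ace
    return (a_proto in ("ip", proto) and a_src in ("any", src)
            and a_dst in ("any", dst) and (a_port is None or a_port == dport))

def evaluate(acl_lines, proto, src, dst, dport):
    """Action of the first matching ACE; a PIX ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, proto, src, dst, dport):
            return ace[0]
    return "deny"

# Constructed stand-in for the poster's list (xxx replaced by 203.0.113).
ORIGINAL = [
    "access-list 101 permit tcp any host 203.0.113.197 eq www",
    "access-list 101 permit udp any host 203.0.113.195 eq domain",
    "access-list 101 permit tcp any host 203.0.113.198 eq www",
    "access-list 101 deny ip host 211.181.198.201 any",
]
FIXED = ORIGINAL[-1:] + ORIGINAL[:-1]   # deny moved to line 1, as in the accepted answer

if __name__ == "__main__":
    pkt = ("tcp", "211.181.198.201", "203.0.113.197", 80)
    print(evaluate(ORIGINAL, *pkt), evaluate(FIXED, *pkt))  # permit deny
```

With the deny last, the earlier permit for tcp/www already matched the unwanted host; moving the deny to line 1 is what makes it take effect, while other hosts still reach the web server.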


3 Replies

Hi Patrick,

It works, thanks for the information.

Thanks

Khaleel

The pleasure is mine,

Please mark your post as solved, so that they can remove it from the post list.

sincerely

Patrick
