01-19-2010 08:41 AM - edited 03-11-2019 09:58 AM
I have a PIX 515E and would like to block traffic from certain IP subnets.
I am receiving so many hits from there to my email server's SMTP port.
I manually blocked IPs from China that are creating spam on my mail server, e.g.
125.110.102.86
220.190.41.132
Instead of each IP I want to block 125.110.0.0 and 220.190.0.0.
How can I get this done?
01-19-2010 09:00 AM
Not sure what you are asking here.
If you are already blocking certain hosts eg.
access-list outside_in deny tcp host 125.110.102.86 host
then to block a subnet simply change the first bit of your acl ie.
access-list outside_in deny tcp 125.110.0.0
Or have I misunderstood the requirement?
Jon
01-19-2010 09:18 AM
Thanks for the response, Jon.
I am not a lot familiar with PIX, but from the web interface (PDM) I added a rule like this and it's blocking traffic from that IP:
access-list acl_out_to_in line 40 extended deny object-group DM_INLINE_SERVICE_1 host 125.110.102.86 any 0x960c8531
access-list acl_out_to_in line 40 extended deny ip host 125.110.102.86 any (hitcnt=21650) 0x47f4e704
access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any (hitcnt=0) 0xe6059313
access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any eq smtp (hitcnt=0) 0x7e703e53
What I would like to do is block everything from the IPs 125.110.102.0 - 125.110.102.255, all hosts. Is it possible?
01-19-2010 09:28 AM
access-list acl_out_to_in deny tcp 125.110.102.0 255.255.255.0 any eq smtp
Note: instead of "any" you could actually put the SMTP server address - its public IP.
If you want to deny all IP
access-list acl_out_to_in deny ip 125.110.102.0 255.255.255.0 any
but be aware that this will stop all IP connections from that subnet to any of your IP addresses.
Jon
07-25-2020 03:47 PM
Isn't the order as to where you put deny statements of importance?
Also, how would I add a conduit line at the very top of the list, so that it is in the correct order?
Here is an example that will NOT block these IPs, as it is on the bottom of the "permit" list:
conduit permit tcp host 12.43.x.xx eq ssh any
conduit permit tcp host 12.43.x.xx eq ftp any
conduit deny tcp host 212.70.149.82 any
conduit deny tcp host 212.70.149.51 any
conduit deny tcp any any
conduit deny udp any any
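Added example, not part of any post in this thread: a small Python model of the access-list form used in the earlier answers (not conduit), showing the network-plus-netmask syntax for a subnet deny and why its position relative to a permit matters under top-down, first-match evaluation. The mail server address 192.0.2.25 and the permit entry are constructed assumptions; the subnets and the ACL name acl_out_to_in are from the thread.

```python
import ipaddress

MAIL = "192.0.2.25"  # constructed placeholder for the SMTP server's public IP

def pix_net(cidr):
    """Render a CIDR block as 'network netmask', the form the access-list lines use.
    strict=True rejects input with host bits set (e.g. 125.110.102.86/24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"

def deny_smtp_line(acl, cidr, server):
    """Build a deny entry scoped to SMTP on one server rather than 'any'."""
    return f"access-list {acl} deny tcp {pix_net(cidr)} host {server} eq smtp"

def first_match(rules, src, dst, port):
    """Walk the entries top-down; the first match decides, else implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, dport in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and dport in (None, port)):  # None means any port
            return action
    return "deny"

# Constructed entries: (action, source, destination, destination port)
PERMIT_SMTP = ("permit", "0.0.0.0/0", MAIL + "/32", 25)
DENY_SUBNET = ("deny", "125.110.102.0/24", "0.0.0.0/0", 25)

def spammer_verdict(rules):
    """Verdict for the host from the thread sending SMTP to the mail server."""
    return first_match(rules, "125.110.102.86", MAIL, 25)

if __name__ == "__main__":
    for cidr in ("125.110.102.0/24", "125.110.0.0/16", "220.190.0.0/16"):
        print(deny_smtp_line("acl_out_to_in", cidr, MAIL))
    # Deny placed after the permit: the permit matches first, deny is never hit.
    print("deny below permit:", spammer_verdict([PERMIT_SMTP, DENY_SUBNET]))
    # Deny placed above the permit: the subnet is blocked, other senders still pass.
    print("deny above permit:", spammer_verdict([DENY_SUBNET, PERMIT_SMTP]))
```

The `line 40` shown in the PDM-generated output earlier in the thread is the entry's position in the list; a hit count that stays at 0 on a new deny is a sign that an earlier entry is matching the traffic first.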