07-30-2003 08:09 PM - last edited on 02-21-2020 11:14 PM by cc_security_adm
I have an IP from the internet that I want to deny access to my network; however, I am having issues with my access-list statement. Below is what I am trying, but it is not stopping his access. Any help is appreciated.
access-list acl_outside deny tcp host 216.17.156.110 any (hitcnt=0)
access-list acl_outside deny tcp host 216.17.156.110 host 216.183.97.151 eq www (hitcnt=0)
access-list acl-outside deny udp host 216.17.156.110 any (hitcnt=0)
access-list acl-outside deny tcp host 216.17.156.110 any (hitcnt=0)
access-list acl-outside deny tcp host 216.17.156.110 eq www host 216.183.97.151 (hitcnt=0)
access-list acl-outside deny ip host 216.17.156.110 host 216.183.97.151 (hitcnt=0)
Where 216.17.156.110 is the host I want to block from my entire network, or specifically from 216.183.97.151.
Also curious in what direction the PIX reads the access-list. Bottom to top? I'm assuming so, since the bottom is where the deny statements are.
07-30-2003 09:17 PM
The PIX reads the ACL from top to bottom, exiting out when it sees the first match. If you have a permit above these lines that permits access from "any" then these lines at the bottom will never be seen.
Your best bet is to cut/paste your current ACL into a text file, add the following line TO THE TOP of the list, then remove the ACL from your PIX and cut/paste your new one back in.
> access-list acl_outside deny ip host 216.17.156.110 any
To get rid of your current ACL just do:
> no access-list acl_outside
then, as I said, cut/paste your new one back in. Also, make sure of your access-list name: half of the access-list lines you've shown us in your post are called "acl_outside" (note the underscore) and half of them are "acl-outside" (note the dash). Make sure you check what access-list name is applied to the outside interface and match it up correctly.
07-30-2003 11:19 PM
Hi,
Did you apply the access-list to the outside interface? To do this, use the access-group command:
"access-group acl-outside in interface outside"
Kind Regards,
Tom
08-07-2003 09:43 AM
If you want to deny all traffic from that host I would add the following command.
access-list acl_outside deny ip host 216.17.156.110 any
That will deny all IP traffic, not just tcp and udp.
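The two points made in the answers above (the PIX walks the ACL top to bottom and stops at the first match, and a single "deny ip ... any" covers tcp and udp together) can be reproduced with a small first-match evaluator. This is an added example, not code from the thread or from Cisco; the ACL lines it evaluates are constructed to match the situation the original poster describes (a broad permit sitting above the deny lines), and the parser only understands the "host A"/"any" and "eq PORT" forms used in the thread.

```python
# Added example (not from the thread): a minimal first-match evaluator for
# PIX-style extended ACL lines, with per-line hit counters like 'show access-list'.
import re
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+)(?: eq (?P<sport>\S+))? "
    r"(?P<dst>any|host \S+)(?: eq (?P<dport>\S+))?$")

def parse_ace(line: str) -> dict:
    """Parse one ACE into a dict; only 'host A' / 'any' and 'eq PORT' are supported."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line}")
    ace = m.groupdict()
    for k in ("src", "dst"):
        ace[k] = ace[k].replace("host ", "")
    for k in ("sport", "dport"):          # "www" is the PIX keyword for port 80
        ace[k] = None if ace[k] is None else (80 if ace[k] == "www" else int(ace[k]))
    ace["hits"] = 0                        # what 'show access-list' reports as hitcnt
    return ace

def load(lines: list[str]) -> list[dict]:
    acl = [parse_ace(l) for l in lines]
    if len({a["name"] for a in acl}) != 1:   # acl_outside vs acl-outside = two ACLs
        raise ValueError("lines belong to more than one access-list name")
    return acl

def evaluate(acl: list[dict], proto: str, src: str, dst: str, dport: int, sport: int = 40000) -> str:
    """Top to bottom, first match wins; anything unmatched hits the implicit deny."""
    for a in acl:
        if (a["proto"] in ("ip", proto) and a["src"] in ("any", src)
                and a["dst"] in ("any", dst) and a["sport"] in (None, sport)
                and a["dport"] in (None, dport)):
            a["hits"] += 1
            return a["action"]
    return "deny"

# Constructed ACL in the shape the thread describes: a broad permit above the denies.
AS_POSTED = [
    "access-list acl_outside permit tcp any host 216.183.97.151 eq www",
    "access-list acl_outside deny tcp host 216.17.156.110 any",
    "access-list acl_outside deny ip host 216.17.156.110 host 216.183.97.151",
]
# The accepted answer: a single "deny ip ... any" placed at the top of the same ACL.
FIXED = ["access-list acl_outside deny ip host 216.17.156.110 any"] + AS_POSTED[:1]

def hit_counts(lines: list[str], proto: str = "tcp") -> tuple[str, list[int]]:
    acl = load(lines)   # one packet from the blocked host to the web server
    verdict = evaluate(acl, proto, "216.17.156.110", "216.183.97.151", 80)
    return verdict, [a["hits"] for a in acl]
```

With the ACL as posted, a web request from 216.17.156.110 matches the permit line first and the deny lines keep hitcnt=0; with the deny moved to the top it is rejected on line 1, for tcp and udp alike.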