block inbound connection from spec. ip

gappklaus
Level 1

HW: Pix 515 (6.2)

Simple question: How can I block a specific IP from access to my internal network?

I thought this would do it:

access-list outside_access_in deny ip host AAA.AAA.53.100 host BBB.BBB.33.47

with AAA being the outside address and BBB being the outside address of my server on the inside

Thanks,

Klaus

Accepted Solution

Well, if you want to take the sledge hammer approach then issue a shun statement and wr mem.

shun xxx.xxx.x.xx <--- IP address you want to block.

Anyone see any reason why this would not have the desired result? Seems that if this IP address is doing something it shouldn't then they don't want to get to it as well as have it get to them.

Please remember to rate the post if it helps out. Thanks!!


rais
Level 7

If that's the only statement in access-list, it should block access.

Thanks.

No it is not.

There is also a general permit for http access to the server.

I thought the deny would restrict the access on top of the permit rule.

If that is not the case, how can you grant general http access, yet deny access to selected outside IPs?

Thanks

Klaus

Klaus,

All traffic initiated from outside to inside is implicitly dropped, unless explicitly permitted.

Lines within your access-lists are processed in order of appearance. If, for example, you have the following config:

access-list outside_in permit ip any any

access-list outside_in deny ip host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy

Then the second rule is never used because of the permit in the first rule.

You have to be aware that the PIX Adaptive Security Algorithm (also known as the stateful inspection engine) is taking care of response traffic (better known as traffic with a connected state). So, traffic from established sessions which enters the outside interface is always permitted and does not enter access-list screening.

If you want to have users browse the Internet, and do not have any servers on the inside that have to be reachable from the outside there is no need for an access-list at all.

Hope this helps,

Leo

What you can do is first put a deny statement for the IP you want not to have access to your server. Then put a general permit statement granting access to all.

HTH

Rais.
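To make Leo's and Rais's point concrete, here is a small first-match evaluator written for this thread (added example, not code from the thread or from Cisco). It parses access-list lines in PIX 6.x syntax and shows that the deny only fires when it precedes the permit; the thread's xxx/AAA placeholders are replaced with RFC 5737 documentation addresses, which are constructed values.

```python
import ipaddress

# Constructed example ACLs in PIX 6.x syntax; the thread's placeholders are
# replaced with RFC 5737 documentation addresses. Not a real configuration.
WRONG_ORDER = [
    "access-list outside_in permit tcp any host 203.0.113.47 eq www",
    "access-list outside_in deny ip host 198.51.100.100 host 203.0.113.47",
]
RIGHT_ORDER = list(reversed(WRONG_ORDER))  # the deny comes first

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tokens[2], tokens[3]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation, as the PIX does for traffic entering an interface.
    Returns (action, 1-based line number), or ("deny", None) for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, line in enumerate(acl_lines, start=1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n   # first matching line wins; nothing below is consulted
    return "deny", None           # no explicit permit: implicit drop
```

With the permit first, the unwanted host is permitted by line 1 and the deny on line 2 is never reached; with the deny first, that host is dropped while everyone else still reaches the web server on port 80.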

Leo and Rais,

thanks for your responses. That tells me why it did not work.

My situation is that I am protecting a web server and just one outside IP is bothering me, i.e. this IP should be denied from reaching the inside.

Now, if I switch the order in the access-list, then it should work.

Is there a way of changing the order of the access-list entries on a running (active) firewall? Or do I have to delete the access-list and enter the data from scratch?

Thanks,

Klaus

Klaus,

Starting from version 6.3 of PIX-OS it is possible to enter new lines in existing access-lists at a specific place. This is done with the keyword "line".

You just delete the line that is at the wrong spot by entering:

no access-list outside_in deny ip host xxx.xxx.xxx.xxx any

And then add it again using the command:

access-list outside_in line 1 deny ip host xxx.xxx.xxx.xxx any

This will remove the line first, and then enter the line again as the first entry in your access-lists, thus changing order of handling.

Hope this helps,

Leo

(please do not forget to use the rating system, and help to separate the boys from the men :-)))

Hi Leo,

unfortunately I am running on V 6.2 (and maintenance contract is expired :-(

But I will figure it out.

Strange that there is no clear description on how to achieve this very basic goal (blocking a specific IP) in the docs.

thanks to all the repliers for their help

All the best from Wiesbaden, Germany

Klaus

100 points :-)

That was the piece of information I was looking for.

Thanks a lot.

Klaus