11-17-2003 08:20 AM - edited 03-09-2019 05:33 AM
HW: Pix 515 (6.2)
Simple question: How can I block a specific IP from access to my internal network?
I thought this would do it:
access-list outside_access_in deny ip host AAA.AAA.53.100 host BBB.BBB.33.47
with AAA being the outside address and BBB being the outside address of my server on the inside
Thanks,
Klaus
11-17-2003 01:03 PM
If that's the only statement in access-list, it should block access.
Thanks.
11-17-2003 01:44 PM
No it is not.
there is also a general permit for http access to the server.
I thought the deny would restrict the access on top of the permit rule.
If that is not the case, how can you grant general http access. Yet deny the access to selected outside IPs?
Thanks
Klaus
11-17-2003 02:18 PM
Klaus,
All traffic initiated from outside to inside is implicitly dropped, unless explicitly permitted.
Lines within your access-lists are processed in order of appearance. If, for example, you have the following config:
access-list outside_in permit ip any any
access-list outside_in deny ip host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy
Then the second rule is never used because of the permit in the first rule.
You have to be aware that the PIX Adaptive Security Algorithm (also known as the stateful inspection engine) is taking care of response traffic (better known as traffic with a connected state). So, traffic from established sessions which enters the outside interface is always permitted and does not go through access-list screening.
If you want to have users browse the Internet, and do not have any servers on the inside that have to be reachable from the outside there is no need for an access-list at all.
Hope this helps,
Leo
11-17-2003 08:09 PM
What you can do is first put a deny statement for the IP you do not want to have access to your server. Then put a general permit statement granting access to all.
HTH
Rais.
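To make the ordering rule Leo and Rais describe concrete, here is a small first-match evaluator for PIX-style access-list lines. It is an added example, not code from the thread or from Cisco: it parses the few `access-list` forms used in this discussion, tries the lines top to bottom, applies the implicit deny when nothing matches, and flags lines that an earlier line fully shadows. The addresses are constructed from the RFC 5737 documentation ranges and stand in for the poster's AAA/BBB hosts; the function names (`parse_rule`, `evaluate`, `fully_shadowed`, `decide`, `dead_lines`) are this example's own.

```python
"""Toy first-match evaluator for PIX-style access-list lines (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}  # only the names needed here


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None = any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX writes network entries as an address followed by a dotted subnet mask
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list NAME ACTION PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return Rule(t[2], t[3], src, dst, dport)


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching line); index None = implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for idx, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, idx       # first match wins, later lines are not consulted
    return "deny", None            # nothing matched: the PIX drops it


def fully_shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of lines that can never match because an earlier line already
    covers every packet they would match (Leo's permit-before-deny case)."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.src.supernet_of(later.src)
                    and earlier.dst.supernet_of(later.dst)
                    and earlier.proto in ("ip", later.proto)
                    and earlier.dport in (None, later.dport)):
                dead.append(j)
                break
    return dead


# Constructed addresses (RFC 5737 ranges), standing in for the poster's AAA/BBB hosts.
UNWANTED_HOST = "192.0.2.100"
WEB_SERVER = "198.51.100.47"

# Klaus's order: the broad HTTP permit sits above the host-specific deny.
PERMIT_FIRST = [
    "access-list outside_in permit tcp any host 198.51.100.47 eq www",
    "access-list outside_in deny ip host 192.0.2.100 host 198.51.100.47",
]
# Rais's order: the deny comes first, then the general permit.
DENY_FIRST = list(reversed(PERMIT_FIRST))
# Leo's illustration: a 'permit ip any any' makes every later line dead.
LEO_EXAMPLE = [
    "access-list outside_in permit ip any any",
    "access-list outside_in deny ip host 192.0.2.100 host 198.51.100.47",
]


def decide(lines: List[str], src: str, dst: str = WEB_SERVER,
           proto: str = "tcp", dport: Optional[int] = 80) -> Tuple[str, Optional[int]]:
    return evaluate([parse_rule(l) for l in lines], proto, src, dst, dport)


def dead_lines(lines: List[str]) -> List[int]:
    return fully_shadowed([parse_rule(l) for l in lines])


if __name__ == "__main__":
    for name, acl in (("permit first", PERMIT_FIRST), ("deny first", DENY_FIRST)):
        print(name, "-> HTTP from unwanted host:", decide(acl, UNWANTED_HOST))
        print(name, "-> HTTP from anyone else:  ", decide(acl, "203.0.113.9"))
    print("Leo's example, dead lines:", dead_lines(LEO_EXAMPLE))
```

Note that in Klaus's original order the deny line is not reported as fully shadowed (it would still catch, say, UDP from that host), yet it never fires for the HTTP traffic he cares about; checking the actual packet class with `decide` is what exposes that.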
11-18-2003 01:08 AM
Leo and Rais,
thanks for your responses. That tells me why it did not work.
My situation is that I am protecting a web server and just one outside ip is bothering me, i.e. this ip should be denied to reach the inside.
Now, if I switch the order in the access-list. Then it should work.
Is there a way of changing the order of the access-list entries on a running (active) firewall? Or do I have to delete the access-list and enter the data from scratch?
Thanks,
Klaus
11-20-2003 02:51 PM
Klaus,
Starting from version 6.3 of PIX-OS it is possible to enter new lines in existing access-lists at a specific place. This is done with the keyword "line".
You just delete the line that is at the wrong spot by entering:
no access-list outside_in deny ip host
And then add it again using the command:
access-list outside_in deny line 1 ip host
This will remove the line first, and then enter the line again as the first entry in your access-lists, thus changing order of handling.
Hope this helps,
Leo
(please do not forget to use the rating system, and help to separate the boys from the men :-)))
11-24-2003 04:37 AM
Hi Leo,
unfortunately I am running on V 6.2 (and maintenance contract is expired :-(
But I will figure it out.
Strange that there is no clear description on how to achieve this very basic goal (blocking a specific IP) in the docs.
Thanks to all the repliers for their help.
All the best from Wiesbaden, Germany
Klaus
11-24-2003 07:00 AM
Well, if you want to take the sledge hammer approach then issue a shun statement and wr mem.
shun xxx.xxx.x.xx <--- IP address you want to block.
Anyone see any reason why this would not have the desired result? Seems that if this IP address is doing something it shouldn't then they don't want to get to it as well as have it get to them.
Please remember to rate the post if it helps out. Thanks!!
11-24-2003 07:20 AM
100 points :-)
That was the piece of information I was looking for.
Thanks a lot.
Klaus