
How to prevent traffic from specific networks?

boxenberg
Level 1

Running PIX Firewall software 6.2 on a Cisco 506E, can I deny incoming TCP traffic from an entire network? For example, how would I configure the firewall to deny all incoming TCP traffic from any host on 10.10.x.x and 10.11.x.x? Do I create an ACL for this? If so, do I just add a subnet mask after the foreign IP address, as in

access-list 120 deny tcp 10.10.0.0 255.255.0.0 host any any

access-list 120 deny tcp 10.11.0.0 255.255.0.0 host any any

Thanks in advance for any guidance.

Regards,

Barry

1 Reply

gfullage
Cisco Employee

To deny all TCP traffic to these networks (or any network for that matter) from the inside interface is a bit strange; does it have to be just TCP and not all IP? If it can be all IP traffic, do the following:

> access-list 100 deny ip 10.10.0.0 255.255.0.0 any

> access-list 100 deny ip 10.11.0.0 255.255.0.0 any

> access-list 100 permit ip any any

> access-group 100 in interface inside

If it just has to be TCP traffic only, you have to specify what ports you want, so you'd do something like the following:

> access-list 100 deny tcp 10.10.0.0 255.255.0.0 any range 1 65535

> access-list 100 deny tcp 10.11.0.0 255.255.0.0 any range 1 65535

> access-list 100 permit ip any any

Keep in mind there's always an implicit "deny everything" at the end of an ACL, so if you just added in the two "deny" lines that you specified, there'd also be a "deny any any" at the end of that and you'll end up denying all access.
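As an added illustration (not part of the original thread), the script below models PIX 6.2 first-match ACL evaluation with the implicit deny at the end, and runs the three ACL variants discussed above through it: the questioner's two deny lines on their own (written here in valid syntax, as a constructed approximation of the intent), the reply's deny-then-permit ACL, and the TCP-only variant. The parser and the sample addresses are constructed for this example and handle only the simple "source network, any destination" form used in this thread.

```python
import ipaddress

# Constructed model of PIX 6.2 access-list evaluation: the first matching
# entry wins, and a packet matching no entry hits the implicit deny.
# Each ACE is parsed into (action, protocol, source network); PIX notation
# uses a netmask after the address ("10.10.0.0 255.255.0.0"), which
# ipaddress.ip_network accepts as "10.10.0.0/255.255.0.0".

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO {SRC MASK|any} ...' (constructed subset)."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    if tok[4] == "any":
        src = ipaddress.ip_network("0.0.0.0/0")
    else:
        src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False)
    return action, proto, src

def evaluate(acl_lines, proto, src_ip):
    """Return 'permit' or 'deny' for a packet with the given protocol and source."""
    ip = ipaddress.ip_address(src_ip)
    for action, ace_proto, src in map(parse_ace, acl_lines):
        if ace_proto in ("ip", proto) and ip in src:
            return action          # first match decides
    return "deny"                  # implicit "deny everything" at the end

# Variant 1: only the two deny lines the questioner proposed (valid-syntax form)
ONLY_DENIES = [
    "access-list 120 deny tcp 10.10.0.0 255.255.0.0 any",
    "access-list 120 deny tcp 10.11.0.0 255.255.0.0 any",
]
# Variant 2: the reply's ACL, all IP from those networks denied, everything else permitted
DENY_THEN_PERMIT = [
    "access-list 100 deny ip 10.10.0.0 255.255.0.0 any",
    "access-list 100 deny ip 10.11.0.0 255.255.0.0 any",
    "access-list 100 permit ip any any",
]
# Variant 3: the reply's TCP-only ACL (other protocols from those networks still pass)
TCP_ONLY = [
    "access-list 100 deny tcp 10.10.0.0 255.255.0.0 any range 1 65535",
    "access-list 100 deny tcp 10.11.0.0 255.255.0.0 any range 1 65535",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    # Constructed sample packets: sources inside and outside the denied networks
    for name, acl in [("only denies", ONLY_DENIES), ("deny+permit", DENY_THEN_PERMIT), ("tcp only", TCP_ONLY)]:
        for proto, src in [("tcp", "10.10.1.1"), ("udp", "10.10.1.1"), ("tcp", "192.168.1.1")]:
            print(f"{name:12s} {proto:3s} from {src:12s} -> {evaluate(acl, proto, src)}")
```

Running it shows the pitfall from the reply: with only the two deny lines, even 192.168.1.1 is denied, while the TCP-only ACL still lets UDP from 10.10.x.x through.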