Outside Restrictions to DMZ

bsprankle217
Beginner

I am trying to deny an IP address from connecting to my Mail Filter located in the DMZ. I have a PIX 515e. My Mail Filter is being attacked and I want to prevent the attacking IP from connecting to it.

Here is my current DMZ config.

nameif ethernet2 dmz security4
access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.203 eq smtp
access-list ACL_DMZ permit tcp host 192.168.0.10 10.1.1.0 255.255.255.0 eq 8000
access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.210 eq domain
access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.211 eq domain
access-list ACL_DMZ permit icmp host 192.168.0.10 10.1.1.0 255.255.255.0
access-list ACL_DMZ permit udp any any
access-list ACL_DMZ permit tcp any any
access-list ACL_DMZ permit tcp host 192.168.0.10 10.1.2.0 255.255.255.0 eq 8000
access-list ACL_DMZ permit icmp host 192.168.0.10 10.1.2.0 255.255.255.0
access-list ACL_DMZ deny ip host 65.84.81.240 any
access-group ACL_DMZ in interface dmz

Thank you for your assistance.

Accepted Solution

I'm assuming that 65.84.81.240 is the IP you want to block from hitting your mail server. The line above it is permitting it, so you will need to move this line:

access-list ACL_OUTSIDE deny ip host 65.84.81.240 any

above this line:

access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

To do that you will have to remove each and then add in the correct order. It would be best to do that in notepad and then copy-n-paste into the firewall.

For example:

no access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp
access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

This will remove then add the line to the bottom of the ACL.

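As an added illustration of why the deny entry at the bottom of the posted ACL never fires (a PIX access-list is evaluated top-down and the first matching entry decides), here is a small Python model of that evaluation; this is example code written for this page, not code from the question, the answer or Cisco. It uses only entries copied from the question, assumes the attacking host is 65.84.81.240 connecting to the mail filter at 192.168.0.10 on SMTP, and deliberately ignores which interface and direction the ACL is bound to (the question's ACL_DMZ is bound inbound on the dmz interface, while the answer reorders ACL_OUTSIDE).

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"smtp": 25, "domain": 53}   # service names used on this page
Rule = namedtuple("Rule", "action proto src dst port text")

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A SUBNETMASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in lines:
        t = line.split()
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append(Rule(t[2], t[3], src, dst, port, line))
    return rules

def first_match(rules, proto, src, dst, dport=None):
    """Top-down: the first matching entry decides; no match hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (r.proto in ("ip", proto) and src in r.src and dst in r.dst
                and r.port in (None, dport)):
            return r.action, i
    return "deny", None

# Entries from the question that decide the attacker's SMTP packet, in the
# order posted: the deny sits below 'permit tcp any any' and never fires.
POSTED = [
    "access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.203 eq smtp",
    "access-list ACL_DMZ permit udp any any",
    "access-list ACL_DMZ permit tcp any any",
    "access-list ACL_DMZ deny ip host 65.84.81.240 any",
]
# Same entries with the deny moved to the top, as the accepted answer advises.
REORDERED = [POSTED[3]] + POSTED[:3]

def verdict(lines):
    """(action, index of the matching entry) for the attacking host on SMTP."""
    return first_match(parse_acl(lines), "tcp", "65.84.81.240", "192.168.0.10", 25)
```

`verdict(POSTED)` returns `('permit', 2)` because `permit tcp any any` is reached first, while `verdict(REORDERED)` returns `('deny', 0)`.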