02-25-2003 11:02 AM - edited 02-20-2020 09:20 PM
Hello.
I have a question about the functionality of the access-list. I tried blocking some range of internet addresses with an ACL, but it doesn't work. I don't know if I am right about the syntax (I think I am); my ACL is the following:
access-list externa deny ip 213.248.112.0 255.255.255.0 any
then I applied to the outside interface with the command:
access-group externa in interface outside
but these addresses are still gaining access to my LAN.
What can I do?
thanks.
02-25-2003 11:27 AM
Something does not look right. Is that the entire ACL? There is an implicit deny at the end of all ACLs, so that ACL should block all traffic coming in since there are no permit statements.
02-25-2003 11:55 AM
Depending on your config, you may need to use local/remote -
access-list externa deny ip any 213.248.112.0 255.255.255.0
~rls
02-25-2003 12:18 PM
Is this the only ACL applied on your outside interface? ACLs are processed in the order in which they appear in your config.
So if you have a config that looks like this:
access-list externa permit ip 213.0.0.0 255.0.0.0 any
access-list externa deny ip 213.248.112.0 255.255.255.0 any
access-group externa in interface outside
The 2nd ACL will never be processed.
It is also a good practice to do a 'clear xlate' command after changing an ACL, but in this case it wouldn't be necessary.
Mike
02-25-2003 03:42 PM
If the traffic you're trying to block on the outside interface was initiated on an interface with higher security, inside for example, then denies in the outside ACL will have no effect. The PIX uses stateful inspection to determine what to let in. If the session started on the inside, it will always let it back in the other interfaces. To stop traffic of this type, deny the traffic with an ACL on the interface where the traffic started.
If the traffic isn't initiated on the inside, repost your ACL entries and access-group commands for further investigation.
02-25-2003 03:56 PM
I am new to Cisco, but if the network range you are trying to block is:
213.248.112.0
then shouldn't the netmask be:
0.0.0.255
Please do correct me if I am wrong.
02-25-2003 04:11 PM
That's incorrect. What you're referring to is a wildcard mask and not a subnet mask. The PIX uses subnet masks, while routers use wildcard masks like you stated.
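Two points in this thread are easy to check mechanically: Mike's note that ACL entries are evaluated top-down, so a broad permit ahead of a narrow deny makes the deny unreachable, and the last reply's point that the PIX takes a subnet mask where an IOS router takes a wildcard mask. The script below is an added example written for this thread, not code from any of the posters or from Cisco. It parses PIX-style access-list lines, evaluates them first-match with the implicit deny at the end, reports entries shadowed by an earlier one, and converts a wildcard mask into the subnet-mask form the PIX expects. The two ACL lines are the ones Mike quoted; the test addresses (10.0.0.1, 8.8.8.8 and so on) are constructed for the demonstration.

```python
import ipaddress

# Constructed sample ACL: the two-line shadowing case quoted in the thread.
PIX_ACL = [
    "access-list externa permit ip 213.0.0.0 255.0.0.0 any",
    "access-list externa deny ip 213.248.112.0 255.255.255.0 any",
]


def wildcard_to_netmask(wildcard):
    """Convert an IOS-style wildcard mask (0.0.0.255) to the PIX subnet-mask form (255.255.255.0)."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def _take_address(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK') and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX syntax: address followed by a subnet mask, not a wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix_entry(line):
    """Parse 'access-list NAME ACTION PROTO SRC [MASK] DST [MASK]' into a dict."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not a PIX access-list line: {line!r}")
    name, action, proto = tokens[1], tokens[2].lower(), tokens[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, rest = _take_address(tokens[4:])
    dst, rest = _take_address(rest)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(entries, src_ip, dst_ip, proto="ip"):
    """First-match evaluation with an implicit deny at the end, as the PIX does it.

    Returns (action, index); index is None when the implicit deny fired.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for index, e in enumerate(entries):
        proto_ok = e["proto"] == "ip" or e["proto"] == proto
        if proto_ok and src in e["src"] and dst in e["dst"]:
            return e["action"], index
    return "deny", None


def find_shadowed(entries):
    """Indices of entries that can never match because an earlier entry already covers them."""
    shadowed = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            proto_covered = earlier["proto"] == "ip" or earlier["proto"] == later["proto"]
            if (proto_covered
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    entries = [parse_pix_entry(line) for line in PIX_ACL]
    # The /24 deny sits behind the /8 permit, so a 213.248.112.x source is permitted.
    print("first match:", evaluate(entries, "213.248.112.5", "10.0.0.1"))
    print("shadowed entries:", find_shadowed(entries))
    print("0.0.0.255 as a PIX mask:", wildcard_to_netmask("0.0.0.255"))
```

Running `find_shadowed` over a configuration before applying it is the check a defender wants here: a deny that is shadowed by an earlier permit is indistinguishable from no deny at all, which is exactly the symptom the original poster describes.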