problem with acl

davisdev
Level 1

Hello.

I have a question about the functionality of the access-list. I tried to block some range of internet addresses with an ACL, but it doesn't work. I don't know if I am right about the syntax (I think I am); my ACL is the following:

access-list externa deny ip 213.248.112.0 255.255.255.0 any

then I applied to the outside interface with the command:

access-group externa in interface outside

but these addresses are still gaining access to my LAN.

What can I do?

thanks.

6 Replies

wolfrikk
Level 3

Something does not look right. Is that the entire ACL? There is an implicit deny at the end of all ACLs, so that ACL should block all traffic coming in since there are no permit statements.

Depending on your config, you may need to use local/remote -

access-list externa deny ip any 213.248.112.0 255.255.255.0

~rls

mpalardy
Level 3

Is this the only ACL applied on your outside interface? ACLs are processed in the order in which they appear in your config.

So if you have a config that looks like this:

access-list externa permit ip 213.0.0.0 255.0.0.0 any

access-list externa deny ip 213.248.112.0 255.255.255.0 any

access-group externa in interface outside

The 2nd ACL will never be processed.

It is also good practice to do a 'clear xlate' command after changing an ACL, but in this case it wouldn't be necessary.

Mike

shannong
Level 4

If the traffic you're trying to block on the outside interface was initiated on an interface with higher security, inside for example, then denies in the outside ACL will have no effect. The PIX uses stateful inspection to determine what to let in. If the session started on the inside, it will always let it back in on the other interfaces. To stop traffic of this type, deny the traffic with an ACL on the interface where the traffic started.

If the traffic isn't initiated on the inside, repost your ACL entries and access-group commands for further investigation.

vikrantarora
Level 1

I am new to Cisco, but if the network range you are trying to block is:

213.248.112.0

then shouldn't the netmask be:

0.0.0.255

Please do correct me if I am wrong.

That's incorrect. What you're referring to is a wildcard mask and not a subnet mask. The PIX uses subnet masks while routers use wildcard masks like you stated.
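The three points made in the replies above (first-match processing with an implicit deny at the end, an earlier broad permit shadowing a later deny, and the PIX taking subnet masks rather than IOS wildcard masks) can be checked offline with a small evaluator. The script below is an added example and not code from the thread or from Cisco; it models only plain "ip" entries with "any" or address/mask pairs, and the sample configs and test addresses (10.0.0.5, 198.51.100.7) are constructed for illustration. It lets you verify, before touching the firewall, whether a given source/destination pair would be permitted, and which entries can never match.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# The ACL as the original poster described it: a lone deny, no permits.
CONFIG_AS_POSTED = [
    "access-list externa deny ip 213.248.112.0 255.255.255.0 any",
    "access-group externa in interface outside",
]

# Mike's example: a broad permit placed before the deny (constructed from the reply).
CONFIG_SHADOWED = [
    "access-list externa permit ip 213.0.0.0 255.0.0.0 any",
    "access-list externa deny ip 213.248.112.0 255.255.255.0 any",
    "access-group externa in interface outside",
]

# Same entries with the specific deny first, so it is reached.
CONFIG_REORDERED = [
    "access-list externa deny ip 213.248.112.0 255.255.255.0 any",
    "access-list externa permit ip 213.0.0.0 255.0.0.0 any",
    "access-group externa in interface outside",
]


def pix_network(addr, mask):
    """PIX/ASA entries carry a subnet mask (255.255.255.0); 'any' means all addresses."""
    if addr == "any":
        return ANY
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def wildcard_to_subnet(wildcard):
    """Convert an IOS wildcard mask (0.0.0.255) to the subnet mask a PIX expects (255.255.255.0)."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def _take_net(tokens, i):
    """Consume one address specification starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    return pix_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config_lines):
    """Parse 'access-list NAME permit|deny ip SRC MASK DST MASK' lines in config order."""
    acls = {}
    for raw in config_lines:
        tokens = raw.split()
        # Only plain 'ip' entries are modelled; access-group and other lines are skipped.
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        name, action = tokens[1], tokens[2]
        src, i = _take_net(tokens, 4)
        dst, _ = _take_net(tokens, i)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation. Returns (action, index); index is None for the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for idx, (action, src_net, dst_net) in enumerate(entries):
        if s in src_net and d in dst_net:
            return action, idx
    return "deny", None


def shadowed_entries(entries):
    """Indices of entries that can never match because an earlier entry fully covers them."""
    out = []
    for j, (_, sj, dj) in enumerate(entries):
        for _, si, di in entries[:j]:
            if sj.subnet_of(si) and dj.subnet_of(di):
                out.append(j)
                break
    return out


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("shadowed", CONFIG_SHADOWED),
                       ("reordered", CONFIG_REORDERED)):
        entries = parse_acl(cfg)["externa"]
        print(label, evaluate(entries, "213.248.112.10", "10.0.0.5"),
              "shadowed:", shadowed_entries(entries))
```

With the ACL as posted, every outside source hits either the explicit deny or the implicit deny, which is why wolfrikk expects it to block everything inbound; if hosts from that range still reach the LAN, the session is being allowed by state from the inside, as shannong describes, rather than by this ACL. In the shadowed config the evaluator reports entry 1 as unreachable, and reordering fixes it.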