
Block Outside IP

Status
Not open for further replies.

thawk10

IS-IT--Management
May 28, 2003
30
US
I am somewhat of a newbie. I have an outside ip pounding our PIX firewall trying to get into our email servers. I need to block the ip from going through our PIX515e.

I believe it would be best to use a "deny" using an access-list but I can't seem to get the command correct. Any help or suggestions would be appreciated.
 
access-list <name> deny ip host <address> any

Substitute the name of your inbound acl and the offending IP address. Naturally, this goes before any "permit" statements.
 
You can also configure your access-list from the web interface (PDM). That may be easier if you are new to the PIX. If you don't have PDM access set up, here are the commands to set it up:

conf t
http server enable
http 192.168.1.0 255.255.255.0 inside (address range you want to allow access to the web interface)

After that is set up, you will enter into your web browser.

The username is <blank>; the password is the enable password.
 
I have put in the entry, but it isn't working since it is after the "permit" entries.

How would I go about putting the new ACL entry before any "permit" ACLs?
 
You have to blow away the old access list and put the new one in with the statements in the order you want them. The best way to do this is to give the new acl another number, then apply that acl to the interface, then remove the old acl.
 
Just a heads up--saves a lot of headaches--with the PIX, I think it started in 6.3x, you can insert access-list statements by line number...that way you don't have to blow it out and re-do it. I just wish they'd do that in the routers!

Example:

access-list ACLName line 20 permit tcp any host x.x.x.x eq 80

If you do a show access-list ACLName it will show the line numbers and then you can decide where to insert.

What's ADD again?
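The two replies above (rebuild the ACL in the right order, or insert by line number) both come down to the PIX evaluating an access list top-down and stopping at the first match. The following is an added example written for this thread, not code from the original posts or from Cisco: a small Python model of that first-match behaviour that parses a handful of `access-list` statements in PIX syntax, honours `line N` insertion, and evaluates a packet the way the firewall would. The ACL name `outside_in`, the "attacker" 192.0.2.10, the mail server 198.51.100.25 and the third host 203.0.113.7 are constructed TEST-NET values, not addresses from the thread.

```python
"""
Added example: a minimal first-match model of PIX-style access lists.
It shows why a 'deny' placed after a matching 'permit' never fires,
and how 'access-list NAME line N ...' puts the deny in front.
All addresses and the ACL name are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(stmt):
    """Parse 'access-list NAME [line N] ACTION PROTO SRC DST [eq PORT]'.
    Returns (name, line_or_None, Ace)."""
    t = stmt.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list statement: " + stmt)
    name, i, line = t[1], 2, None
    if t[i] == "line":
        line, i = int(t[i + 1]), i + 2
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return name, line, Ace(action, proto, src, dst, dport)


class AccessList:
    def __init__(self, name):
        self.name = name
        self.aces = []

    def add(self, stmt):
        name, line, ace = parse_ace(stmt)
        if name != self.name:
            raise ValueError(f"statement is for ACL {name}, not {self.name}")
        if line is None:
            self.aces.append(ace)            # no line number: appended at the end
        else:
            self.aces.insert(line - 1, ace)  # 'line N' goes in front of current entry N

    def show(self):
        """Numbered listing, in the spirit of 'show access-list NAME'."""
        return [f"line {n} {a.action} {a.proto} {a.src} {a.dst}"
                + (f" eq {a.dport}" if a.dport is not None else "")
                for n, a in enumerate(self.aces, 1)]

    def evaluate(self, proto, src, dst, dport=None):
        """Top-down, first match wins; implicit deny at the end like the PIX."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, ace in enumerate(self.aces, 1):
            if ace.proto != "ip" and ace.proto != proto:
                continue
            if s not in ace.src or d not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return ace.action, n
        return "deny", None


def demo():
    """Returns the verdict for the attacker before and after the line-1 insert,
    plus the verdict for an unrelated host, each as (action, matching line)."""
    acl = AccessList("outside_in")
    acl.add("access-list outside_in permit tcp any host 198.51.100.25 eq 25")
    # Deny appended after the permit: SMTP from the attacker still matches line 1.
    acl.add("access-list outside_in deny ip host 192.0.2.10 any")
    before = acl.evaluate("tcp", "192.0.2.10", "198.51.100.25", 25)
    # Insert the deny at line 1 so it is evaluated before the permit.
    acl.add("access-list outside_in line 1 deny ip host 192.0.2.10 any")
    after = acl.evaluate("tcp", "192.0.2.10", "198.51.100.25", 25)
    other = acl.evaluate("tcp", "203.0.113.7", "198.51.100.25", 25)
    return before, after, other


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(("permit", 1), ("deny", 1), ("permit", 2))`: the appended deny is shadowed by the permit, the `line 1` insert blocks the attacker, and a different source host still reaches the mail server through what is now line 2. `show()` gives the numbered listing you would consult before picking the line number to insert at.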
 
You're right. I forgot I was in the PIX forum. ;o(
 
A temporary (until the next reboot of the PIX) option
would be to "shun" the offending address.

shun <address>

This is done from the enable prompt.
 