Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PiX IP Blocking help please

Status
Not open for further replies.
SgtZim

SgtZim

MIS
Dec 2, 2002
18
US
I have a Pix that is setup and working good in all aspects, but Ive run into a problem. Another company somewhere has a compromised server that is trying repeatedly to deliver a very large email through my pix to my email server. The other company is working on killing this but I thought I should be able to just block that IP in my firewall temporarily with the access-list to stop the bleeding while they figure out what to do. What I put in was:

access-list acl_outside deny ip 216.37.x.x 255.255.255.255 host 66.162.xx.xx

but this doesnt seem to be working. I also noticed that this deny showed up at the very bottom of my acl list in the router.

access-list acl_outside permit tcp any host 66.162.x.x eq access-list acl_outside permit tcp any host 66.162.x.x eq 443 (hitcnt=18805)
access-list acl_outside permit tcp any host 66.162.x.x eq smtp (hitcnt=20188)
access-list acl_outside permit tcp any host 66.162.x.x eq 143 (hitcnt=3091)
access-list acl_outside permit tcp any host 66.162.x.x eq pop3 (hitcnt=883)
access-list acl_outside permit tcp any host 66.162.x.x eq 4899 (hitcnt=88)
access-list acl_outside permit tcp any host 66.162.x.x eq 8989 (hitcnt=92634)
access-list acl_outside permit tcp any host 66.162.x.x eq 8989 (hitcnt=95)
access-list acl_outside deny tcp host 216.37.x.x host 66.162.x.x (hitcnt=0)
access-list acl_outside deny ip host 216.37.x.x host 66.162.x.x (hitcnt=0)

Even with this config in, the offending server is still making connections. What am I missing?

Thanks
 
Sort by date Sort by votes
SgtZim,

The problem is that Access lists are sequential, so the first line that it finds that matchs that packet it executes. Therefore, what is happeneing is it is hitting the line:
access-list acl_outside permit tcp any host 66.162.x.x eq pop3 (hitcnt=883)

before it hits:
access-list acl_outside deny ip host 216.37.x.x host 66.162.x.x (hitcnt=0)

If you add the last line to the top of the ACL then it will filter out the packet before it reads the other ACL line and it will deny it. Hope this helps...

Let me know...

Burke
 
Upvote 0 Downvote
How do I add a new acl to the top of the list without removing all of them?
 
Upvote 0 Downvote
Unfortunetly you will need to delete all of them for a moment and then add them all back in. Lucky for the IT world that there is Notepad. It should only take a few seconds to delete it,rearrange it, and re-apply it. Not a large security hole...

Let me know if this helps...

Burke
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Jared R
  • Locked
  • Question
Cisco UC320W Paging Help
Replies
0
Views
206
Jared R
Jared R
WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat 1
Replies
1
Views
153
BIS
BIS
bfordz
  • Locked
  • Question
new help on setting up third party VoIP phones through Catalyst 2960x switch
Replies
0
Views
103
bfordz
bfordz
DigiByte34
  • Locked
  • Question
Need Help Cisco AAA to any RADIUS Software
Replies
9
Views
205
DigiByte34
DigiByte34
Delta5
  • Locked
  • Question
Cisco setting for automatic ip arp cache refresh
Replies
3
Views
321
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top