• Status: Solved

Blocking a subnet on PIX

Hi,

       I need some help setting up an access-list to block a subnet. For example, let's say that I wanted to block the subnet 59.124.0.0 - 59.127.255.255. How can I set up an access-list to do something like this?


                                      Thank You in Advance

       
0
vreyesii
 
renill Commented:
What do you want to block in this?

access-list <name>  {deny/permit} {tcp/udp}  59.124.0.0  255.255.0.0 any {eq |neq} {port no}
access-list <name>  {deny/permit} {tcp/udp}  59.127.0.0  255.255.0.0 any {eq |neq} {port no}

access-group {ACL NAME} in interface outside

This is the basics for an ACL in PIX.

renill
0
 
vreyesii (Author) Commented:
I would like to block the entire subnet 59.127.0.0 and subnet 59.124.0.0?

                               Thank You
0
 
calvinetter Commented:
To block that range of IPs, use: 59.124.0.0 255.252.0.0
eg:
  access-list 105 deny ip 59.124.0.0 255.252.0.0 any  <- to block traffic from this range
  access-list 105 deny ip any 59.124.0.0 255.252.0.0  <- to block traffic sent to this range

cheers
0
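The range-to-mask step in the answer above, as an added example that is not part of the original thread: it derives the CIDR blocks that exactly cover an address range, renders them as PIX-style deny lines (subnet mask, not wildcard mask), and reports any part of the range that a given set of network/mask entries leaves uncovered. The function names are hypothetical, and the ACL name is whatever is already applied to the interface.

```python
import ipaddress


def range_to_networks(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def pix_deny_lines(acl_name, first, last):
    """One 'deny ip <network> <subnet mask> any' line per covering block."""
    return [f"access-list {acl_name} deny ip {n.network_address} {n.netmask} any"
            for n in range_to_networks(first, last)]


def uncovered(first, last, entries):
    """Blocks inside first..last that the (network, mask) entries do not match."""
    remaining = range_to_networks(first, last)
    for net, mask in entries:
        block = ipaddress.IPv4Network(f"{net}/{mask}")
        kept = []
        for r in remaining:
            if r.subnet_of(block):
                continue                      # fully matched by this entry
            if block.subnet_of(r):
                kept.extend(r.address_exclude(block))  # keep the unmatched part
            else:
                kept.append(r)                # CIDR blocks nest or are disjoint
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    # Range taken from the question; the two /16 entries are constructed input.
    for line in pix_deny_lines("inbound", "59.124.0.0", "59.127.255.255"):
        print(line)
    gaps = uncovered("59.124.0.0", "59.127.255.255",
                     [("59.124.0.0", "255.255.0.0"), ("59.127.0.0", "255.255.0.0")])
    print("not covered by two /16 entries:", [str(g) for g in gaps])
```

A range that does not fall on a single mask boundary yields more than one line, one per covering block.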
 
vreyesii (Author) Commented:
When I enter this access-list into the PIX, I do not have to assign an access-group or apply it to the outside interface, correct?

                                     Thank You
0
 
vreyesii (Author) Commented:
Because I currently have an access-group applied to the outside interface?

                                     Thank You
0
 
calvinetter Commented:
My examples used "105" for the ACL ID, picked at random.  In your case, you'd use whatever ACL that's applied to the outside interface already.
  Let's say you had this in your config:
access-group inbound in interface outside

  To block that range of IPs above, you'd add some lines to your existing "inbound" ACL:
access-list inbound deny ip 59.124.0.0 255.252.0.0 any  <- to block traffic from this range

  And though usually changes take effect after adding or removing lines from an ACL, it's best to re-apply the ACL to the interface:
  access-group inbound in interface outside

cheers

0
 
vreyesii (Author) Commented:
Thank you, that's what I needed to know.
0
