Blocking a subnet on PIX

Hi,

I need some help to set up an access-list to block a subnet. For example, let's say that I wanted to block the subnet 59.124.0.0 - 59.127.255.255. How can I set up an access-list to do something like this?

Thank you in advance

vreyesii Asked:
renill Commented:
What do you want to block in this?

access-list <name>  {deny/permit} {tcp/udp}  59.124.0.0  255.255.0.0 any {eq |neq} {port no}
access-list <name>  {deny/permit} {tcp/udp}  59.127.0.0  255.255.0.0 any {eq |neq} {port no}

access-group {ACL NAME} in interface outside

These are the basics for an ACL in PIX.

renill
vreyesii (Author) Commented:
I would like to block the entire subnet 59.127.0.0 and subnet 59.124.0.0?

Thank you
calvinetter Commented:
To block that range of IPs, use: 59.124.0.0 255.252.0.0
e.g.:
  access-list 105 deny ip 59.124.0.0 255.252.0.0 any  <- to block traffic from this range
  access-list 105 deny ip any 59.124.0.0 255.252.0.0  <- to block traffic sent to this range

cheers
vreyesii (Author) Commented:
When I enter this access-list into the PIX, I do not have to assign an access-group or apply it to the outside interface, correct?

Thank you
vreyesii (Author) Commented:
Because I currently have an access-group applied to the outside interface?

Thank you
calvinetter Commented:
My examples used "105" for the ACL ID, picked at random.  In your case, you'd use whatever ACL that's applied to the outside interface already.
  Let's say you had this in your config:
access-group inbound in interface outside

  To block that range of IPs above, you'd add some lines to your existing "inbound" ACL:
access-list inbound deny ip 59.124.0.0 255.252.0.0 any  <- to block traffic from this range

  And though usually changes take effect after adding or removing lines from an ACL, it's best to re-apply the ACL to the interface:
  access-group inbound in interface outside

cheers

vreyesii (Author) Commented:
Thank you, that's what I needed to know.
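
Added example, not part of any post in this thread: a Python sketch that turns an inclusive address range into PIX-style deny lines (network address plus subnet mask) and reports which addresses in the range a given set of ACL entries would leave unmatched. The ACL name `inbound` comes from the thread; the function names `pix_deny_lines` and `uncovered` are hypothetical.

```python
import ipaddress

def pix_deny_lines(acl, first, last):
    """Deny lines covering every address from first to last inclusive.

    PIX ACLs take a network address and a subnet mask, as in the thread's
    'access-list inbound deny ip 59.124.0.0 255.252.0.0 any'.
    A range that is not one aligned block yields several lines.
    """
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"access-list {acl} deny ip {b.network_address} {b.netmask} any"
            for b in blocks]

def uncovered(first, last, entries):
    """Sub-ranges of first..last that no (network, mask) entry matches."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    spans = sorted(
        (int(n.network_address), int(n.broadcast_address))
        for n in (ipaddress.IPv4Network(f"{a}/{m}") for a, m in entries))
    gaps, cur = [], lo
    for start, end in spans:
        if end < cur:
            continue              # entry lies entirely below the cursor
        if start > hi:
            break                 # entry lies entirely above the range
        if start > cur:
            gaps.append((cur, start - 1))
        cur = max(cur, end + 1)
    if cur <= hi:
        gaps.append((cur, hi))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in gaps]

if __name__ == "__main__":
    # Range from the question; it is exactly one /14 block.
    for line in pix_deny_lines("inbound", "59.124.0.0", "59.127.255.255"):
        print(line)
    # Two /16 entries (59.124.0.0 and 59.127.0.0) checked against that range.
    two_16s = [("59.124.0.0", "255.255.0.0"), ("59.127.0.0", "255.255.0.0")]
    print(uncovered("59.124.0.0", "59.127.255.255", two_16s))
```
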