chris_nt
asked on
Pix Firewall 506, blocking ip addresses
Hello, I need to know how to block a list of public ip addresses in the pix, I have searched and found references to blocking ranges of ip address, but had no luck on just one, or in my case about 10 outside addresses.
Basically, we are trying to block access to some sites like myspace and stuff until we can get an ISA server up and going.
I know this is pretty simple, but I need an answer quick so I am offering lots of points.
I am looking for the CLI commands.
Thanks in advance
Chris.
ASKER
seems I need a little more input, here is what I did
access-list inside_out deny ip host 216.109.126.22 any
access-group inside_out in interface inside
but when I did it shut down all of the internet
you need an implicit permit ip any any.... does that help at all?
You have the right idea but are doing it the other way around... You want to block traffic originating from the inside going to the outside. Try this...
access-list inside_out_blocked deny ip any host 216.109.126.22
access-list inside_out_blocked permit ip any any
access-group inside_out_blocked in interface inside
be sure to remove the old access-list
Saif
ASKER
Thanks I think that is what I need, I will see if it will work this afternoon.
ASKER
Well that is getting close, that works for one ip address, do I need to make a new access list for every ip? ie inside_out_blocked1, inside_out_blocked2.... and so on for each IP address? or is there a way to have a list for one access list. I need to block about 20 ip addresses
Thanks.
ASKER CERTIFIED SOLUTION
ASKER
That's what I pretty much figured out, but you are the man; for some reason my last post did not show up. One last question though: do I need to undo (no) the
access-list inside_out_blocked permit ip any any
access-group inside_out_blocked in interface inside
then add the new IPs and redo it? Or do I just need to add the
access-list inside_out_blocked deny ip any host ?.?.?.?
when I need to add a new IP?
Thanks
you'll just need to remove (no) the following line...
access-list inside_out_blocked permit ip any any
then add whatever IPs you want to add to the access-list
access-list inside_out_blocked deny ip any host x.x.x.x
then just allow everything again...
access-list inside_out_blocked permit ip any any
On the PIX everything happens in real time... so when you remove the 'permit ip any any' line from the access-list, all outgoing access will be stopped until you put it back in... so keep that in mind. Thanks for the points... :)
Saif
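An added illustration (not part of the thread, and not a Cisco tool) of why the answers above work: a small first-match evaluator for the `ip`-only ACL lines used in this thread, with the implicit deny at the end. It reproduces the three situations discussed: the first ACL killing all Internet access, the corrected ACL, and a deny line appended after `permit ip any any` being shadowed, which is why the permit line has to be removed and re-added. The inside host 192.168.1.10 and the addresses 93.184.216.34 and 198.51.100.7 are constructed sample values.

```python
from ipaddress import ip_address, ip_network

def parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1]), tokens[2:]      # single /32 host
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip SRC DST' into (action, src, dst)."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = parse_addr(t[4:])
    dst, _ = parse_addr(rest)
    return t[2], src, dst

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny.
    Returns (action, index of the matching entry or None for the implicit deny)."""
    s, d = ip_address(src), ip_address(dst)
    for i, line in enumerate(acl):
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return action, i
    return "deny", None

INSIDE_HOST = "192.168.1.10"          # constructed inside client
BLOCKED = "216.109.126.22"            # host from the thread
OTHER_SITE = "93.184.216.34"          # constructed, any other site
NEW_BLOCK = "198.51.100.7"            # constructed stand-in for x.x.x.x

# The asker's first attempt: source is the outside host, so nothing matches
# inbound on 'inside' and the implicit deny drops every packet.
FIRST_TRY = ["access-list inside_out deny ip host 216.109.126.22 any"]
# Saif's corrected list: deny the destination, then explicitly permit the rest.
CORRECTED = ["access-list inside_out_blocked deny ip any host 216.109.126.22",
             "access-list inside_out_blocked permit ip any any"]
# A deny appended after the permit is never reached (first match wins).
APPENDED = CORRECTED + ["access-list inside_out_blocked deny ip any host 198.51.100.7"]
# Permit removed, denies added, permit re-added: the new deny now takes effect.
REBUILT = [CORRECTED[0], APPENDED[2], CORRECTED[1]]

def demo():
    return {"first_try_other": evaluate(FIRST_TRY, INSIDE_HOST, OTHER_SITE),
            "corrected_blocked": evaluate(CORRECTED, INSIDE_HOST, BLOCKED),
            "corrected_other": evaluate(CORRECTED, INSIDE_HOST, OTHER_SITE),
            "appended_new": evaluate(APPENDED, INSIDE_HOST, NEW_BLOCK),
            "rebuilt_new": evaluate(REBUILT, INSIDE_HOST, NEW_BLOCK)}
```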
ASKER
That's exactly what I needed to know, thanks. I hope this thread will be of help to other people.
deny ip host x.x.x.x any ?
or
deny ip host x.x.x.x any eq 80?