Solved

Pix Firewall 506, blocking ip addresses

Posted on 2006-11-06
10
268 Views
Last Modified: 2013-11-16
Hello, I need to know how to block a list of public IP addresses in the PIX. I have searched and found references to blocking ranges of IP addresses, but had no luck on just one, or in my case about 10 outside addresses.

Basically, we are trying to block access to some sites like MySpace and such until we can get an ISA server up and going.

I know this is pretty simple, but I need an answer quickly, so I am offering lots of points.
I am looking for the CLI commands.

Thanks in advance

Chris.
Question by:chris_nt
10 Comments
 

Expert Comment

by:rolltide_bama
ID: 17886576
Have you tried just using regular ACLs on the outside interface?

        deny ip host x.x.x.x any

or (a port match needs a tcp or udp rule, not ip)

        deny tcp host x.x.x.x any eq 80

0
 

Author Comment

by:chris_nt
ID: 17886694
It seems I need a little more input. Here is what I did:

        access-list inside_out deny ip host 216.109.126.22 any
        access-group inside_out in interface inside

but when I did, it shut down all of the Internet.

0
 

Expert Comment

by:rolltide_bama
ID: 17890431
you need an implicit permit ip any any.... does that help at all?
0
 
LVL 3

Expert Comment

by:bugsaif
ID: 17904623
You have the right idea, but you are doing it the other way around. You want to block traffic originating from the inside going to the outside. Try this:

        access-list inside_out_blocked deny ip any host 216.109.126.22
        access-list inside_out_blocked permit ip any any

        access-group inside_out_blocked in interface inside

Be sure to remove the old access-list.
Saif
0
 

Author Comment

by:chris_nt
ID: 17907116
Thanks, I think that is what I need. I will see if it works this afternoon.
0
 

Author Comment

by:chris_nt
ID: 17917889
Well, that is getting close; that works for one IP address. Do I need to make a new access list for every IP, i.e. inside_out_blocked1, inside_out_blocked2... and so on for each IP address? Or is there a way to have a list of IPs in one access list? I need to block about 20 IP addresses.

Thanks.
0
 
LVL 3

Accepted Solution

by:
bugsaif earned 500 total points
ID: 17919912
For multiple IPs you can just use the same access-list, like so...

First do this. You need to remove this line from the access list, because ordering is important in access lists and this line permits access to all sites:

        no access-list inside_out_blocked permit ip any any

Then build your access-list with all the IPs you want to block:

        access-list inside_out_blocked deny ip any host 1.1.1.1
        access-list inside_out_blocked deny ip any host 2.2.2.2
        access-list inside_out_blocked deny ip any host 3.3.3.3
        access-list inside_out_blocked deny ip any host 4.4.4.4
        access-list inside_out_blocked permit ip any any

Then apply the access-list to your interface, but you have already done that, so you can skip this step:

        access-group inside_out_blocked in interface inside

Saif
0
 

Author Comment

by:chris_nt
ID: 17920194
That's pretty much what I figured out, but you are the man. For some reason my last post did not show up. One last question, though: do I need to undo (no) the

     access-list inside_out_blocked permit ip any any
     access-group inside_out_blocked in interface inside

then add the new IPs and redo them? Or do I just need to add the

     access-list inside_out_blocked deny ip any host ?.?.?.?

when I need to add a new IP?

thanks
0
 
LVL 3

Expert Comment

by:bugsaif
ID: 17920235
You'll just need to remove (no) the following line:

        access-list inside_out_blocked permit ip any any

then add whatever IPs you want to add to the access-list:

        access-list inside_out_blocked deny ip any host x.x.x.x

then just allow everything again:

        access-list inside_out_blocked permit ip any any

On the PIX everything happens in real time, so when you remove the 'permit ip any any' line from the access-list all outgoing access will be stopped until you put it back in, so keep that in mind. Thanks for the points... :)

Saif
0
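The whole thread turns on two PIX access-list rules: entries are evaluated top-down and the first match wins, and every list ends with an implicit deny. The following is an added example, not code from the thread or from Cisco. It is a small Python model of those semantics, fed with the three lists posted above (the author's deny-only list that cut off all Internet access, the accepted deny-then-permit list, and the same lines in the wrong order), plus a helper that emits the commands for adding hosts without removing the 'permit ip any any' line. The `line N` insertion syntax is assumed to be available (it is PIX OS 6.3 syntax; the thread does not state the software version), and the sample client and destination addresses are constructed.

```python
"""First-match ACL model for a Cisco PIX, with a no-outage add helper.

Added example, not from the original thread. Models top-down first-match
evaluation with the implicit deny at the end of every access-list, so the
lists posted in the thread can be compared directly.
"""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def parse_acl_line(line):
    """Parse 'access-list NAME {permit|deny} ip SRC DST' into a rule tuple.

    Only 'ip' rules with 'any' or 'host X' endpoints are modelled, which is
    all the thread uses. Returns (name, action, src_net, dst_net).
    """
    tokens = line.split()
    name, action = tokens[1], tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError("bad action in: " + line)
    if tokens[3] != "ip":
        raise ValueError("only ip rules are modelled: " + line)
    rest = tokens[4:]
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ANY)
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            raise ValueError("unsupported endpoint: " + rest[0])
    src, dst = nets
    return name, action, src, dst


def evaluate(acl_lines, src, dst):
    """Return 'permit' or 'deny' for a packet src->dst.

    First matching entry wins; if nothing matches, the PIX's implicit deny
    at the end of the list applies.
    """
    s, d = ip_address(src), ip_address(dst)
    for line in acl_lines:
        _, action, src_net, dst_net = parse_acl_line(line)
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny: no entry matched


# The author's first attempt (taken from the thread): a single deny and no
# permit, so the implicit deny drops every packet arriving on 'inside'.
DENY_ONLY = [
    "access-list inside_out deny ip host 216.109.126.22 any",
]

# The accepted solution's shape: specific denies first, catch-all permit last.
BLOCK_LIST = [
    "access-list inside_out_blocked deny ip any host 216.109.126.22",
    "access-list inside_out_blocked deny ip any host 1.1.1.1",
    "access-list inside_out_blocked permit ip any any",
]

# Same entries with the permit first: it matches everything, so the denies
# below it are never reached and nothing is blocked.
WRONG_ORDER = [BLOCK_LIST[-1]] + BLOCK_LIST[:-1]


def add_blocked_hosts(acl_name, hosts):
    """Commands that insert new denies at the top of an existing list.

    Inserting at 'line 1' keeps the 'permit ip any any' in place, so there
    is no window in which all outbound traffic is dropped. Assumes PIX 6.3
    'line' syntax; on older images the permit must be removed and re-added
    as the thread describes. Relative order among the denies is irrelevant.
    """
    return ["access-list %s line 1 deny ip any host %s" % (acl_name, host)
            for host in hosts]


if __name__ == "__main__":
    client = "192.168.1.10"            # constructed inside host
    for name, acl in (("DENY_ONLY", DENY_ONLY), ("BLOCK_LIST", BLOCK_LIST),
                      ("WRONG_ORDER", WRONG_ORDER)):
        for dst in ("216.109.126.22", "198.51.100.7"):  # blocked, unrelated
            print(name, client, "->", dst, evaluate(acl, client, dst))
    print("\n".join(add_blocked_hosts("inside_out_blocked", ["2.2.2.2"])))
```

Two further points a practitioner would check before relying on this. First, on PIX 6.2 and later a list of hosts can be kept in one `object-group network` (one `network-object host x.x.x.x` per address) and referenced from a single deny entry, which avoids a 20-entry list altogether. Second, blocking a web site by destination address is fragile: large sites answer from many addresses that change without notice, so the list needs periodic review, and the thread's own plan to move to a proxy (ISA) is the more durable control.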
 

Author Comment

by:chris_nt
ID: 17921847
That's exactly what I needed to know, thanks. I hope this thread will be of help to other people.
0
