Pix 501 access-list

Posted on 2006-11-08
Last Modified: 2013-11-16
I have the following networks.

HQ =
Outside = -

I need to create an access list that will prevent the range - from talking to any of those networks.

I started off with this ( access-list 125 deny tcp host )

can someone help me out with this one.
Question by:learn2earn
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Expert Comment

ID: 17905984
I'm willing to help, but I need a bit more info on this, can you post your config here?

If not, I think I understand that you wanna restrict the range - that is on the outside interface to talk to anything on the pix, or behind it, no?

so -
                        Pix Outside
                         |              |
                         Pix Inside

And you want people from the outside to be denied if they try to reach, but only if they're in the range -

If I'm right, you only need a line like this:

access-list 125 deny ip
access-group 125 in interface outside

Unlike the cisco routers with IOS, the netmasks are not inversed, so the spelling is important.
LVL 32

Accepted Solution

rsivanandan earned 125 total points
ID: 17906250
A slight modification to the above. After making the access-list none of your outside machines will be able to communicate since the first line denies the machines you wanted and it also denies everything else by the implicit deny statement. So after the first line, add 'permit' for all the networks you want.

access-list 125 deny ip
access-list 125 permit ip
access-list 125 permit ip
access-list 125 permit ip
.... etc...


Expert Comment

ID: 17906451
true, forgot about that, since I usually deny everything from the outside.

Anyways, an easier way would be to deny, like I said, but if everything else should be allowed (since I don't see much reason to block only this segment, and not the rest) a line like

access-list 125 permit ip any any

would work.

Depending on what is really wanted, my answer will change though.

Author Comment

ID: 17908719
HQ= /16
Outside = - /24
                     ______________       ______________                                         _____________
 MPLS cloud --|2800 router    |  ---  | 4506 switch    |--inside-- --  |  Pix 501          |--outside (Internet) DSL
                     ______________       ______________                                         _____________
This is allowed to talk to     | - |

My company is renting space to a client.  The client is assigned the - 255 range.  We do not want his traffic to talk to ours.
So he bought a pix to seperate his traffic from ours. He has his own DSL line for internet.  I would like to still be able to talk to his network for
trouble shooting purposes.

So would this access list work but on my INSIDE interface ( access-list 125 deny ip )
                                                                                   ( access-group 125 in interface inside )

Keep in mind that I still need to connect to him for trouble shooting coming from any address in my network.

Author Comment

ID: 17908743
By the way - is connected to the Cisco 4506 switch.

Featured Post

Windows running painfully slow? Try these tips..

Stay away from Speed Up Computer Programs that do more harm than good.
Try these tips instead.
Step by step instructions in trouble shooting Windows Performance issues.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question