SamK04
asked on
Block 58.60.237.66 ip with Cisco 515e PDM
My network - WinNT network, Cisco 3600 router, Cisco PIX 515e with PDM v.2.1
File/Exchange server (NT4), Webserver (W2k), Antivirus server (W2k) in about 30 user network.
Sirs, I have been getting hits on my webserver from this address (58.60.237.66) steadily over the past day or so and I want to block it with my 515 Pix Device Manager. I see an Add Rules tab with fields for the source ip (them) and dest ip (me), would they be a class A address with subnet mask of 255.0.0.0? Also, will I want a separate rule for all protocol options listed (tcp, udp, ip, icmp) or can I leave it at any?
Any and all advice is appreciated, I would rather use this than trying to tear into the config manually. I know it's an easy question but worth the points if I can fix it quick. Thanks,
Sam
cool.
Cheers,
Rajesh
ASKER
Logs look ok, thanks again. Should I consider any additions to my router ACLs about this ip? Or could (should) I have done it there in the first place?
You can also create a network object-group that you can add/subtract individual hosts and networks into, then just have a single access-list entry. When you make changes, just add/delete from the group.
Configuration | Hosts/Networks
Outside Interface
Add host 58.60.237.66 / 255.255.255.255
Add Group Name: BADBAD
Select the host in the Members not in group and Add> to group
OK
Apply
Access Rules
Add a rule
Action Deny
Source Host/network *Group
Interface: outside
Group: BADBAD
OK
Apply
Done. Now just add/remove hosts to the group in the Hosts/Network tab when you want to block them.
>with PDM v.2.1
Highly suggest upgrading that to PIX 6.3(5) and PDM 3.04
PDM just keeps getting better. World of difference between 2.x and 3.x
Since it is a 515, you could upgrade all the way to latest 7.2x with new ASDM GUI. It really is slick with lots of new features, like a simple checkmark to toggle access-list rules enabled/disabled without having to completely delete any acl entry.
This is what the object-group config looks like:
object-group network BADBAD
network-object 58.60.237.66 255.255.255.255
access-list outside_access_in deny ip object-group BADBAD any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside
Just make sure this block acl entry is at the top of the inbound acl list.
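As an added illustration (not part of the thread and not a Cisco tool), here is a small Python script that parses the object-group, access-list and access-group lines above and evaluates the inbound ACL the way the PIX does, first match wins, so you can confirm the BADBAD deny is not shadowed by a permit placed above it. The address 203.0.113.10 is an assumed stand-in for the webserver's public IP.

```python
import ipaddress

# Constructed sample: the thread's object-group and inbound ACL, deny entry first as
# recommended; 203.0.113.10 is an assumed stand-in for the webserver's public address.
GOOD_CONFIG = """\
object-group network BADBAD
 network-object 58.60.237.66 255.255.255.255
access-list outside_access_in deny ip object-group BADBAD any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 203.0.113.10 eq www
access-group outside_access_in in interface outside
"""
# Same entries with the deny pushed below the permits: the ordering trap.
_L = GOOD_CONFIG.splitlines()
BAD_CONFIG = "\n".join(_L[:2] + _L[3:5] + [_L[2]] + _L[5:])

def parse(config):
    """Collect network object-groups, ACL entries in order and access-group bindings."""
    groups, acls, bindings, current = {}, {}, {}, None
    for toks in (line.split() for line in config.splitlines()):
        if toks[:2] == ["object-group", "network"]:
            current = groups[toks[2]] = []
        elif toks[:1] == ["network-object"] and current is not None:
            current.append(ipaddress.ip_network(toks[2] if toks[1] == "host" else f"{toks[1]}/{toks[2]}"))
        elif toks[:1] == ["access-list"]:
            # name, action, protocol, then the source/destination tokens
            acls.setdefault(toks[1], []).append((toks[2], toks[3], toks[4:]))
        elif toks[:1] == ["access-group"]:
            bindings[(toks[4], toks[2])] = toks[1]  # (interface, direction) -> ACL name
    return groups, acls, bindings

def src_networks(src, groups):
    """Networks covered by an entry's source field: any / host X / object-group G / addr mask."""
    if src[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if src[0] == "host":
        return [ipaddress.ip_network(src[1])]
    if src[0] == "object-group":
        return groups[src[1]]
    return [ipaddress.ip_network(f"{src[0]}/{src[1]}", strict=False)]

def first_match(config, interface, src_ip, proto):
    """First-match walk of the ACL bound inbound on `interface`; implicit deny if nothing matches."""
    groups, acls, bindings = parse(config)
    ip = ipaddress.ip_address(src_ip)
    for action, entry_proto, rest in acls.get(bindings.get((interface, "in")), []):
        if entry_proto in ("ip", proto) and any(ip in n for n in src_networks(rest, groups)):
            return action
    return "deny"
```

With the deny at the top, 58.60.237.66 is dropped for every protocol; with the deny below the web permit, its TCP traffic to the webserver is still allowed, which is exactly the misordering the "top of the inbound acl" advice guards against.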
thnx.
Cheers,
Rajesh
ASKER
Will double check logs tomorrow and close question with points to you. Thanks.