• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 445
  • Last Modified:

block a single IP or a range of IPs on PIX

I want to block a specific host from reaching my dmz subnet.

In the example the host is 182.135.34.250 and the IP of the dmz subnet is 198.128.181.0/24

These lines don't work.

access-list outside deny ip host 182.135.34.250 host 198.128.181.226
access-list outside deny ip host 182.135.34.250 198.128.181.0 255.255.255.0

What am I doing wrong?
0
nummagumma2
Asked:
nummagumma2
3 Solutions
 
batry_boyCommented:
As long as the translated public IP address of the DMZ subnet is 198.128.181.xxx then it should work as long as it's applied to the outside interface.  What do your statics and access-group statements look like?
0
 
lrmooreCommented:
They should work fine. Can you post result of "show access-list". Look for increase # in (Hitcount= xxx)
Do you have any permit statements above it? i.e.
 access-list outside permit tcp any host 198.128.181.226 eq www
 access-list outside deny ip host 182.135.34.250 host 198.128.181.226

The permit will allow the packet and will never hit the deny.
0
 
Alan Huseyin KayahanCommented:
make sure you tagged this acl group to interface by typing
access-group outside in interface dmz
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now