Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

block a single IP or a range of IPs on PIX

Posted on 2007-03-26
5
Medium Priority
?
443 Views
Last Modified: 2010-04-12
I want to block a specific host from reaching my dmz subnet.

In the example the host is 182.135.34.250 and the IP of the dmz subnet is 198.128.181.0/24

These lines don't work.

access-list outside deny ip host 182.135.34.250 host 198.128.181.226
access-list outside deny ip host 182.135.34.250 198.128.181.0 255.255.255.0

What am I doing wrong?
0
Comment
Question by:nummagumma2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 672 total points
ID: 18796493
As long as the translated public IP address of the DMZ subnet is 198.128.181.xxx then it should work as long as it's applied to the outside interface.  What do your statics and access-group statements look like?
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 664 total points
ID: 18800102
They should work fine. Can you post result of "show access-list". Look for increase # in (Hitcount= xxx)
Do you have any permit statements above it? i.e.
 access-list outside permit tcp any host 198.128.181.226 eq www
 access-list outside deny ip host 182.135.34.250 host 198.128.181.226

The permit will allow the packet and will never hit the deny.
0
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 664 total points
ID: 18800994
make sure you tagged this acl group to interface by typing
access-group outside in interface dmz
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question