
block ip cisco asa

I am quite a bit rusty on my Cisco chops right now. What is the command to block a single IP from getting into our network?
e.g. I want to block 67.159.60.22/29
Can I block the entire subnet with an access list? Do I just block the single IP I see hitting us so much? What exactly are the commands past conf t?
Would 'access-list 105 extended deny ip 67.159.0.0 255.255.255.248 any' work?
Do I need to apply it to eth0?
Sorry, it's been a long while.
Asked by: -pH
1 Solution
 
theoaks commented:
enable
conf t
access-list <ACLNUMBER> deny ip 67.159.60.22 255.255.255.248 any
int e0
ip access-group <ACLNUM> in
write mem
 
debuggerau commented:
Very good.
There should be an access-group assigned to that interface, like:
access-group 105 in interface outside

Then make an object group for those hosts:
object-group network nastyhost
 network-object 67.159.60.22 255.255.255.224

So the access list would be:
access-list 105 extended deny ip object-group nastyhost any

Hope that helps.
 
-pH (Author) commented:
debuggerau - sorry, this is my production FW so I just need to be sure before I start.
Will that just block the single IP?
And I just execute the commands as follows?
Do I replace 'nastyhost' with the IP of the offending host?

access-group 105 in interface outside
object-group network nastyhost
network-object 67.159.60.22 255.255.255.224
access-list 105 extended deny ip object-group nastyhost any
 
-pH (Author) commented:
theoaks -
Sorry, I missed this on the last post. Will your commands reach the same results? Not sure what the diff is.
 
theoaks commented:
That will do the range...

But the subnet ID for the IP you supplied is incorrect. It should be:

67.159.60.16 255.255.255.248

This will block everything between .16 and .23.

Thanks
 
theoaks commented:
Also, is this a router or a firewall? If so, what model / IOS?

Syntax is different depending on what IOS you're using too.
 
-pH (Author) commented:
I need to block from 67.159.60.24-31.
This is an ASA 5510 (FW).
 
theoaks commented:
OK

That makes it a little different.

Try:

conf t
access-list <aclname> line 1 deny ip 67.159.60.24 255.255.255.248 any
access-group <aclname> in interface <outside interface name>
write mem

<outside interface name> is the nameif of your outside interface.

Thanks
 
-pH (Author) commented:
After the first line I get the following error:

GS-ASA5510-1(config)# access-list 105 line 1 deny ip 67.159.60.29 255.255.255.$
ERROR: IP address,mask <67.159.60.29,255.255.255.248> doesn't pair
GS-ASA5510-1(config)#
 
debuggerau commented:
Yeah, my mask was off, but it's for the range, not a single address..

If it's a production firewall, I'd prefer theoaks' suggestions too..
I've got a PIX, not an ASA, so the extended part might not exist on your box..

And the 'line 1' part - I can't say..

Use theoaks' method first..
 
theoaks commented:
You typed 67.159.60.29; you need to type 67.159.60.24.

Thanks
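Added example (not from this thread, not Cisco code): a small Python check, built on the standard ipaddress module, for the "doesn't pair" error above. It rounds a host address down to the network address the ASA expects, shows which addresses the entry covers, and emits the two ASA lines from theoaks' answer. It assumes the thread's ACL number 105 and nameif "outside", and uses the extended keyword the question used.

```python
import ipaddress
from typing import List, Tuple


def pairs(ip: str, mask: str) -> bool:
    """True when ip is the network address under mask.

    This is the check behind the ASA error: 67.159.60.29 with
    255.255.255.248 fails because .29 sits inside the .24-.31 block
    rather than being its first address.
    """
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return net.network_address == ipaddress.IPv4Address(ip)


def block_range(ip: str, mask: str) -> Tuple[str, str]:
    """First and last address covered once ip is rounded down to its network."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def covers(ip: str, mask: str, host: str) -> bool:
    """True if a deny entry for ip/mask would match host."""
    return ipaddress.IPv4Address(host) in ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def asa_deny_lines(acl: str, ip: str, mask: str, nameif: str = "outside") -> List[str]:
    """Build the deny entry and its access-group binding for the ASA.

    Refuses a pair the ASA would reject and names the address that pairs.
    'line 1' places the deny ahead of any permit already in the ACL.
    acl and nameif default to the thread's values (assumed, not verified).
    """
    if not pairs(ip, mask):
        first, last = block_range(ip, mask)
        raise ValueError(
            f"IP address,mask <{ip},{mask}> doesn't pair; "
            f"use {first} {mask} (covers {first}-{last})"
        )
    return [
        f"access-list {acl} line 1 extended deny ip {ip} {mask} any",
        f"access-group {acl} in interface {nameif}",
    ]


if __name__ == "__main__":
    # The poster's mistyped address, then the corrected one from the thread.
    for candidate in ("67.159.60.29", "67.159.60.24"):
        try:
            print("\n".join(asa_deny_lines("105", candidate, "255.255.255.248")))
        except ValueError as err:
            print(err)
```

Binding an access-group to an interface replaces whatever ACL was bound there before, so check 'show run access-group' first and add the deny to the existing ACL name if one is already applied.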
 
-pH (Author) commented:
Awesome, nice catch. Thanks.
We shall see what happens now. It looks like a personal IP coming from SC, but geo phys local shows it coming from IL.
I am kinda guessing the guy on WHOIS who has the IP registered is loaded up with spyware and somebody got in and is now slapping me with spam.
We shall see.
Thanks a bunch!
-pH
 
-pH (Author) commented:
Awesome and quick response.
