-pH

block ip cisco asa

I am quite a bit rusty on my Cisco chops right now. What is the command to block a single IP from getting into our network?
e.g. I want to block 67.159.60.22/29
Can I block the entire subnet with an access list? Do I just block the single IP I see hitting us so much? What exactly are the commands past conf t?
Would 'access-list 105 extended deny ip 67.159.0.0 255.255.255.248 any' work?
Do I need to apply it to eth0?
Sorry, it's been a long while.
theoaks

enable
conf t
access-list <ACLNUMBER> deny ip 67.159.60.22 255.255.255.248 any
int e0
ip access-group <ACLNUM> in
write mem

Very good,
There should be an access-group assigned to that interface, like:
access-group 105 in interface outside

Then make an object group for those hosts
object-group network nastyhost
 network-object 67.159.60.22 255.255.255.224


So the access list would be:
access-list 105 extended deny ip host object-group Nastyhost any

Hope that helps.
-pH

ASKER

debuggeras - sorry, this is my production FW so I just need to be sure before I start.
Will that just block the single IP?
And I just execute the commands as follows?
Do I replace 'nasty host' with the IP of the offending host?

access-group 105 in interface outside
object-group network nastyhost
network-object 67.159.60.22 255.255.255.224
access-list 105 extended deny ip host object-group Nastyhost any
-pH

ASKER

theoaks -
Sorry, I missed this on the last post. Will your commands reach the same results? Not sure what the difference is.
That will do the range...

But the subnet ID for the IP you supplied is incorrect. It should be

67.159.60.16 255.255.255.248

This will block everything between .16 and .23.

Thanks.
Also, is this a router or a firewall? If so, what model / IOS?

Syntax is different depending on what IOS you're using too.
-pH

ASKER

I need to block from 67.159.60.24-31.
This is an ASA 5510 (FW).
OK,

that makes it a little different.

Try:

conf t
access-list <aclname> line 1 deny ip 67.159.60.24 255.255.255.248 any
access-group <aclname> in interface <outside interfaces name>
write mem

<outside interfacename> is the nameif of your outside interface

Thanks.
-pH

ASKER

After the first line I get the following error:

GS-ASA5510-1(config)# access-list 105 line 1 deny ip 67.159.60.29 255.255.255.$
ERROR: IP address,mask <67.159.60.29,255.255.255.248> doesn't pair
GS-ASA5510-1(config)#
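The "doesn't pair" error above is the ASA refusing an address that has host bits set under the given mask: 67.159.60.29 is not the network ID of a /29 block, 67.159.60.24 is. The script below is an added example, not from any poster in this thread, that reproduces that check with the standard library, turns a range such as .24-31 into the network/mask pair the ASA wants, and emits the access-list/access-group lines in the form theoaks used. The ACL name "105" and the nameif "outside" are assumed placeholders; substitute the names already bound on your firewall.

```python
# Added example (not from the thread): validate an address/mask pair the way
# the ASA's "doesn't pair" check does, derive the network/mask for a range,
# and build the ASA deny lines. ACL "105" and nameif "outside" are assumed.
import ipaddress


def network_id(ip: str, mask: str) -> str:
    """Network address for ip/mask, e.g. 67.159.60.22 with /29 -> 67.159.60.16."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.network_address)


def pairing_error(ip: str, mask: str):
    """None if ip has no host bits set under mask, else the ASA-style error text."""
    if network_id(ip, mask) == ip:
        return None
    return f"ERROR: IP address,mask <{ip},{mask}> doesn't pair"


def range_to_networks(first: str, last: str):
    """Smallest set of (network, netmask) pairs covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.netmask)) for n in nets]


def asa_deny_lines(ip: str, mask: str, acl: str = "105", nameif: str = "outside"):
    """ASA lines denying the range (or a single host for a /32) inbound on nameif.

    Raises ValueError with the ASA error text if the pair would be rejected,
    so a bad mask is caught before anything is typed into a production box.
    """
    err = pairing_error(ip, mask)
    if err:
        raise ValueError(err)
    if mask == "255.255.255.255":
        ace = f"access-list {acl} extended deny ip host {ip} any"
    else:
        ace = f"access-list {acl} extended deny ip {ip} {mask} any"
    return [ace, f"access-group {acl} in interface {nameif}"]


if __name__ == "__main__":
    # The pair the ASA rejected in the thread, then the corrected network ID.
    print(pairing_error("67.159.60.29", "255.255.255.248"))
    print(pairing_error("67.159.60.24", "255.255.255.248"))
    # The range the asker finally wanted: .24 through .31 is exactly one /29.
    for net, mask in range_to_networks("67.159.60.24", "67.159.60.31"):
        print("\n".join(asa_deny_lines(net, mask)))
```

Two points from the thread carry over to the generated lines: if an ACL is already bound inbound on the outside interface (the `access-group 105 in interface outside` mentioned earlier), add the deny entry to that ACL rather than binding a second one, and keep the deny above any permit that would match the same traffic, which is what the `line 1` in theoaks' command does.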
Yeah, my mask was off, but it's for the range, not a single address...

If it's a production firewall, I'd prefer theoaks' suggestions too...
I've got a PIX, not an ASA, so the extended part might not exist on your box...

And the 'line 1' part - I can't say...

Use theoaks' method first...
ASKER CERTIFIED SOLUTION
theoaks
-pH

ASKER

Awesome, nice catch. Thanks.
We shall see what happens now. It looks like a personal IP coming from SC, but geo phys local shows it coming from IL.
I am kinda guessing the guy on whois who has the IP registered is loaded up with spyware and somebody got in and is now slapping me with spam.
We shall see.
Thanks a bunch!
-pH
-pH

ASKER

Awesome and quick response.