How To DENY an Address

Hi All..

I have a pix 515-r.

I want to block all traffic from a specific (outside) IP address to one of our (DMZ address) servers. What would the access-list statement look like?

Thank you!

Reply to
nickjax01

If you apply an access-list over the outside interface, there will be an implicit DENY at the end of it. So, basically, PIX will deny everything that you don't "allow" into the access-list.

Reply to
Chino

Ok, ..but here's my situation. I want to block 1 IP from hitting my DNS server. So since I have an ACL that allows any host to hit my dns server on the dns port, how would I go about blocking 1 IP address?

Thanks.

Reply to
nickjax01

Put the deny before the permit in the ACL.

Reply to
alexd

Ok..but can you please provide what the statement would look like? I tried putting in a deny statement and the DNS requests were still hitting my server. So I figured I'm entering it incorrectly. If the outside IP is 000.000.000.000 and my server is XXX.XXX.XXX.XXX, what should the deny statement be?

Thanks a lot!!

Reply to
nickjax01

access-list WHATEVER deny udp host 000.000.000.000 host XXX.XXX.XXX.XXX eq domain

and then

access-list WHATEVER permit udp any host XXX.XXX.XXX.XXX eq domain

You may want to allow/deny DNS access on the same port over the TCP protocol too if you plan to permit/prevent zones from being transferred.

Reply to
Chino
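The reason the poster's first attempt still let DNS through is almost certainly ordering: a PIX access-list is evaluated top to bottom, the first matching entry wins, and a new access-list line is appended after the existing ones, so a deny typed in after the "permit udp any ... eq domain" never gets a chance to match. The following is an added example, not code from the thread or from Cisco: a small Python model of first-match ACL evaluation with the implicit deny at the end, parsing the same access-list syntax Chino posted (host/any/mask address specs, "eq domain"). The addresses 203.0.113.7 and 192.0.2.53, the ACL name outside_in and the test packets are constructed placeholders standing in for the thread's 000.000.000.000 and XXX.XXX.XXX.XXX.

```python
"""Model of PIX access-list evaluation: ordered entries, first match wins,
implicit deny when nothing matches. Added example, not from the original
thread; addresses and the ACL name are made-up placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports PIX accepts in place of numbers (subset sufficient for this thread)
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "ip" ("ip" matches either)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in self.src
            and ipaddress.IPv4Address(pkt.dst) in self.dst
            and (self.dport is None or self.dport == pkt.dport)
        )


def _take_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec: 'any', 'host A', or 'A MASK'.
    PIX access-lists use a normal subnet mask, not an IOS wildcard mask."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]' into (name, Ace)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = _take_addr(tok, 4)
    dst, i = _take_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return name, Ace(action, proto, src, dst, dport)


def build_acl(lines: List[str]) -> List[Ace]:
    """Entries keep the order given, as PIX appends each access-list line to the list."""
    return [parse_ace(line)[1] for line in lines]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation; the trailing 'deny' is PIX's implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Placeholder addresses (assumptions) for the thread's outside host and DMZ DNS server
BAD_HOST = "203.0.113.7"
DNS_SERVER = "192.0.2.53"

# What the poster most likely ended up with: the permit was already there,
# the deny was typed in afterwards and therefore appended below it.
WRONG_ORDER = build_acl([
    f"access-list outside_in permit udp any host {DNS_SERVER} eq domain",
    f"access-list outside_in deny udp host {BAD_HOST} host {DNS_SERVER} eq domain",
])

# The order recommended in the thread: specific deny first, broad permit after.
RIGHT_ORDER = build_acl([
    f"access-list outside_in deny udp host {BAD_HOST} host {DNS_SERVER} eq domain",
    f"access-list outside_in permit udp any host {DNS_SERVER} eq domain",
])


def check(acl: List[Ace]) -> dict:
    """Verdicts for three constructed packets: the blocked host over UDP/53,
    some other outside host over UDP/53, and the blocked host over TCP/53."""
    return {
        "bad_host_udp53": evaluate(acl, Packet("udp", BAD_HOST, DNS_SERVER, 53)),
        "other_host_udp53": evaluate(acl, Packet("udp", "198.51.100.9", DNS_SERVER, 53)),
        "bad_host_tcp53": evaluate(acl, Packet("tcp", BAD_HOST, DNS_SERVER, 53)),
    }


if __name__ == "__main__":
    print("permit then deny:", check(WRONG_ORDER))
    print("deny then permit:", check(RIGHT_ORDER))
```

With the permit first, the blocked host's UDP/53 query is permitted because the "any" entry matches before the deny is ever consulted; with the deny first it is dropped while other hosts still resolve. TCP/53 is denied in both orderings by the implicit deny, which is the point of Chino's closing remark: if zone transfers are wanted, a separate TCP permit is needed, and if they are not, nothing further is required. On the PIX itself the list only takes effect once it is bound with "access-group outside_in in interface outside", and "show access-list" shows the entries in evaluation order with their hit counts, which is the quickest way to confirm whether the deny is actually being matched.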

Thanks!!

Reply to
nickjax01

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.