Urgent Virus Issue > Block IP Address

we've got a virus infection and it keeps reinstalling a remote management tool , I've used some monitoring tools and can see it's trying to communicate with the public IP, I assumed i'd be able to block this by putting in :

access-list in2out deny ip any host access-list in2out permit ip any any access-list in2out permit icmp any any access-group in2out in interface inside

I thought the above lines would resolve it , but I can still see the virus communicating with that IP address both in and outbound

Anybody have any ideas what i've missed?

Reply to
Loading thread data ...

How about where you applied it, on what interface and in what direction?

Reply to
Brian V

I've read through this

formatting link
can't see where I could have gone wrong

Anybody got any ideas?

Reply to

paul snipped-for-privacy@hotmail.com a écrit :

If there's an active "xlate" for the infected host(s), new access-lists won't take effect.

Try issuing a "clear xlate local x.x.x.x" where x.x.x.x is the ip address of the infected host(s). If you do not have mission critical traffic through your pix (including the vpn tunnel you're currently using to access it!), you can just "clear xlate". This will kill all current connections and force new ones to be rebuilt using the new in2out access-list.

Reply to
Francois Labreque

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.