How To DENY an Address

Discussion in 'Cisco' started by nickjax01@gmail.com, May 28, 2009.

  1. Guest

    Hi All..

    I have a pix 515-r.

    I want to block all traffic from a specific (outside) IP address to
    one of our (DMZ address) servers. What would the access-list statement
    look like?

    Thank you!
    , May 28, 2009
    #1

  2. Chino Guest

    > I want to block all traffic from a specific (outside) IP address to
    > one of our (DMZ address) servers. What would the access-list statement
    > look like?


    If you apply an access-list over the outside interface, there will be an
    implicit DENY at the end of it.
    So, basically, PIX will deny everything that you don't "allow" into the
    access-list.
    Chino, May 29, 2009
    #2

  3. Guest

    On May 29, 6:39 am, "Chino" <> wrote:
    > > I want to block all traffic from a specific (outside) IP address to
    > > one of our (DMZ address) servers. What would the access-list statement
    > > look like?
    >
    > If you apply an access-list over the outside interface, there will be an
    > implicit DENY at the end of it.
    > So, basically, PIX will deny everything that you don't "allow" into the
    > access-list.



    Ok, ..but here's my situation. I want to block 1 IP from hitting my
    DNS server. So since I have an ACL that allows any host to hit my dns
    server on the dns port, how would I go about blocking 1 IP address?

    Thanks.
    , May 29, 2009
    #3
  4. alexd Guest

    wrote:

    > I want to block 1 IP from hitting my DNS server. So since I have an ACL
    > that allows any host to hit my dns server on the dns port, how would I go
    > about blocking 1 IP address?


    Put the deny before the permit in the ACL.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    14:47:28 up 22 days, 18:09, 1 user, load average: 0.14, 0.13, 0.09
    A few flakes working together can unleash an avalanche of destruction
    alexd, May 29, 2009
    #4
  5. Guest

    On May 29, 9:48 am, alexd <> wrote:
    > wrote:
    > > I want to block 1 IP from hitting my DNS server.  So since I have an ACL
    > > that allows any host to hit my dns server on the dns port, how would I go
    > > about blocking 1 IP address?

    >
    > Put the deny before the permit in the ACL.
    >
    > --
    >  <http://ale.cx/> (AIM:troffasky) ()
    >  14:47:28 up 22 days, 18:09,  1 user,  load average: 0.14, 0.13, 0.09
    >  A few flakes working together can unleash an avalanche of destruction


    Ok..but can you please provide what the statement would look like? I
    tried putting in a deny statement and the DNS requests were still
    hitting my server. So I figured I'm entering it incorrectly. If the
    outside IP is 000.000.000.000 and my server is XXX.XXX.XXX.XXX, what
    should the deny statement be?

    Thanks a lot!!
    , May 29, 2009
    #5
  7. Chino Guest


    >Ok..but can you please provide what the statement would look like? I
    >tried putting in a deny statement and the DNS requests were still
    >hitting my server. So I figured I'm entering it incorrectly. If the
    >outside IP is 000.000.000.000 and my server is XXX.XXX.XXX.XXX, what
    >should the deny statement be?


    access-list WHATEVER deny udp host 000.000.000.000 host XXX.XXX.XXX.XXX eq domain

    and then

    access-list WHATEVER permit udp any host XXX.XXX.XXX.XXX eq domain


    You may want to allow/deny DNS access on the same port over the TCP protocol
    too if you plan to permit/prevent zones from being transferred.
    Chino, May 29, 2009
    #7
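    Putting the deny ahead of the permit, as alexd and Chino describe, works because the PIX evaluates an applied access-list top down and stops at the first matching entry, with an implicit deny after the last one. The following is an added example, not from this thread, that models that first-match rule in Python using constructed documentation-range addresses (203.0.113.7 as the outside host, 192.0.2.53 as the DMZ DNS server) and an assumed ACL name OUTSIDE_IN, and renders the entries in PIX access-list syntax.

```python
# Added example (not from the thread): first-match evaluation of a PIX/ASA-style
# access-list, showing why the deny ACE must sit above the permit ACE that would
# otherwise match the same traffic. Addresses below are constructed placeholders
# from the RFC 5737 documentation ranges; OUTSIDE_IN is an assumed ACL name.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BAD_HOST = "203.0.113.7"    # constructed: the single outside address to block
DNS_SERVER = "192.0.2.53"   # constructed: the DMZ DNS server


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip"
    src: str               # "any", a host address or a CIDR prefix
    dst: str
    dport: Optional[int]   # None means any destination port


def _match_addr(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and _match_addr(ace.src, src) and _match_addr(ace.dst, dst)
            and (ace.dport is None or ace.dport == dport))


def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching ACE; no match is an implicit deny."""
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


def build_acl(deny_first: bool):
    """Chino's two entries in either order; deny_first=False reproduces the OP's mistake."""
    deny = Ace("deny", "udp", BAD_HOST, DNS_SERVER, 53)
    permit = Ace("permit", "udp", "any", DNS_SERVER, 53)
    return [deny, permit] if deny_first else [permit, deny]


def render(name: str, ace: Ace) -> str:
    """Emit one ACE in PIX syntax (single addresses only; 'eq domain' is port 53).
    The list still has to be bound with: access-group <name> in interface outside"""
    addr = lambda s: "any" if s == "any" else f"host {s}"
    port = "" if ace.dport is None else (" eq domain" if ace.dport == 53 else f" eq {ace.dport}")
    return f"access-list {name} {ace.action} {ace.proto} {addr(ace.src)} {addr(ace.dst)}{port}"
```

    Evaluating the same UDP/53 packet against both orderings shows the deny only takes effect when it precedes the permit; a TCP/53 packet hits the implicit deny in both cases, which is the zone-transfer point Chino raises.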
  8. Guest

    On May 29, 11:02 am, "Chino" <> wrote:
    > >Ok..but can you please provide what the statement would look like?  I
    > >tried putting in a deny statement and the DNS requests were still
    > >hitting my server.  So I figured I'm entering it incorrectly.  If the
    > >outside IP is 000.000.000.000 and my server is XXX.XXX.XXX.XXX, what
    > >should the deny statement be?

    >
    > access-list WHATEVER deny udp host 000.000.000.000 host XXX.XXX.XXX.XXX eq domain
    >
    > and then
    >
    > access-list WHATEVER permit udp any host XXX.XXX.XXX.XXX eq domain
    >
    > You may want to allow/deny DNS access on the same port over the TCP protocol
    > too if you plan to permit/prevent zones from being transferred.


    Thanks!!
    , May 29, 2009
    #8