Block incoming class C network Pix 501

Discussion in 'Cisco' started by Mark Simons, Jan 27, 2005.

  1. Mark Simons

    Mark Simons Guest

    I would like to block a class C ip address. We have an internal mail server
    and this company is spamming the hell out of us so I want to block their
    entire subnet from contacting our mail server.

    I know I need to use a access-list deny just not sure how to do it.

    The IP class is :

    63.111.25.0

    Any help is much appreciated.
     
    Mark Simons, Jan 27, 2005
    #1

  2. :I would like to block a class C ip address. We have an internal mail server
    :and this company is spamming the hell out of us so I want to block their
    :entire subnet from contacting our mail server.

    :I know I need to use a access-list deny just not sure how to do it.

    :The IP class is :
    :63.111.25.0

    Telnet to the PIX. When prompted for a password, type in the
    regular password (not the enable password). You will be given a
    prompt. At that prompt, give the command enable and at the
    password prompt, type in your enable password. When you get the
    prompt that ends in '#', give the command show access-group
    and look for the line that ends in 'interface outside'. For example,

    access-group acl-outside in interface outside

    The word between 'access-group' and 'in' is the name of the access-list
    that is being used to filter incoming traffic. I will use "TheACL"
    to represent that name in the discussion below.

    If you are running PIX 6.3, then give the command configure terminal
    which will get you to a prompt that includes "(config)". At
    that prompt, type in
    access-list TheACL line 1 deny ip 63.111.25.0 255.255.255.0 any
    then when that has been accepted, type the command exit
    and then the command write memory. After that, type in more
    exit commands until you are logged off. Note that the word
    TheACL should be replaced by the name discovered as described above.


    If you are using PIX 6.2, then give the command

    show running | include TheACL

    where TheACL is the name discovered as described above. Highlight
    all of the resulting lines that start with access-list and paste
    those lines into an editor. Then use the editor to put
    access-list TheACL deny ip 63.111.25.0 255.255.255.0 any
    at the beginning of the list. After that, go through and change
    the access list name ("TheACL" in this example) to a new name
    on every line -- for example, you might end up with

    access-list TheNewACL deny ip 63.111.25.0 255.255.255.0 any
    access-list TheNewACL deny ip 192.168.0.0 255.255.0.0 any

    and so on.

    Back on the PIX, give the command configure terminal
    and when you get the prompt that includes "(config)" highlight
    the modified ACL (with the new ACL name throughout!) in your
    editor window and paste it into the PIX telnet session.
    This will have the effect of creating the ACL with the new
    name without touching the previous ACL. Now, still at the
    (config) prompt, give the command

    access-group TheNewACL in interface outside

    where again TheNewACL is the new ACL name you substituted in
    the editor window. This will have the effect of activating
    TheNewACL, but the old ACL will still exist. The step after that is
    to give the command no access-list TheACL naming the -old- ACL name
    [not the new one!]. This will get rid of the old ACL.
    Once that is done, give the command write memory and then
    type exit commands until you are logged off.


    If you are unable to telnet to your PIX, then you may be able to
    ssh to it. If you do that, then you should tell your ssh command
    that the username to use is 'pix'. For example,

    ssh pix@<address-of-your-PIX>

    If you can't ssh to the PIX either, you may be able to use the
    graphical interface. To try that, go into a web browser and
    ask to open the url https://192.168.1.1 where 192.168.1.1
    should be replaced by the IP address of the side of the PIX you are
    starting from. If you get a username and password box, leave the
    username box empty and put your regular password in the password
    area (or is it the enable password? I forget.) I am not going to
    give instructions on how to go through the graphical menus to
    configure the access-lists... this message is long enough already.

    If you can't telnet or ssh and you can't access through the graphical
    interface, then you will need to connect through the serial console.
    Use the serial cable that was provided with your PIX and connect
    it to your computer, and go into a terminal program. Use HyperTerm
    if you must, but it's not exactly the best of terminal programs.


    If none of this works... get someone to come over and help you.
     
    Walter Roberson, Jan 27, 2005
    #2
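The PIX 6.2 part of the answer above is really a text transformation on the running config (put the new deny line first, rename every line, load the copy beside the old list), and the value of a subnet deny depends on whether the mask actually covers the sources you are seeing. The script below, added here as an illustration and not part of the thread, performs that transformation on a constructed sample of `show running | include acl-outside` output, emits the PIX 6.3 `line 1` form as well, and walks the resulting list top-down to show which sources it would deny. The ACL name `acl-outside` is the one from the answer's `show access-group` example; the `10.0.0.x` hosts and the observed-source addresses are constructed, and only the source field of each entry is evaluated (destination and ports are ignored for this check).

```python
"""Rebuild a PIX 6.2 ACL the way the answer describes, and check the result.

Added example, not code from the thread. Sample config lines and observed
source addresses are constructed; 'acl-outside' is the name used in the
answer's show access-group example.
"""
import ipaddress

# Constructed sample of what 'show running | include acl-outside' might print.
SAMPLE_RUNNING = """\
access-list acl-outside permit tcp any host 10.0.0.25 eq smtp
access-list acl-outside permit tcp any host 10.0.0.80 eq www
"""

# Constructed sample of spam sources pulled from the mail server's log.
OBSERVED_SOURCES = ["63.111.25.14", "63.111.25.200", "63.111.26.9"]


def pix63_deny_line(acl_name, deny_network):
    """PIX 6.3 form: insert the deny at position 1 of the existing list.
    PIX ACLs take a subnet mask (not a wildcard mask), so /24 becomes
    255.255.255.0."""
    net = ipaddress.ip_network(deny_network)
    return f"access-list {acl_name} line 1 deny ip {net.network_address} {net.netmask} any"


def build_renamed_acl(running_lines, old_name, new_name, deny_network):
    """PIX 6.2 form: return the deny entry first, followed by every existing
    'access-list <old_name> ...' line re-labelled with new_name, so the new
    list can be pasted in and activated without touching the old one."""
    net = ipaddress.ip_network(deny_network)
    prefix = f"access-list {old_name} "
    out = [f"access-list {new_name} deny ip {net.network_address} {net.netmask} any"]
    for line in running_lines.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            out.append(f"access-list {new_name} " + line[len(prefix):])
    return out


def _parse_source(tokens):
    """Consume the source specifier ('any', 'host A.B.C.D', or
    'A.B.C.D M.M.M.M') and return an ip_network (None for 'any')."""
    if tokens[0] == "any":
        return None
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")


def first_match(acl_lines, src_ip):
    """Evaluate entries top-down on the source field only and return the
    action ('deny' or 'permit') of the first match, or None when nothing
    matches (a PIX ACL denies traffic that matches no entry)."""
    ip = ipaddress.ip_address(src_ip)
    for line in acl_lines:
        tok = line.split()  # access-list NAME ACTION PROTO SRC...
        action, src_net = tok[2], _parse_source(tok[4:])
        if src_net is None or ip in src_net:
            return action
    return None


def uncovered_sources(deny_network, observed):
    """Sources from the log that the chosen deny mask would NOT cover:
    worth checking before assuming a /24 is enough."""
    net = ipaddress.ip_network(deny_network)
    return [s for s in observed if ipaddress.ip_address(s) not in net]


if __name__ == "__main__":
    print(pix63_deny_line("acl-outside", "63.111.25.0/24"))
    new_acl = build_renamed_acl(SAMPLE_RUNNING, "acl-outside", "acl-outside-new", "63.111.25.0/24")
    print("\n".join(new_acl))
    for src in OBSERVED_SOURCES:
        print(src, "->", first_match(new_acl, src))
    print("not covered by the /24:", uncovered_sources("63.111.25.0/24", OBSERVED_SOURCES))
```

Run it as-is to see the generated lines; the deny-first ordering matters because the PIX stops at the first matching entry, so the same deny placed after `permit tcp any host ... eq smtp` would never fire for mail traffic.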
