Deny access to an entire CIDR block

Discussion in 'Cisco' started by just1coder, Oct 18, 2004.

  1. just1coder

    just1coder Guest

    Lately my firewall has been getting a lot of traffic from a particular
    ISP trying to connect to TCP 135, and 445. Can I deny access to the
    entire CIDR block?
     
    just1coder, Oct 18, 2004
    #1

  2. Arnold Nipper

    Yes, all configuration commands are classless.

    Arnold
     
    Arnold Nipper, Oct 18, 2004
    #2

  3. just1coder

    just1coder Guest

    Could you give me an example?
     
    just1coder, Oct 18, 2004
    #3
  4. Gordon Montgomery

    Why not just use this on an incoming ACL?

    ; Deny some microsoft holes
    deny tcp any any eq 135
    deny udp any any eq 135
    deny tcp any any eq 445
    deny tcp any any eq 593
    ;

    Works for me. Blocks anyone trying those tactics, not just one range.
    Gordon Montgomery
    Living Scriptures, Inc
    (anti spam - replace lsi with livingscriptures)
    (801) 627-2000
     
    Gordon Montgomery, Oct 18, 2004
    #4
  5. S. Gione

    S. Gione Guest

    Just1;

    If you do not have ports 135 and/or 445 open to any hosts, you really don't
    have to do anything ... attempts on those ports will be refused by default.
    Adding deny statements won't accomplish anything and the denials will still
    appear in your logs.

    If you do have those ports open and you want to deny the 'perp' any access,
    you can use something like:

    access-list acl_outside deny ip 206.71.63.0 255.255.255.0 any

    Which would block the entire 24-bit network address from any access to any
    ports that you may have open.
     
    S. Gione, Oct 18, 2004
    #5
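Added example, not from any poster in this thread: it takes the CIDR block from the post above and produces the deny entry in the PIX-style subnet-mask form shown by S. Gione and, going a step further than the thread, the IOS extended-ACL form that uses a wildcard (inverse) mask, then checks which source addresses from a constructed list of log entries the entry would actually drop. The ACL name `acl_outside` and the sample addresses are taken from or constructed around the thread.

```python
"""Build the deny entry for a CIDR block in PIX (subnet mask) and IOS
(wildcard mask) syntax, and test which source IPs it would match."""
import ipaddress


def deny_lines(cidr: str, acl_name: str = "acl_outside") -> dict:
    """Return the deny entry for one CIDR block in both dialects.

    PIX/ASA access-list entries take a normal subnet mask (255.255.255.0);
    IOS extended ACL entries take the inverse "wildcard" mask (0.0.0.255).
    strict=True rejects a CIDR whose host bits are set (e.g. 206.71.63.5/24),
    a common typo that would silently block the wrong range on a real box.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    mask = net.netmask
    wildcard = net.hostmask  # wildcard mask == bitwise NOT of the subnet mask
    return {
        "pix": f"access-list {acl_name} deny ip {net.network_address} {mask} any",
        "ios": f"deny ip {net.network_address} {wildcard} any",
    }


def matches(cidr: str, src_ip: str) -> bool:
    """True if a packet sourced from src_ip would hit the deny entry for cidr."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr, strict=True)


def filter_sources(cidr: str, sources):
    """Split source IPs (e.g. pulled from firewall logs) into those the CIDR
    deny drops and those that fall through to later ACL entries."""
    denied = [s for s in sources if matches(cidr, s)]
    passed = [s for s in sources if not matches(cidr, s)]
    return denied, passed


if __name__ == "__main__":
    # Constructed sample: the /24 from the thread plus a few outside addresses
    block = "206.71.63.0/24"
    for form, line in deny_lines(block).items():
        print(f"{form}: {line}")
    scanners = ["206.71.63.17", "206.71.63.254", "206.71.64.1", "10.0.0.5"]
    print(filter_sources(block, scanners))
```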
