
Cisco PIX Question

SaigonK

Diamond Member
A while back I had created an object-group to block outgoing access to a set of IPs:


object-group network Tecent
network-object 61.144.238.145 255.255.255.255
network-object 61.144.238.146 255.255.255.255
network-object 202.104.129.251 255.255.255.255
network-object 202.104.129.254 255.255.255.255
network-object 61.141.194.203 255.255.255.255
network-object 202.104.129.252 255.255.255.255
network-object 202.104.129.253 255.255.255.255
network-object 218.17.217.106 255.255.255.255
network-object 219.133.40.95 255.255.255.255
network-object 219.133.40.97 255.255.255.255
network-object 219.133.40.157 255.255.255.255
network-object 219.133.40.177 255.255.255.255
network-object 219.133.40.73 255.255.255.255
network-object 219.133.40.189 255.255.255.255
network-object 218.18.95.153 255.255.255.255
network-object 218.17.209.23 255.255.255.255
network-object 218.17.209.42 255.255.255.255
network-object 219.133.49.6 255.255.255.255
network-object 218.18.95.165 255.255.255.255
network-object 219.133.38.132 255.255.255.255


Now I am getting ready to add my access-list and wanted to see if this might be the best possible way. Here is my intended syntax:

access-list outside_access line 3 deny tcp any any Tecent
access-list outside_access line 3 deny udp any any Tecent

Basically I am looking to block that entire group of IPs from being accessed by my internal hosts...

It looks good to me, but anyone care to comment?
 
I dislike using groups simply because they confuse an otherwise clean ACL entry. I simply use remark statements and put the ACL entries below that. Groups also expand into their respective single ACL entries once processed by the PIX anyway. Just use the following:

access-list outside_access remark <descriptive text>
 
I, on the other hand, find many uses for object groups, and they can be organized to be as clean as or better than straight ACLs.


Yours:
access-list outside_access line 3 deny tcp any any Tecent
access-list outside_access line 3 deny udp any any Tecent

Obviously, specifying the line number would indicate that there is a certain point in the ACL where you want to insert these entries. The any any portion is the source and destination, where the destination should probably be the object group, if I am reading what you want to do right.


access-list outside_access line 3 deny tcp any object-group Tecent
access-list outside_access line 3 deny udp any object-group Tecent
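An added example, not from the thread: a small Python linter that expands a PIX network object-group into the single ACEs the PIX generates internally (the point made above) and flags an entry such as deny tcp any any Tecent, where the group name is left dangling because the destination slot is already filled by the second any. The sample config is constructed; it names the ACL inside_access because traffic from internal hosts is filtered by an ACL bound to the inside interface, and it uses the object-group keyword before the group name, which the PIX requires.

```python
import re
# Constructed sample (not the thread's full config): trimmed Tecent group, the
# corrected ACEs with the object-group keyword, and the malformed 'any any Tecent'.
SAMPLE_CONFIG = """\
object-group network Tecent
 network-object 61.144.238.145 255.255.255.255
 network-object 202.104.129.251 255.255.255.255
access-list inside_access line 3 deny tcp any object-group Tecent
access-list inside_access deny udp any object-group Tecent
access-list inside_access deny tcp any any Tecent
"""
ACE_RE = re.compile(r"access-list (\S+)(?: line \d+)? (permit|deny) (\S+) (.+)$")

def parse_object_groups(config):
    groups, current = {}, None  # name -> list of 'addr mask' strings
    for raw in config.splitlines():
        m = re.match(r"object-group network (\S+)$", raw)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif raw.startswith(" network-object ") and current is not None:
            current.append(" ".join(raw.split()[1:3]))
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the group body
    return groups

def parse_endpoint(tokens, groups):
    """Consume one source/destination spec; return (networks, remaining tokens)."""
    if tokens[0] == "any":
        return ["any"], tokens[1:]
    if tokens[0] == "object-group":
        if tokens[1] not in groups:
            raise ValueError(f"undefined object-group {tokens[1]}")
        return groups[tokens[1]], tokens[2:]
    return [f"{tokens[0]} {tokens[1]}"], tokens[2:]  # plain 'addr mask'

def expand_acl(config):
    """Expand groups into single ACEs; unparsed tokens (ports not modelled) are reported."""
    groups, aces, problems = parse_object_groups(config), [], []
    for m in filter(None, map(ACE_RE.match, config.splitlines())):
        name, action, proto, rest = m.groups()
        try:
            srcs, tokens = parse_endpoint(rest.split(), groups)
            dsts, tokens = parse_endpoint(tokens, groups)
            if tokens:
                raise ValueError(f"unexpected tokens {tokens}")
        except (ValueError, IndexError) as exc:
            problems.append(f"{m.group(0)}: {exc}")
        else:
            aces.extend((name, action, proto, s, d) for s in srcs for d in dsts)
    return aces, problems
```

Running expand_acl(SAMPLE_CONFIG) yields four expanded deny entries (two per protocol) and one problem line for the malformed ACE.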