- Access list question (WHY DOESN'T THIS WORK?!!)
- Posted by Erik on April 5th, 2004
Hi,
I'm a bit of a novice with PIXs so please bear with me - I'm not sure
why this happens and would really appreciate it if somebody could shed
some light on this. First, the background information - The
environment here is just a simple network with a 515E PIX box. We're
running Citrix (xx.xxx.186.83), PCAnywhere (xx.xxx.186.85), and
Exchange OWA (xx.xxx.186.84) - Here are the Access List entries:
access-list acl-outside permit tcp any host xx.xxx.186.83 eq citrix-ica
access-list acl-outside permit tcp any host xx.xxx.186.84 eq smtp
access-list acl-outside permit tcp any host xx.xxx.186.84 eq https
access-list acl-outside permit tcp any host xx.xxx.186.84 eq www
access-list acl-outside permit tcp any host xx.xxx.186.85 eq pcanywhere-data
access-list acl-outside permit tcp any host xx.xxx.186.85 eq 5632
Everything works fine initially by the way - What I WANT TO DO is
this: We've been getting a steady stream of viruses from a certain
range of IP addresses:
namely these guys (True IP's by the way) ...
NetRange: 12.172.164.0 - 12.172.167.255
CIDR: 12.172.164.0/22
So I was hoping to block these at the pix. I was HOPING to use this
entry
access-list acl-outside deny tcp 12.172.164.0 255.255.255.0 host xx.xxx.186.84 eq smtp
What happens after I make this entry is that all attempts of traffic
coming in (whether it be Citrix, PCAnywhere, Smtp, OWA) - All this
gets blocked. Even after I make an entry saying
'no access-list acl-outside deny tcp 12.172.164.0 255.255.255.0 host xx.xxx.186.84 eq smtp'
i.e. taking the entry out. It STILL GETS BLOCKED. Even though when I
do a 'Write Terminal', it doesn't show the entry anymore. I have to
literally reset the box (because I don't save the configuration) so
that it resets to the original access-list entries.
Again, any input would be appreciated if you have the time to jot a
message to me or have any ideas to point me where I'm going wrong.
- Posted by Darin Wayrynen on April 6th, 2004
In article <4f8b24ce.0404050952.9571c31@posting.google.com> ,
Erik <erikk7@yahoo.com> wrote:
[snip]
try:
access-list acl-outside deny tcp 12.172.164.0 0.0.0.255 host xxx.xxx.186.84 eq smtp
In other words - reverse the mask you are using on the source address.
Darin
- Posted by Darin Wayrynen on April 6th, 2004
In article <4f8b24ce.0404050952.9571c31@posting.google.com> ,
Erik <erikk7@yahoo.com> wrote:
[snip]
argh, you want to block a /22 block, so instead use 0.0.3.255 as the
source mask. ;-)
access-list acl-outside deny tcp 12.172.164.0 0.0.3.255 host xxx.xxx.186.84 eq smtp
Darin
- Posted by News Account on April 6th, 2004
From the PIX documentation on access-list ...
"Remember that you specify a network mask differently than with the Cisco
IOS software access-list
command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0
for a Class B
address, and 255.255.255.0 for a Class C address. If you are using a
subnetted network address, use
the appropriate network mask."
Don Woodward
"Darin Wayrynen" <darin@deru.net> wrote in message
news:Fmcc.12505481$Of.2087738@news.easynews.com...
- Posted by timo on April 6th, 2004
You should try a clear xlate . I think I remember reading this a while back.
Tim
erikk7@yahoo.com (Erik) wrote in message news:<4f8b24ce.0404050952.9571c31@posting.google.com>...
- Posted by Erik on April 6th, 2004
You guys are so great for replying to me. I honestly do appreciate it.
I will test out your ideas and report back what happened - Thanks
again -
timo@theglens.net (timo) wrote in message news:<5a033f8c.0404051818.6b16c8bf@posting.google.com>...
- Posted by teggs on April 7th, 2004
"Darin Wayrynen" <darin@deru.net> wrote in message
news:NImcc.12415630$Id.2073999@news.easynews.com...
Guys,
The PIX Firewall DOES NOT use inverse masks in ACL's so just use the correct
subnet mask.
Teggs
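The mask and ordering points raised in the thread (Darin's inverse-mask suggestions, the PIX documentation quoted by Don, and Teggs' note that PIX wants a normal subnet mask), worked through in a small Python model. This is an added example, not code from the thread or from Cisco: it models PIX first-match evaluation with network masks (source address ANDed with the mask and compared to the network), which is how PIX 6.x access-lists behave, and it uses the constructed addresses 192.0.2.83/.84/.85 in place of the thread's masked xx.xxx.186.x hosts. The PORT_NAMES table is an assumption for the service names the thread uses.

```python
import ipaddress

# PIX service names appearing in the thread, mapped to TCP port numbers (assumed table).
PORT_NAMES = {"citrix-ica": 1494, "smtp": 25, "https": 443, "www": 80,
              "pcanywhere-data": 5631}


def cidr_to_pix_mask(cidr: str) -> str:
    """Network mask a PIX access-list expects for a CIDR block: /22 -> 255.255.252.0."""
    return str(ipaddress.ip_network(cidr, strict=True).netmask)


def wildcard_to_pix_mask(wildcard: str) -> str:
    """Convert an IOS-style wildcard (inverse) mask into the PIX network mask."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(w ^ 0xFFFFFFFF))


def addresses_covered(mask: str) -> int:
    """How many addresses a network mask spans (255.255.255.0 -> 256, 255.255.252.0 -> 1024)."""
    return (int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF) + 1


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network_int, mask_int)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(tok))
    mask = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net & mask, mask


def parse_ace(line: str) -> dict:
    """Parse one 'access-list ID permit|deny tcp SRC DST [eq PORT]' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    acl_id, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    port = None
    if rest and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"id": acl_id, "action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def _matches(addr: str, net_mask) -> bool:
    # PIX semantics: (address AND mask) == network. An 'any' entry has mask 0 and matches everything.
    net, mask = net_mask
    return (int(ipaddress.IPv4Address(addr)) & mask) == net


def evaluate(acl_lines, src: str, dst: str, dport: int):
    """First-match evaluation. Returns (action, line_number); unmatched traffic hits the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if (_matches(src, ace["src"]) and _matches(dst, ace["dst"])
                and (ace["port"] is None or ace["port"] == dport)):
            return ace["action"], n
    return "deny", None


# Constructed ACL modelled on the thread; 192.0.2.x stands in for xx.xxx.186.x.
PERMITS = [
    "access-list acl-outside permit tcp any host 192.0.2.83 eq citrix-ica",
    "access-list acl-outside permit tcp any host 192.0.2.84 eq smtp",
    "access-list acl-outside permit tcp any host 192.0.2.84 eq https",
    "access-list acl-outside permit tcp any host 192.0.2.84 eq www",
    "access-list acl-outside permit tcp any host 192.0.2.85 eq pcanywhere-data",
    "access-list acl-outside permit tcp any host 192.0.2.85 eq 5632",
]
# The /24 mask from the original post, and the /22 mask that actually covers 12.172.164.0-12.172.167.255.
DENY_24 = "access-list acl-outside deny tcp 12.172.164.0 255.255.255.0 host 192.0.2.84 eq smtp"
DENY_22 = "access-list acl-outside deny tcp 12.172.164.0 255.255.252.0 host 192.0.2.84 eq smtp"


def demo() -> dict:
    """Collect the outcomes that matter for the thread's question."""
    return {
        # access-list commands append, so a deny added after 'permit tcp any ... eq smtp' is never reached
        "deny_appended_last": evaluate(PERMITS + [DENY_24], "12.172.164.10", "192.0.2.84", 25),
        # deny placed first with the /24 mask: hits the first quarter of the range only
        "deny24_first_in_24": evaluate([DENY_24] + PERMITS, "12.172.164.10", "192.0.2.84", 25),
        "deny24_first_in_22": evaluate([DENY_24] + PERMITS, "12.172.166.10", "192.0.2.84", 25),
        # deny placed first with the correct /22 mask covers the whole NetRange
        "deny22_first_in_22": evaluate([DENY_22] + PERMITS, "12.172.166.10", "192.0.2.84", 25),
        # unrelated services and sources are unaffected by the deny
        "citrix_still_ok": evaluate([DENY_22] + PERMITS, "12.172.166.10", "192.0.2.83", 1494),
        "other_source_smtp": evaluate([DENY_22] + PERMITS, "198.51.100.7", "192.0.2.84", 25),
        "implicit_deny": evaluate(PERMITS, "198.51.100.7", "192.0.2.84", 23),
    }


if __name__ == "__main__":
    print("PIX mask for 12.172.164.0/22:", cidr_to_pix_mask("12.172.164.0/22"))
    print("IOS wildcard 0.0.3.255 as PIX mask:", wildcard_to_pix_mask("0.0.3.255"))
    for name, result in demo().items():
        print(name, result)
```

The two things the model makes visible are that 255.255.255.0 only covers 256 of the 1024 addresses in the NetRange, and that the PIX processes an access-list top to bottom, so a deny typed after the matching permit never fires; on a real PIX the deny for the range has to sit above the SMTP permit, and any change to an existing ACL is a good moment to re-check hit order before trusting it.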
- Posted by Erik on April 15th, 2004
I just wanted to make a follow-up post - Thank you for all your help
and responses - We eventually just went the route of getting a spam
filter (Open Relay Filter) - It filters out spam via blacklists and
you can also filter out emails by IP range (my original question) -
Since we've had so much spam lately, I figured we'd get 2 birds with
one stone. It seems to work very well - Thanks again