https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624868#M594241 <HTML><HEAD></HEAD><BODY><P>that is correct</P></BODY></HTML> Fri, 14 Jan 2011 18:11:00 GMT Nagaraja Thanthry 2011-01-14T18:11:00Z https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624863#M594228 <P>Hello everyone!</P><P>I am working on locking down the access to the internet and wanted to do a quick test. Below is my config with the new line of code in <STRONG>bold</STRONG>. I am trying to block specific ports while allowing everything else.</P><P>My question is: "Will this work?"</P><P></P><P><BR />access-list 101 extended permit tcp host 10.1.5.80 any eq smtp<BR />access-list 101 extended permit tcp host 10.1.5.91 any eq smtp<BR />access-list 101 extended permit tcp host 10.1.5.50 any eq smtp<BR />access-list 101 extended deny tcp any any eq smtp<BR /><STRONG>access-list 101 extended deny tcp any any range 1495 - 2597<BR /></STRONG>access-list 101 extended permit ip any any</P><P></P><P></P><P>Thanks,</P><P>Scott</P> Mon, 11 Mar 2019 19:35:19 GMT https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624863#M594228 Scott Payne 2019-03-11T19:35:19Z https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624864#M594230 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>So, the three devices (.80/91/50) are your mail servers that will be talking to external mail servers. Is that correct? Also, what device you are implementing this access-list on? If it is on a dedicated firewall (PIX/ASA), this should work fine. If you are doing it on a router, then you might need to make sure that none of the servers are being contacted by the external clients using source port in the range of <STRONG>1495 - 2597.</STRONG></P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Fri, 14 Jan 2011 17:53:35 GMT https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624864#M594230 Nagaraja Thanthry 2011-01-14T17:53:35Z https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624865#M594231 <HTML><HEAD></HEAD><BODY><P>This is on an ASA 5520. And I am only trying to block a range of ports for testing. Once everything starts to look correct, I was planning to remove the ip any any statement and just add permit statements for the specific ports. I did this range so i could try and break internet messenger as a test. We have no devices utilizing these ports.</P><P>If I am understanding correctly, I see that it should successfully block IM traffic and allow everything else.</P></BODY></HTML> Fri, 14 Jan 2011 17:59:30 GMT https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624865#M594231 Scott Payne 2011-01-14T17:59:30Z https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624866#M594232 <HTML><HEAD></HEAD><BODY><P>If you want to block all the TCP flows with the dst port <STRONG><STRONG>1495 - 2597 :</STRONG></STRONG></P><P></P><P>- remove the "-" between the range</P><P></P><P><STRONG>access-list 101 deny tcp any any range 1495 2597</STRONG></P><P></P><P></P><P>Dan</P></BODY></HTML> Fri, 14 Jan 2011 18:01:53 GMT https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624866#M594232 Dan-Ciprian Cicioiu 2011-01-14T18:01:53Z https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624867#M594239 <HTML><HEAD></HEAD><BODY><P>You might try using NBAR , on the internet router , and drop based on NBAR</P><P>scanning.</P><P></P><P></P><P>Dan</P></BODY></HTML> Fri, 14 Jan 2011 18:05:02 GMT https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624867#M594239 Dan-Ciprian Cicioiu 2011-01-14T18:05:02Z https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624868#M594241 <HTML><HEAD></HEAD><BODY><P>that is correct</P></BODY></HTML> Fri, 14 Jan 2011 18:11:00 GMT https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624868#M594241 Nagaraja Thanthry 2011-01-14T18:11:00Z https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624869#M594243 <HTML><HEAD></HEAD><BODY><P>Thanks! I will give it a shot later today and will et everyone the outcome.</P></BODY></HTML> Fri, 14 Jan 2011 18:12:25 GMT https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624869#M594243 Scott Payne 2011-01-14T18:12:25Z https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624870#M594245 <HTML><HEAD></HEAD><BODY><P>Everything works perfectly!</P><P>Thanks,</P><P>STP</P></BODY></HTML> Fri, 14 Jan 2011 20:11:05 GMT https://community.cisco.com/t5/network-security/access-list-correct/m-p/1624870#M594245 Scott Payne 2011-01-14T20:11:05Z