Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
908
Views
15
Helpful
7
Replies

Access-list correct?

Go to solution
Scott Payne
Level 1
Level 1

‎01-14-2011 09:47 AM - edited ‎03-11-2019 12:35 PM

Hello everyone!

I am working on locking down the access to the internet and wanted to do a quick test. Below is my config with the new line of code in bold. I am trying to block specific ports while allowing everything else.

My question is: "Will this work?"


access-list 101 extended permit tcp host 10.1.5.80 any eq smtp
access-list 101 extended permit tcp host 10.1.5.91 any eq smtp
access-list 101 extended permit tcp host 10.1.5.50 any eq smtp
access-list 101 extended deny tcp any any eq smtp
access-list 101 extended deny tcp any any range 1495 - 2597
access-list 101 extended permit ip any any

Thanks,

Scott

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dan-Ciprian Cicioiu
Level 7
Level 7

‎01-14-2011 10:01 AM

If you want to block all the TCP flows with the dst port 1495 - 2597 :

- remove the "-" between the range

access-list 101 deny tcp any any range 1495 2597

Dan

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎01-14-2011 09:53 AM

Hello,

So, the three devices (.80/91/50) are your mail servers that will be talking to external mail servers. Is that correct? Also, what device you are implementing this access-list on? If it is on a dedicated firewall (PIX/ASA), this should work fine. If you are doing it on a router, then you might need to make sure that none of the servers are being contacted by the external clients using source port in the range of 1495 - 2597.

Hope this helps.

Regards,

NT

Go to solution
Scott Payne
Level 1
Level 1
In response to Nagaraja Thanthry

‎01-14-2011 09:59 AM

This is on an ASA 5520. And I am only trying to block a range of ports for testing. Once everything starts to look correct, I was planning to remove the ip any any statement and just add permit statements for the specific ports. I did this range so i could try and break internet messenger as a test. We have no devices utilizing these ports.

If I am understanding correctly, I see that it should successfully block IM traffic and allow everything else.

0 Helpful

Go to solution
Dan-Ciprian Cicioiu
Level 7
Level 7
In response to Scott Payne

‎01-14-2011 10:05 AM

You might try using NBAR , on the internet router , and drop based on NBAR

scanning.

Dan

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to Scott Payne

‎01-14-2011 10:11 AM

that is correct

Go to solution
Dan-Ciprian Cicioiu
Level 7
Level 7

‎01-14-2011 10:01 AM

If you want to block all the TCP flows with the dst port 1495 - 2597 :

- remove the "-" between the range

access-list 101 deny tcp any any range 1495 2597

Dan

0 Helpful

Go to solution
Scott Payne
Level 1
Level 1
In response to Dan-Ciprian Cicioiu

‎01-14-2011 10:12 AM

Thanks! I will give it a shot later today and will et everyone the outcome.

0 Helpful

Go to solution
Scott Payne
Level 1
Level 1
In response to Scott Payne

‎01-14-2011 12:11 PM

Everything works perfectly!

Thanks,

STP

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card