10-25-2010 06:34 AM - edited 03-11-2019 11:59 AM
I have a need to block a large number of noncontiguous tcp and udp ports for all hosts on the inbound side. An example I saw in O'Reilly says that I can do this with one command line, i.e. "access-list 111 deny tcp any any eq 23 79 509 3888". I'm running 12.4(24)T4. Will this actually work?
10-25-2010 07:12 AM
Hello Manuel,
Thanks a lot for posting. Yes, that will work; it is just permitting the traffic using a range of ports. The only thing is that it will use the range keyword and they will be 2 different ACEs:
access-list 111 deny tcp any any range 23 79
access-list 111 deny tcp any any range 509 3888
Hope it helps
Mike
10-25-2010 09:02 AM
Mike,
Thanks, but not quite what I had in mind. I need to block individual ports not a range. I'm trying to see if I can get away without doing a line for each port.
I did some more research and I think the answer is to use the command sequence
config t
ip access-list extended [name]
deny tcp any any eq 23 79 509 3888
end
I would like to know if anyone has tried this and if it did or did not work
Thanks
Manny
10-25-2010 09:40 AM
That is going to work fine.
An alternative would be to use an object group that had all the ports you want.
I hope it helps.
PK
10-25-2010 09:42 AM
PK,
Thanks, I'll give it a shot.
Manny
10-25-2010 09:44 AM
If it works, please mark the question as answered for future users to benefit.
Regards,
PK
11-01-2010 01:17 PM
A couple of follow-on questions about access lists.
1. When using the ACCESS-LIST EXTENDED command to permit or deny noncontiguous ports, may I use an access-list-number from the appropriate range, or must I use an alphanumeric access-list-name?
2. I must permit and deny both IPv4 and IPv6 services. How do I do that if I can only use one access list per direction per port? The online documentation appears to say that I need a separate ipv6 access-list and ipv6 access-class.
Thanks in advance for any help you can provide.
Manny
11-01-2010 03:02 PM
1. You can do either.
ip access-list extended
permit tcp ...
or
access-list 101 permit tcp ....
2. You indeed need separate ipv6 and ipv4 ACLs. Both are applied on the interface. The syntax for ipv6 changes a little but it is mostly the same with the ipv6 in front of the command. If the router doesn't have ipv6 routing enabled, don't even worry about ipv6 as it is not going to route it.
I hope it helps.
PK
11-02-2010 05:57 AM
Thanks.
Another follow-on, since I have one chance to get this right.
I assume that when using the access-class [name] in and ipv6 access-class [name] in commands on an interface, both will be checked. Is this correct?
For example
interface serial 0/0
access-class [name] in
ipv6 access-class [name] in
! or
ipv6 traffic-filter [name] in
I'm assuming I can't use both.
Is a search order, i.e. ipv4 then ipv6 or the inverse, preferable?
Thanks in advance.
Manny
11-02-2010 09:58 AM
It is not the order. It is the packet, rather.
If the packet hitting the interface is IPv6 and will be routed as IPv6, it will be subject to the IPv6 ACL; if it is an IPv4 packet, it will be subject to the IPv4 ACL.
Rgs,
PK
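The pieces discussed across this thread, pulled together into one configuration as an added example (this is not configuration posted by anyone in the thread). The ACL names BLOCK-IN, BLOCK-IN6, MGMT-HOSTS and MGMT-HOSTS6, the object-group name BLOCKED-SVC, the interface, the management prefixes and the UDP port list are assumptions; the original question only named TCP ports 23, 79, 509 and 3888. The service object-group syntax is written from memory of the IOS object-group feature and should be checked against the 12.4(24)T command reference before use.

```cisco
! --- 1. One ACE, several non-contiguous ports ---------------------------------
! IOS extended ACLs accept up to 10 ports after "eq" (or "neq") in a single ACE,
! so the O'Reilly form works for both numbered and named ACLs. The only thing
! that changes between the two is the leading keyword.
ip access-list extended BLOCK-IN
 remark inbound filter, IPv4 (names assumed for this example)
 deny   tcp any any eq 23 79 509 3888
 deny   udp any any eq 69 161 162
 permit ip any any
!
! Numbered equivalent of the same three ACEs:
access-list 111 deny   tcp any any eq 23 79 509 3888
access-list 111 deny   udp any any eq 69 161 162
access-list 111 permit ip any any
!
! --- 2. IPv6 needs its own ACL -------------------------------------------------
! Same idea with "ipv6" in front. One port per ACE here, because multi-port "eq"
! in IPv6 ACLs is not something this example relies on. The trailing permit is
! explicit so the implicit deny does not swallow everything else.
ipv6 access-list BLOCK-IN6
 remark inbound filter, IPv6
 deny   tcp any any eq 23
 deny   tcp any any eq 79
 deny   tcp any any eq 509
 deny   tcp any any eq 3888
 permit ipv6 any any
!
! --- 3. Applying both on the interface -----------------------------------------
! On an interface the commands are "ip access-group" (IPv4) and
! "ipv6 traffic-filter" (IPv6). There is no search order between them: an IPv4
! packet is only checked against BLOCK-IN, an IPv6 packet only against BLOCK-IN6.
interface Serial0/0
 ip access-group BLOCK-IN in
 ipv6 traffic-filter BLOCK-IN6 in
!
! --- 4. access-class is a line command, not an interface command ---------------
! "access-class" / "ipv6 access-class" control who may open a vty session to the
! router itself; they are applied under "line vty", typically with a
! source-address ACL, not with the port-blocking ACL above.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
ipv6 access-list MGMT-HOSTS6
 permit ipv6 2001:db8:10::/64 any
line vty 0 4
 access-class MGMT-HOSTS in
 ipv6 access-class MGMT-HOSTS6 in
!
! --- 5. Alternative from the thread: a service object group --------------------
! Available from 12.4(20)T. Syntax below is an assumption to verify on the box.
object-group service BLOCKED-SVC
 tcp 23
 tcp 79
 tcp 509
 tcp 3888
 udp 69
ip access-list extended BLOCK-IN-OG
 deny   object-group BLOCKED-SVC any any
 permit ip any any
```

After pasting section 1, run `show ip access-lists BLOCK-IN` (and `show ipv6 access-list BLOCK-IN6`) to confirm how the parser stored the multi-port ACE and to watch the match counters climb when you probe the blocked ports from outside; if the line was silently rejected, the ACE will simply be missing from the output rather than producing an error at a later stage.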