Port 135 Blocking on Pix 501

gsp
Level 1

We're trying to block inbound and outbound port 135 traffic at one of our sites. When we add the below we block inbound 135 traffic but PCs on the inside can still send traffic out on 135. Any ideas what we need to add or remove?

Thanks

Eric

access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in deny tcp any eq 135 any eq 135
access-list inside_access_in deny tcp any eq 135 any eq 135
access-list inside_access_in permit ip any any
.
.
.
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside


mostiguy
Level 6

That is because your access lists specify 135 as the source port. You want to only specify 135 as the destination port:

access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in deny tcp any any eq 135
access-list inside_access_in deny tcp any any eq 135
access-list inside_access_in permit ip any any

BTW, if you are worried about MS issues, you probably want to think about filtering 445, 137, 138 and 139. 135 is the chattiest port, but you can do file sharing if both sides allow communication to 445.
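To make the source-port versus destination-port distinction concrete, here is an added Python example (not from the thread and not Cisco code) that models first-match evaluation of the ACL lines exactly as posted; the "any"-only host syntax it accepts and the ephemeral source port 49152 are constructed assumptions.

```python
import re

# Minimal matcher for the extended-ACL syntax seen in this thread (an added
# simplification, not a PIX parser): only "any" hosts, optional "eq <port>"
# on source and destination, and a trailing ICMP type such as echo-reply.
_ACE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>any)(?:\s+eq\s+(?P<sport>\d+))?"
    r"\s+(?P<dst>any)(?:\s+eq\s+(?P<dport>\d+))?(?:\s+(?P<itype>[a-z-]+))?\s*$"
)

def parse_ace(line):
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE: %r" % line)
    d = m.groupdict()
    return {"name": d["name"], "action": d["action"], "proto": d["proto"],
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None}

def ace_matches(ace, proto, sport, dport):
    # "eq" pins that side to one port; no "eq" means any port on that side.
    if ace["proto"] not in (proto, "ip"):
        return False
    if ace["sport"] is not None and sport != ace["sport"]:
        return False
    if ace["dport"] is not None and dport != ace["dport"]:
        return False
    return True

def evaluate(acl_lines, name, proto, sport, dport):
    """First matching entry in access-list <name> wins; implicit deny at the end."""
    for ace in map(parse_ace, acl_lines):
        if ace["name"] == name and ace_matches(ace, proto, sport, dport):
            return ace["action"]
    return "deny"

# The inside ACL exactly as posted in the question, and as corrected in the reply.
ORIGINAL_INSIDE = ["access-list inside_access_in deny tcp any eq 135 any eq 135",
                   "access-list inside_access_in permit ip any any"]
FIXED_INSIDE = ["access-list inside_access_in deny tcp any any eq 135",
                "access-list inside_access_in permit ip any any"]

if __name__ == "__main__":
    # A PC opening an RPC endpoint-mapper connection uses an ephemeral source
    # port (49152 here, a constructed value) and destination port 135.
    print("original:", evaluate(ORIGINAL_INSIDE, "inside_access_in", "tcp", 49152, 135))
    print("fixed:   ", evaluate(FIXED_INSIDE, "inside_access_in", "tcp", 49152, 135))
```

Feeding the posted outside_access_in through evaluate shows why the inbound side only appeared to work: nothing in that list permits TCP at all, so the implicit deny at the end catches port 135 along with everything else, not the "eq 135 ... eq 135" entry.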
