can't map to win servers after 'virus' acl

ja1064
Level 1

Per a Cisco doc on using ACLs for virus control, I added the following inbound on e0/0 of our router:

access-list 101 deny tcp any any eq smtp log
access-list 101 deny icmp any any echo
access-list 101 deny tcp any any eq 135 log
access-list 101 deny udp any any eq 135 log
access-list 101 deny udp any any eq tftp log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny udp any any eq netbios-ss log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any eq 593 log
access-list 101 deny tcp any any eq 4444 log
access-list 101 permit ip any any

Now users can't map a drive (NetWare client) to Windows servers.

How do I maintain protection and still allow folks to get their work done?

What is the port that is preventing this?

Thanks in advance

2 Replies

zodell
Level 1

If you are trying to connect using the server name you won't be able to because you have NetBIOS blocked with your ACL. Try connecting to the server and the share using the IP address of the server.

Richard Burts
Hall of Fame

Your access list denies several ports that are used for various parts of Windows networking, including mapping and sharing drives and resolving names and addresses.

I believe your primary problem is in this line:

access-list 101 deny tcp any any eq 445 log

but these lines could also be part of your problem:

access-list 101 deny tcp any any eq 135 log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny udp any any eq netbios-ss log

My suggestion would be to change the logic. You could insert lines to permit access to the servers you want your users to access, and then do the deny any any. You can make the destination of the permit statements the individual server addresses if there are not too many of them (which would be most secure), or could permit to the subnets where the servers are if there are a large number. You could also think about specifying the source address in the permit statements to identify the places where your users are located.

HTH

Rick
