Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
464
Views
0
Helpful
4
Replies

ACL for nwebies.

Go to solution
angwe23
Level 1
Level 1

‎11-21-2002 05:24 PM - edited ‎02-20-2020 09:19 PM

I, unfortunately, don't have the luxury of training myself in Cisco, nor of reading anything in-depth. While the IOS manual clearly states how to create and apply ACLs, I need some help on where to apply them, and how not to cut my entire building off when I apply them to the border router.

Specifically, I'm looking to deny any inbound tcp to the 135-139/netbios and 445/w2k-netbios ports.

I'm doing this on a 2600 series router with IOS 12.2.

Can someone help me, or point me to a useful link?

Thanks.

-Robby

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎11-21-2002 05:37 PM

Assuming your outside interface is say, Serial0, you'd do the following:

access-list 100 deny tcp any any range 135 139

access-list 100 deny tcp any any eq 445

access-list 100 permit ip any any

interface Serial0

ip access-group 100 in

If you want to be more specific and just block those ports going to your specific inside subnet (say it's 100.1.1.0/24), then just replace the 2nd "any" in each line with "100.1.1.0 0.0.0.255"

Keep in mind that some Netbios traffc is UDP, so you might want to block that also, simply by adding another access-list line in similar to what I've shown but with "udp" instead of "tcp".

View solution in original post

0 Helpful
4 Replies 4

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎11-21-2002 05:37 PM

Assuming your outside interface is say, Serial0, you'd do the following:

access-list 100 deny tcp any any range 135 139

access-list 100 deny tcp any any eq 445

access-list 100 permit ip any any

interface Serial0

ip access-group 100 in

If you want to be more specific and just block those ports going to your specific inside subnet (say it's 100.1.1.0/24), then just replace the 2nd "any" in each line with "100.1.1.0 0.0.0.255"

Keep in mind that some Netbios traffc is UDP, so you might want to block that also, simply by adding another access-list line in similar to what I've shown but with "udp" instead of "tcp".

0 Helpful

Go to solution
angwe23
Level 1
Level 1
In response to gfullage

‎11-22-2002 12:22 PM

Thank you very much.

That's exactly what I needed.

Do you all know a place to get more implementation oriented information about IOS?

The manuals are all I can find.

-Robby

0 Helpful

Go to solution
wynneit
Level 1
Level 1
In response to angwe23

‎11-24-2002 03:12 PM

Get the ICND book its great for the basics and getting to grips with the real world.

By the way are you in a completely W2K environment?

0 Helpful

Go to solution
angwe23
Level 1
Level 1
In response to wynneit

‎11-25-2002 09:46 AM

What does ICND stand for? (Sorry, I'm REALLY new at this and have no real choice but to suddenly be good at it.)

No. We're in a mixed 9x/NT/2k environment. Why?

-Robby

0 Helpful
Customers Also Viewed These Support Documents