ACL for newbies.

angwe23
Level 1

I, unfortunately, don't have the luxury of training myself in Cisco, nor of reading anything in-depth. While the IOS manual clearly states how to create and apply ACLs, I need some help on where to apply them, and how not to cut my entire building off when I apply them to the border router.

Specifically, I'm looking to deny any inbound tcp to the 135-139/netbios and 445/w2k-netbios ports.

I'm doing this on a 2600 series router with IOS 12.2.

Can someone help me, or point me to a useful link?

Thanks.

-Robby

Accepted Solution

gfullage
Cisco Employee

Assuming your outside interface is say, Serial0, you'd do the following:

access-list 100 deny tcp any any range 135 139
access-list 100 deny tcp any any eq 445
access-list 100 permit ip any any

interface Serial0
 ip access-group 100 in

If you want to be more specific and just block those ports going to your specific inside subnet (say it's 100.1.1.0/24), then just replace the 2nd "any" in each line with "100.1.1.0 0.0.0.255".

Keep in mind that some NetBIOS traffic is UDP, so you might want to block that also, simply by adding another access-list line similar to what I've shown but with "udp" instead of "tcp".

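As an added illustration (not part of gfullage's reply and not a Cisco tool), the following Python script evaluates a small subset of IOS extended ACL syntax the way the router does: entries are checked top-down, the first match wins, and a packet that matches no entry hits the implicit deny at the end of every ACL. Feeding it the lines from the reply shows the three things a first-time ACL author wants to confirm before touching the border interface: TCP 445 and 135-139 are dropped, other traffic still passes because of the final permit, and UDP NetBIOS (137/138) slips through until a udp line is added. The 100.1.1.0/24 inside network follows the reply's example; the 203.0.113.x source address and the sample packets are constructed for the demo, and the parser accepts numeric ports only, not IOS port names.

```python
"""Toy evaluator for a subset of Cisco IOS numbered extended ACL syntax.

Added example, not code from the forum post. Supported subset:
'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', 'eq N', 'range N M', numeric
ports only (no port names, no 'established', no 'log').
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[int, int]                 # (network as int, wildcard mask as int)
PortRange = Optional[Tuple[int, int]]  # None means "any port"


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp", "icmp"
    src: Addr
    sport: PortRange
    dst: Addr
    dport: PortRange


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _parse_addr(tok, i):
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1          # wildcard all ones: match anything
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wc = int(ipaddress.IPv4Address(tok[i + 1]))  # IOS wildcard, not a subnet mask
    return (net, wc), i + 2


def _parse_ports(tok, i):
    if i < len(tok) and tok[i] == "eq":
        p = int(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i


def parse_entry(line):
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_ports(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_ports(tok, i)
    if i != len(tok):
        raise ValueError(f"trailing tokens in: {line!r}")
    return Entry(action, proto, src, sport, dst, dport)


def _addr_matches(spec, ip):
    net, wc = spec
    care = ~wc & 0xFFFFFFFF   # wildcard bit 1 = "don't care", so compare the inverse
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def _port_matches(rng, port):
    if rng is None:
        return True
    return port is not None and rng[0] <= port <= rng[1]


def evaluate(lines, pkt):
    """Return 'permit' or 'deny' for pkt; first matching entry wins."""
    for entry in map(parse_entry, lines):
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if not (_addr_matches(entry.src, pkt.src) and _addr_matches(entry.dst, pkt.dst)):
            continue
        if not (_port_matches(entry.sport, pkt.sport) and _port_matches(entry.dport, pkt.dport)):
            continue
        return entry.action
    return "deny"   # every IOS ACL ends with an implicit deny


# The three lines from the accepted answer.
ACL_FROM_POST = [
    "access-list 100 deny tcp any any range 135 139",
    "access-list 100 deny tcp any any eq 445",
    "access-list 100 permit ip any any",
]
# Same ACL plus the UDP NetBIOS line the answer suggests adding.
ACL_WITH_UDP = ACL_FROM_POST[:2] + [
    "access-list 100 deny udp any any range 135 139",
    "access-list 100 permit ip any any",
]
# The mistake the question worries about: forgetting the final permit.
ACL_NO_PERMIT = ACL_FROM_POST[:2]
# Subnet-scoped variant from the answer (inside network 100.1.1.0/24).
ACL_SUBNET = [
    "access-list 100 deny tcp any 100.1.1.0 0.0.0.255 eq 445",
    "access-list 100 permit ip any any",
]

# Constructed sample packets arriving inbound on the outside interface.
SMB_TCP = Packet("tcp", "203.0.113.9", "100.1.1.5", 50000, 445)
NBT_UDP = Packet("udp", "203.0.113.9", "100.1.1.5", 137, 137)
WEB_TCP = Packet("tcp", "203.0.113.9", "100.1.1.5", 50001, 80)
SMB_OTHER_SUBNET = Packet("tcp", "203.0.113.9", "100.1.2.5", 50002, 445)

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_FROM_POST), ("with udp", ACL_WITH_UDP),
                      ("no permit", ACL_NO_PERMIT)):
        for pkt in (SMB_TCP, NBT_UDP, WEB_TCP):
            print(f"{name:10} {pkt.proto}/{pkt.dport:<4} -> {evaluate(acl, pkt)}")
```

Two details the script makes visible: "0.0.0.255" is a wildcard mask (the inverse of the subnet mask, with 1 bits meaning "don't care"), so the reply's "100.1.1.0 0.0.0.255" covers exactly 100.1.1.0/24; and ACL_NO_PERMIT, the list without the closing "permit ip any any", denies the web packet too, which is precisely how a border interface ends up cutting off the whole building.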

4 Replies


Thank you very much.

That's exactly what I needed.

Do you all know a place to get more implementation oriented information about IOS?

The manuals are all I can find.

-Robby

Get the ICND book, it's great for the basics and getting to grips with the real world.

By the way are you in a completely W2K environment?

What does ICND stand for? (Sorry, I'm REALLY new at this and have no real choice but to suddenly be good at it.)

No. We're in a mixed 9x/NT/2k environment. Why?

-Robby