12-27-2005 01:17 PM - edited 02-20-2020 09:35 PM
I'm considering putting this ACL on the inside interface to prevent the following ports from going out to the 'net. I don't want to interrupt the other IP traffic and was hoping for just a sanity check to make sure I'm doing this one right. I'd hate to mess up my inside interface.
access-list 130 deny tcp any any eq 135
access-list 130 deny udp any any eq 135
access-list 130 deny udp any any eq netbios-ns
access-list 130 deny udp any any eq netbios-dgm
access-list 130 deny tcp any any eq 138
access-list 130 deny tcp any any eq netbios-ssn
access-list 130 deny tcp any any eq 445
access-list 130 deny tcp any any eq 593
access-list 130 deny tcp any any range 3127 3199
access-list 130 permit ip any any
I'm not sure if I should put the "permit ip any any" at the end of the ACL or at the beginning.
12-27-2005 03:22 PM
The entry permitting any any must be placed at the end of the ACL, as the ACL works in order.
12-27-2005 03:24 PM
Thanks, I'll be implementing that this week. I was afraid that if I put the any any at the end it would just negate all the previous lines.
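The answer above turns on one rule: an IOS ACL is evaluated top to bottom, the first matching entry decides, and anything that matches nothing is dropped by the implicit deny at the end. The small simulator below is an added example (not code from the thread or from Cisco) that models only the syntax used in access-list 130 (deny/permit, tcp/udp/ip, any any, eq, range) and replays the poster's ACL against a few constructed packets. It shows why "permit ip any any" at the end does not negate the deny lines, why the same line at the top would shadow every entry after it, and what happens when the permit is left out entirely. Applying the list to an interface (for example with "ip access-group 130 in") is outside what the code models.

```python
"""First-match simulation of an IOS-style numbered ACL (added example).

Only the subset of syntax used in the thread is supported:
  access-list N {deny|permit} {tcp|udp|ip} any any [eq PORT | range LO HI]
plus the implicit 'deny' that ends every IOS ACL.
"""

# IOS port names that appear in the thread, resolved to numbers.
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# The poster's ACL, copied from the thread as constructed input.
ACL_130 = [
    "access-list 130 deny tcp any any eq 135",
    "access-list 130 deny udp any any eq 135",
    "access-list 130 deny udp any any eq netbios-ns",
    "access-list 130 deny udp any any eq netbios-dgm",
    "access-list 130 deny tcp any any eq 138",
    "access-list 130 deny tcp any any eq netbios-ssn",
    "access-list 130 deny tcp any any eq 445",
    "access-list 130 deny tcp any any eq 593",
    "access-list 130 deny tcp any any range 3127 3199",
    "access-list 130 permit ip any any",
]

# The mistake the poster asked about: the same entries with the permit first.
PERMIT_FIRST = [ACL_130[-1]] + ACL_130[:-1]

# The same list with the permit left out, to show the implicit deny.
NO_PERMIT = ACL_130[:-1]


def _port(token):
    """Resolve a numeric or IOS-named destination port."""
    return int(token) if token.isdigit() else NAMED_PORTS[token]


def parse_ace(line):
    """Parse one access-list entry into action, protocol and port range."""
    tok = line.split()
    if tok[0] != "access-list" or tok[4:6] != ["any", "any"]:
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, lo, hi = tok[2], tok[3], None, None
    if len(tok) > 6:
        if tok[6] == "eq":
            lo = hi = _port(tok[7])
        elif tok[6] == "range":
            lo, hi = _port(tok[7]), _port(tok[8])
        else:
            raise ValueError(f"unsupported port match: {line}")
    return {"action": action, "proto": proto, "lo": lo, "hi": hi}


def ace_matches(ace, proto, dport):
    """'ip' matches any protocol; an entry without a port matches any port."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    return ace["lo"] is None or ace["lo"] <= dport <= ace["hi"]


def evaluate(acl_lines, proto, dport):
    """Return (action, index) of the first matching entry.

    Returns ('deny', None) when nothing matches: the implicit deny.
    """
    for idx, line in enumerate(acl_lines):
        if ace_matches(parse_ace(line), proto, dport):
            return parse_ace(line)["action"], idx
    return "deny", None


def shadowed_entries(acl_lines):
    """Indices of entries that can never match because an earlier
    'ip any any' entry without a port already matches every packet."""
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace["proto"] == "ip" and ace["lo"] is None:
            return list(range(idx + 1, len(acl_lines)))
    return []


if __name__ == "__main__":
    # Constructed packets: (protocol, destination port).
    packets = [("tcp", 445), ("udp", 137), ("tcp", 3150), ("tcp", 80), ("udp", 445)]
    for name, acl in (("permit last", ACL_130), ("permit first", PERMIT_FIRST),
                      ("no permit", NO_PERMIT)):
        print(f"--- {name}: shadowed entries {shadowed_entries(acl)}")
        for proto, dport in packets:
            print(f"{proto}/{dport}: {evaluate(acl, proto, dport)}")
```

With the permit last, TCP 445 and UDP 137 hit their deny lines, TCP 3150 hits the range entry, and web traffic on TCP 80 falls through to the permit. With the permit first, every packet matches entry 0 and the nine deny lines are dead. With no permit at all, TCP 80 is dropped by the implicit deny, which is the "interrupt the other IP traffic" outcome the poster wanted to avoid. The simulator also makes a gap in the list visible: UDP 445 is permitted, because the posted entries only deny TCP 445.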
08-10-2011 08:22 AM
Hi!
Can someone help me and explain what I'm doing wrong by setting up ACLs?
It seems that on my SG 300-52 the following setup blocks all access on port 3 instead of blocking only for MAC xx:xx:xx:xx:5f:b6
Many thanks in advance!