Control TCP & UDP connections including HOST thru ACL

markp
Level 1

Hi!

I use ACLs to control TCP & UDP connections passing through my router (C805 & C2500). I am planning to control by host, but after I created a new ACL for that and added it to the IP Access-Group of my Serial interface, the ACL that I added before, which is used to control TCP & UDP connections, was removed since it only needs one ACL. How can I manage this?


6 Replies

Richard Burts
Hall of Fame

You are correct that Cisco router interfaces can specify only one ip access-group in and only one ip access-group out. You cannot have two different access lists active on the same interface in the same direction at the same time.

What you can do is create an access list that combines the statements of the two lists in a single list. Watch carefully the sequence of statements when you combine the lists, and remember that access lists are processed in sequential order until a match is found; then access list processing stops and does not look at any other statements.

HTH

Rick

Thanks for the reply Rick!

Can you help me do this? I am new to this "router configuration". Here is the sample ACL that I made. How can I combine these two ACLs into one?

*ACL to block a host:

access-list 1 deny 127.0.0.1

*ACL to block TCP and UDP ports:

access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any established
access-list 100 deny tcp any any eq 135
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any eq 593
access-list 100 deny udp any any eq 135
access-list 100 deny udp any any eq tftp
access-list 100 deny udp any any eq netbios-ns
access-list 100 permit ip any any

Hi

You can try out this... it should work fine...

access-list 100 deny tcp any any eq 135
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any eq 593
access-list 100 deny udp any any eq 135
access-list 100 deny udp any any eq tftp
access-list 100 deny udp any any eq netbios-ns
access-list 100 deny 127.0.0.1
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any established
access-list 100 permit ip any any

Do revert if you face any problems.

Regards

Thanks for the reply, but this can't be possible. You will get an unrecognized command if you enter this line, since you need a protocol before the host.

What you have is one standard access list which would block anything with a source address of 127.0.0.1 and one extended access list which denies several types of traffic.

To combine them I would rewrite the standard access list as an extended access list:

access-list 100 deny ip host 127.0.0.1 any

which will deny any packet with a source address of 127.0.0.1.

I would put the rewritten statement as the first statement in the new access list followed by the others which would give you this:

access-list 100 remark deny the specific host
access-list 100 deny ip host 127.0.0.1 any
access-list 100 remark block various TCP and UDP ports
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any established
access-list 100 deny tcp any any eq 135
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any eq 593
access-list 100 deny udp any any eq 135
access-list 100 deny udp any any eq tftp
access-list 100 deny udp any any eq netbios-ns
access-list 100 permit ip any any

That should do it.

HTH

Rick
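The ordering point in the reply above, as an added example that is not part of the thread: a small first-match simulator for the combined extended ACL, showing that a web connection from the blocked host is denied only when the host statement precedes "permit tcp any any eq www". The port map, ACL texts and packets are constructed for the example.

```python
# Added example, not from the thread: a first-match simulator for the combined
# extended ACL above. It shows why the host deny has to precede
# "permit tcp any any eq www". ACL texts, port map and packets are constructed.
PORT_NAMES = {"www": 80, "tftp": 69, "netbios-ns": 137}

HOST_FIRST_ACL = """
access-list 100 deny ip host 127.0.0.1 any
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any established
access-list 100 deny tcp any any eq 135
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any eq 593
access-list 100 deny udp any any eq 135
access-list 100 deny udp any any eq tftp
access-list 100 deny udp any any eq netbios-ns
access-list 100 permit ip any any
"""
HOST_DENY = "access-list 100 deny ip host 127.0.0.1 any\n"
# Same statements, but with the host deny appended last (the ordering to avoid).
HOST_LAST_ACL = HOST_FIRST_ACL.replace(HOST_DENY, "") + HOST_DENY

def parse_acl(text):
    """Turn 'access-list 100 ...' lines into (action, proto, src_host, dport, established)."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        action, proto = f[2], f[3]
        src = f[5] if f[4] == "host" else None       # 'host A.B.C.D' or 'any'
        rest = f[7:] if f[4] == "host" else f[6:]    # tokens after the destination
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dport, rest == ["established"]))
    return rules

def evaluate(rules, pkt):
    """Action of the first matching statement; an ACL ends in an implicit deny."""
    for action, proto, src, dport, established in rules:
        if (proto in ("ip", pkt["proto"])
                and (src is None or src == pkt["src"])
                and (dport is None or dport == pkt["dport"])
                and (not established or pkt.get("established", False))):
            return action
    return "deny"

if __name__ == "__main__":
    web = {"proto": "tcp", "src": "127.0.0.1", "dport": 80}   # the thread's example host
    print("host deny first:", evaluate(parse_acl(HOST_FIRST_ACL), web))  # deny
    print("host deny last: ", evaluate(parse_acl(HOST_LAST_ACL), web))   # permit
```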

markp
Level 1

Thanks for that. I have already included that in my config and am monitoring whether it blocks this host. Will keep you informed.