Need help closing port 161 (snmp) cisco 3640

g-padilla
Level 1

I've been working on this for a few days and for some reason I can't seem to be able to block port 161.

I'm able to block port 162 with no problem.

I have an access-group 198 on my fa0/0.988

and have the following access list

access-list 198 deny udp any any eq 161

access-list 198 deny icmp any any timestamp-request

access-list 198 deny icmp any any timestamp-reply

access-list 198 deny 53 any any

access-list 198 deny 55 any any

access-list 198 deny 77 any any

access-list 198 deny pim any any

access-list 198 permit ip any any

4 Replies

froggy3132000
Level 3

Are you trying to block SNMP requests to the router, or any SNMP requests that cross that interface?

I'm trying to block SNMP requests from the outside world to the router IP.

A few questions may clarify the situation and help us identify the issue:

- is the Access List applied inbound or outbound on the interface? (that will determine whether 161 is the source port or destination port)

- are you sure that SNMP requests are getting through this interface with the access list applied? Is it possible that SNMP is getting through some other interface instead?

- if you are sure that SNMP is getting through this interface, it might help to change the last line to permit ip any any log. This will generate log messages which might help identify the inconsistency.

HTH

Rick
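
The direction question in the reply above, as an added example that is not part of the original thread: a minimal first-match model in Python (not IOS code) of access-list 198 as posted. It shows that `eq 161` placed after the destination tests the destination port only, so the list catches an SNMP request but not a packet whose source port is 161. The packets, the client port 40000 and the `evaluate` helper are constructed for illustration.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "action proto dport icmp_type")
Packet = namedtuple("Packet", "proto sport dport icmp_type")

# access-list 198 as posted in the question. "eq 161" follows the destination
# "any", so it is a destination-port test; no entry tests the source port.
ACL_198 = [
    Rule("deny", "udp", 161, None),
    Rule("deny", "icmp", None, "timestamp-request"),
    Rule("deny", "icmp", None, "timestamp-reply"),
    Rule("deny", "53", None, None),
    Rule("deny", "55", None, None),
    Rule("deny", "77", None, None),
    Rule("deny", "pim", None, None),
    Rule("permit", "ip", None, None),  # "ip" matches every protocol
]

def evaluate(acl, pkt):
    """Return (action, entry index) for the first matching entry."""
    for index, rule in enumerate(acl):
        if rule.proto not in ("ip", pkt.proto):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
            continue
        return rule.action, index
    return "deny", None  # implicit deny when nothing matches

# Constructed packets: a request toward the SNMP agent and the agent's reply.
snmp_request = Packet("udp", 40000, 161, None)  # destination port 161
snmp_reply = Packet("udp", 161, 40000, None)    # source port 161

if __name__ == "__main__":
    for name, pkt in (("request", snmp_request), ("reply", snmp_reply)):
        action, index = evaluate(ACL_198, pkt)
        print(f"{name}: {action} (entry {index})")
```

The returned entry index plays the role of the `log` keyword suggested above: it identifies which line of the list a packet actually matched.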

Start at the snmp level with

snmp-server community ***** ro 5

5 being the access-list that permits and denies ip from accessing the router via snmp.

Ex.

access-list 5 permit 172.16.12.8

access-list 5 deny 172.16.12.9

access-list 5 deny any log