Access-list not blocking traffic correctly

Thomas Ossman (Level 1)

I apologize if this is the wrong place to be asking this and if this is something easily searched for. I just got thrown into a Network Administrator position for a small WISP. The guy I am replacing did not keep good documentation, so I'm dealing with that on top of the fact that I do not have nearly enough experience to be called a Network Admin.

So we have a commercial customer who has a few buildings within our service area; we provide a backup Internet connection for them as well as private links between their locations, and their main Internet feed is provided by Comcast. We help them manage their Cisco routers when they cannot figure something out; the router in question is a 2821. They're having a problem with their phone server's web page being accessible from outside their network; the valid IP address for this phone server is one from Comcast. They had the guy whose position I have been thrown into come out to block that access; he created an access-list on their router and applied it to the interface that Comcast plugs into. From my limited knowledge about access-lists it looks like it should be working, but sure enough, when I type in the valid IP of their phone server I am taken right to its welcome page. Below I have included the relevant lines from the running-config on the router as well as the relevant output from "show ip access-lists". Any help would be much appreciated.

From running-config:

interface GigabitEthernet0/1
 description Comcast Internet
 ip address x.x.x.85 255.255.255.248
 ip access-group 104 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn1

access-list 104 permit udp host 64.136.174.30 eq 5060 host x.x.x.81 eq 5060
access-list 104 permit udp host 64.136.174.31 eq 5060 host x.x.x.81 eq 5060
access-list 104 deny   udp any eq 5060 host x.x.x.81 eq 5060
access-list 104 deny   tcp any eq www host x.x.x.81 eq www
access-list 104 deny   udp any eq 80 host x.x.x.81 eq 80
access-list 104 permit ip any any

Output of show ip access-lists:

Extended IP access list 104
    10 permit udp host 64.136.174.30 eq 5060 host x.x.x.81 eq 5060 (7141 matches)
    20 permit udp host 64.136.174.31 eq 5060 host x.x.x.81 eq 5060 (7101 matches)
    30 deny udp any eq 5060 host x.x.x.81 eq 5060 (466 matches)
    40 deny tcp any eq www host x.x.x.81 eq www
    50 deny udp any eq 80 host x.x.x.81 eq 80
    60 permit ip any any (92626384 matches)


2 Replies

Jon Marshall (Hall of Fame), accepted solution

access-list 104 deny   tcp any eq www host x.x.x.81 eq www

Is that the line that is meant to block traffic?

If so, it won't work, because the source port is never port 80, so it doesn't match and the traffic then matches the "permit ip any any" at the end.

It should read:

access-list 104 deny  tcp any host x.x.x.81 eq www

You need to remove the other line and add that one.

Note that you may or may not need to recreate the whole ACL; it depends on your IOS.

If you just type in the new line it will be added after the last line, and so it will never be matched, so you need to make sure it is inserted before that line.

If you do have to recreate the ACL, make sure you have the last line there or you will cut off all Internet traffic.

Jon
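
To see exactly why the original line 40 never fires, here is an added example (not code from the thread, from Cisco, or from either poster): a small Python evaluator that applies IOS extended-ACL first-match semantics, including the implicit deny at the end, to the ACL from the thread and to a constructed inbound HTTP request. 192.0.2.81 stands in for the redacted x.x.x.81 and 198.51.100.7 for an arbitrary Internet client (both documentation ranges); every packet is constructed. It also exercises the two pitfalls Jon raises: the corrected line simply typed in lands after "permit ip any any" and never matches, and the deny only covers port 80, so whether the phone server also listens on 443 is something to check separately.

```python
"""IOS extended-ACL evaluator: first match wins, implicit 'deny ip any any' last.

Added example, not from the original thread or Cisco.  192.0.2.81 replaces the
redacted x.x.x.81; 198.51.100.7 is a made-up Internet client; packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "telnet": 23, "smtp": 25}
AddrSpec = Union[str, Tuple[str, str]]  # "any", "A.B.C.D" (host) or (addr, wildcard)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]   # None = no 'eq' qualifier = any port
    dst: AddrSpec
    dport: Optional[int]


def _parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return (tok[i], tok[i + 1]), i + 2           # address + wildcard mask


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Only 'eq <port|name>' is handled, which is all the thread's ACL uses."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(config: str) -> List[Ace]:
    """Parse 'access-list N action proto src [eq p] dst [eq p]' lines, numbered 10, 20, ..."""
    aces, seq = [], 0
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        seq += 10
        action, proto, i = tok[2], tok[3], 4
        src, i = _parse_addr(tok, i)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        aces.append(Ace(seq, action, proto, src, sport, dst, dport))
    return aces


def _addr_match(spec: AddrSpec, ip: str) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, tuple):                   # wildcard: set bits are "don't care"
        net, wild = (int(ipaddress.IPv4Address(a)) for a in spec)
        return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)
    return spec == ip


def _ace_match(ace: Ace, p: Packet) -> bool:
    return (ace.proto in ("ip", p.proto)
            and _addr_match(ace.src, p.src) and _addr_match(ace.dst, p.dst)
            and (ace.sport is None or ace.sport == p.sport)
            and (ace.dport is None or ace.dport == p.dport))


def evaluate(aces: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """(action, sequence) of the first matching ACE; (deny, None) is the implicit deny."""
    for ace in aces:
        if _ace_match(ace, p):
            return ace.action, ace.seq
    return "deny", None


# The ACL from the thread, with 192.0.2.81 in place of the redacted x.x.x.81.
ORIGINAL_ACL = """
access-list 104 permit udp host 64.136.174.30 eq 5060 host 192.0.2.81 eq 5060
access-list 104 permit udp host 64.136.174.31 eq 5060 host 192.0.2.81 eq 5060
access-list 104 deny   udp any eq 5060 host 192.0.2.81 eq 5060
access-list 104 deny   tcp any eq www host 192.0.2.81 eq www
access-list 104 deny   udp any eq 80 host 192.0.2.81 eq 80
access-list 104 permit ip any any
"""
# Pitfall: the corrected line typed in as-is is appended after 'permit ip any any'.
APPENDED_ACL = ORIGINAL_ACL + "access-list 104 deny   tcp any host 192.0.2.81 eq www\n"
# The accepted fix: no source-port qualifier, and it sits before the final permit.
FIXED_ACL = ORIGINAL_ACL.replace("deny   tcp any eq www host 192.0.2.81 eq www",
                                 "deny   tcp any host 192.0.2.81 eq www")

# Constructed packets.  A browser uses an ephemeral source port, never 80.
WEB_FROM_INTERNET = Packet("tcp", "198.51.100.7", 51514, "192.0.2.81", 80)
HTTPS_FROM_INTERNET = Packet("tcp", "198.51.100.7", 51515, "192.0.2.81", 443)
SIP_FROM_PROVIDER = Packet("udp", "64.136.174.30", 5060, "192.0.2.81", 5060)
SIP_FROM_STRANGER = Packet("udp", "198.51.100.7", 5060, "192.0.2.81", 5060)


def verdicts(packet: Packet = WEB_FROM_INTERNET) -> dict:
    """Verdict for one packet under each ACL variant."""
    return {name: evaluate(parse_acl(acl), packet) for name, acl in
            (("original", ORIGINAL_ACL), ("appended", APPENDED_ACL), ("fixed", FIXED_ACL))}


if __name__ == "__main__":
    for name, (action, seq) in verdicts().items():
        print(f"{name:9s} inbound HTTP  -> {action} (line {seq})")
    print("fixed     inbound HTTPS ->", verdicts(HTTPS_FROM_INTERNET)["fixed"])
```

Running it shows the inbound HTTP request permitted by line 60 under both the original and the appended ACL and denied by line 40 only under the fixed one, while the HTTPS packet still hits "permit ip any any" under every variant. On the router, an IOS release with ACL sequence numbers (12.3 and later) lets you do the edit in place without touching the interface: enter "ip access-list extended 104", then "no 40", then "35 deny tcp any host x.x.x.81 eq www" so the new entry sorts ahead of the final permit. On older images "no access-list 104" deletes the whole list, which is the recreate-it-all case Jon describes; the "permit ip any any" must go back in last. Either way, confirm the result with "show ip access-lists 104" and a fresh browser request, and expect the match counter on the new deny to increment.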

Thomas Ossman (Level 1)

I believe it was the line meant to block traffic. I was able to insert the line "access-list 104 deny tcp any host x.x.x.81 eq www" and remove the other one, and now I cannot get to the phone server's welcome page. Thank you very much for your help; what you said makes perfect sense and I should have caught that myself.
