Close all Ports except one.

osaid suliebi
Level 1

Dear

I have a router 881 with 1 WAN and 4 LAN ports. I assigned an IP to the WAN port (ISP config /30, for internet). The ISP provided me a range of real IPs (for internet use); I assigned one real IP (from my range from the ISP) to the VLAN1 interface, and I connected one workstation to one of the LAN ports and assigned this workstation a real IP (also from my range from the ISP), so I can connect to the workstation directly using the real IP of this workstation (the gateway of the workstation is the real IP of the VLAN1 interface).

How can I close all ports to the workstation except 3389??

With regards to all..

8 Replies

Mark Malone
VIP Alumni

I wouldn't have used a public IP on the VLAN 1 interface; you should really use a private range and NAT overload, or you won't be able to expand in the future.

If you want to block all ports but RDP, use an ACL: first allow RDP to your device, then block all other TCP connections to it.

access-list 100 permit tcp any host x.x.x.x eq 3389

access-list 100 deny tcp any any

Then apply the ACL to the VLAN interface:

int vlan 1

access-group 100 in

Many thanks Mark. I set the ACL as above, but after I applied the ACL on the VLAN1 interface (in), I was no longer able to access any ports on my workstation; when I removed the ACL from VLAN 1, I could..

Your advice?

OK, maybe it needs return traffic too. The first line says allow any subnet/host to speak to your host using only TCP port 3389 (RDP); the second line blocks all other TCP traffic (deny to anyone from anywhere).

Can you post what you have configured if it's still not working, and check whether the ACL gets hit with show ip access-list 100.

access-list 100 permit tcp any host x.x.x.x eq 3389

access-list 100 permit tcp host x.x.x.x any eq 3389

access-list 100 deny tcp any any

Configuration:

config
from terminal, memory, or network [terminal]?
guration commands, one per line. End with CNTL/Z.
config)#access-list 100 permit tcp any host (real IP of my workstation) eq 3389
config)#access-list 100 permit tcp host (real IP of my workstation) any eq 3389
config)#access-list 100 deny tcp any any
config)#end
sh
show inter
config
from terminal, memory, or network [terminal]?
guration commands, one per line. End with CNTL/Z.
config)#interf
config)#interface VLAN
config)#interface VLAN 1
config-if)#IP ACCEES
config-if)#ip access
config-if)#ip access-group 100 in
config-if)#end
wr

output of show ip access-lists:

Extended IP access list 100
10 permit tcp any host (real ip of my workstation) eq 3389
20 permit tcp host (real ip of my workstation) any eq 3389
30 deny tcp any any (54 matches)

Regards

Try ip access-group 100 out under the VLAN interface as well.

Did it work?

It seems to work OK.

The output of show ip access-lists after I tried 3389 and 80:

10 permit tcp any host x.x.x.x eq 3389 (26 matches)
20 permit tcp host x.x.x.x any eq 3389
30 deny tcp any any (69 matches)

Many thanks to you, Mr. Mark..

Ah great, that's good :)
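To see which entry of the three-line ACL above a given packet hits in each direction, here is a small evaluator of Cisco extended-ACL matching, added as an example and not code from the thread or from Cisco; it assumes constructed documentation addresses in place of x.x.x.x. An ACL applied "in" on interface Vlan1 is evaluated on packets entering the router from the LAN (the workstation's replies), and "out" on packets leaving the router towards the workstation, so a stateless ACL sees each RDP session twice.

```python
# Added example, not from the thread: a minimal evaluator for the Cisco extended-ACL
# lines above. Semantics modelled: first match wins, implicit deny at the end, and
# "eq N" applies to whichever address (source or destination) it follows.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport")  # proto: "tcp"/"udp"/"icmp"

def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' plus an optional trailing 'eq N'."""
    if tokens[0] == "any":
        addr, rest = None, tokens[1:]
    elif tokens[0] == "host":
        addr, rest = tokens[1], tokens[2:]
    else:
        raise ValueError("only 'any' and 'host' are handled in this example")
    port = None
    if rest and rest[0] == "eq":
        port, rest = int(rest[1]), rest[2:]
    return addr, port, rest

def parse_ace(line):
    """'access-list 100 permit tcp any host 203.0.113.10 eq 3389' -> matcher fields."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    src, sport, rest = _parse_addr(t[4:])
    dst, dport, _ = _parse_addr(rest)
    return dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl, pkt):
    """(sequence number, action) of the first matching entry; (None, 'deny') if none."""
    for seq, a in enumerate(acl, start=1):
        if (a["proto"] in ("ip", pkt.proto) and a["src"] in (None, pkt.src)
                and a["dst"] in (None, pkt.dst) and a["sport"] in (None, pkt.sport)
                and a["dport"] in (None, pkt.dport)):
            return seq * 10, a["action"]   # IOS numbers entries 10, 20, 30, ...
    return None, "deny"                    # implicit deny at the end of every ACL

# Constructed addresses (RFC 5737 documentation ranges) standing in for x.x.x.x.
WS, CLIENT = "203.0.113.10", "198.51.100.7"
ACL_100 = [parse_ace(l) for l in (
    f"access-list 100 permit tcp any host {WS} eq 3389",
    f"access-list 100 permit tcp host {WS} any eq 3389",
    "access-list 100 deny tcp any any")]
# "out" on Vlan1 is traffic leaving the router towards the workstation, "in" is the
# workstation's traffic entering the router, so each session is evaluated twice.
RDP_SYN   = Packet("tcp", CLIENT, WS, 51000, 3389)   # "out": client -> workstation:3389
RDP_REPLY = Packet("tcp", WS, CLIENT, 3389, 51000)   # "in": workstation's SYN-ACK back
HTTP_SYN  = Packet("tcp", CLIENT, WS, 51001, 80)     # "out": a port that should be blocked
PING      = Packet("icmp", CLIENT, WS, 0, 0)         # non-TCP: only the implicit deny applies
```

Entry 20 puts eq on the destination port, so it matches the workstation opening RDP to someone else, not its replies leaving with source port 3389; a stateless ACL needs an entry keyed on the source port (eq placed after the host address) or the established keyword for that return direction.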
