Help with block a range of port to an IP

kpoon
Level 1

We have a Cisco 1841.

Fast0/0 with 30.104.104.2 (IP to ISP)

FAST0/1 with 30.103.103.129/27 (our public ip block)

I would like to specifically block any incoming (from the internet) access on ports 1-1024 to only 30.103.103.135 (one of our public systems).

How can I do that?

I have tried:

access-list 101 deny tcp any lt 1025 host 30.103.103.135

The moment I apply it to either fast0/0 or fast0/1, it cuts all access. Could someone help?

Thanks in advance


Jon Marshall
Hall of Fame

Hi

Okay, firstly there is an implicit deny at the end of any access-list, so you need to modify your access-list to

access-list 101 deny tcp any lt 1025 host 30.103.103.135

access-list 101 permit ip any any

Secondly, this access-list is blocking any IP address on ports 1 -> 1024 connecting to 30.103.103.135 on any port. Is this what you actually want, or do you want to stop any IP connecting to 30.103.103.135 on ports 1 -> 1024?

Jon

Hi Jon,

I want to stop any IP connecting to 30.103.103.135 on ports 1 -> 1024, anything above 1024 is allowed.

Does it matter if I apply the access list to FAST0/0 or FAST0/1?

Ken

In your case I believe that the same access list could be used on either FA0/0 or on FA0/1. On FA0/0 (connecting to ISP) it would be applied as inbound. On FA0/1 (connecting to your LAN) it would be applied outbound.

HTH

Rick


Ken

Agree with Rick on which direction to apply.

I am still unsure as to which ports. When you say ports 1-1024, is that

1) ports 1 - 1024 on any IP connecting to 30.103.103.135, i.e. the source port from any IP

or

2) ports 1 - 1024 on 30.103.103.135

If 1) your access-list is correct

If 2) you need to modify

access-list 101 deny tcp any host 30.103.103.135 lt 1025

HTH

Jon

Thank you very much for all your help. I will test it out later today.

I will change the access-list to case(2) which is what we want.

It only seems to work with

access-list 101 deny tcp any host 30.103.103.135 range 1 1024

not lt 1025. But at least it seems to be working.

Thanks a lot.

Ken
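The three points made in this thread (the implicit deny that cut all access when the single deny line was applied, the difference between a port operator placed after the source and after the destination, and the `range 1 1024` form Ken ended up with) can be checked without a router. The following is an added example, not Cisco code and not from anyone in the thread: a small Python evaluator for the numbered extended-ACL lines used above. It handles only the `any` / `host A.B.C.D` address forms and the `eq`, `lt`, `gt` and `range` port operators; the sample flows and source addresses are constructed.

```python
"""Stand-alone evaluator for the numbered extended-ACL lines in this thread.

Added illustration, not Cisco IOS code. It parses lines shaped like

    access-list <n> {permit|deny} {ip|tcp|udp} <src> [op ports] <dst> [op ports]

where <src>/<dst> are "any" or "host A.B.C.D" and op is eq, lt, gt or range,
then walks the list top-down and applies IOS's implicit deny at the end.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # inclusive (lo, hi); None means "any port"


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp" or "udp"
    src: str     # "any" or a host address
    sport: PortRange
    dst: str
    dport: PortRange


def _port_op(tokens: List[str], i: int) -> Tuple[PortRange, int]:
    """Translate an IOS port operator at tokens[i] into an inclusive range.

    IOS semantics: eq is exact, lt/gt are strict, range is inclusive at both ends.
    Returns (range, index of the next unconsumed token).
    """
    if i >= len(tokens):
        return None, i
    op = tokens[i]
    if op == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if op == "lt":
        return (0, int(tokens[i + 1]) - 1), i + 2
    if op == "gt":
        return (int(tokens[i + 1]) + 1, 65535), i + 2
    if op == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i  # no operator present: any port


def _endpoint(tokens: List[str], i: int) -> Tuple[str, int]:
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form {tokens[i]!r} (only any/host handled)")


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    proto = t[3]
    src, i = _endpoint(t, 4)
    sport, i = _port_op(t, i) if proto != "ip" else (None, i)
    dst, i = _endpoint(t, i)
    dport, i = _port_op(t, i) if proto != "ip" else (None, i)
    return Ace(t[2], proto, src, sport, dst, dport)


def _in(r: PortRange, port: int) -> bool:
    return r is None or r[0] <= port <= r[1]


def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src) and _in(ace.sport, pkt.sport)
            and ace.dst in ("any", pkt.dst) and _in(ace.dport, pkt.dport))


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for ace in map(parse_ace, acl):
        if matches(ace, pkt):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS access-list


# The ACL variants from the thread (copied from the posted lines).
AS_FIRST_POSTED = ["access-list 101 deny tcp any lt 1025 host 30.103.103.135"]
SOURCE_PORT_FORM = AS_FIRST_POSTED + ["access-list 101 permit ip any any"]
DEST_PORT_FORM = ["access-list 101 deny tcp any host 30.103.103.135 lt 1025",
                  "access-list 101 permit ip any any"]
RANGE_FORM = ["access-list 101 deny tcp any host 30.103.103.135 range 1 1024",
              "access-list 101 permit ip any any"]

# Constructed sample flows arriving from the ISP side (client address is made up).
FLOWS = {
    "web_to_135": Packet("tcp", "198.51.100.10", 51000, "30.103.103.135", 80),
    "high_to_135": Packet("tcp", "198.51.100.10", 51001, "30.103.103.135", 8080),
    "web_to_other": Packet("tcp", "198.51.100.10", 51002, "30.103.103.140", 80),
    "low_src_to_135": Packet("tcp", "198.51.100.10", 25, "30.103.103.135", 3389),
}


def demo() -> dict:
    """Verdict of every sample flow under every ACL variant."""
    acls = {"as_first_posted": AS_FIRST_POSTED, "source_port_form": SOURCE_PORT_FORM,
            "dest_port_form": DEST_PORT_FORM, "range_form": RANGE_FORM}
    return {name: {f: evaluate(acl, p) for f, p in FLOWS.items()} for name, acl in acls.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name)
        for flow, verdict in verdicts.items():
            print(f"  {flow:16s} {verdict}")
```

Running it shows why the original single line "cut all access": with no permit entry every flow, including a harmless client on port 51000 to port 80, falls through to the implicit deny. With `permit ip any any` added, the source-port form lets the port-80 client through and only blocks connections whose source port is below 1025, while the destination-port form blocks port 80 on .135 but still permits port 8080 on .135 and port 80 on other hosts. `lt 1025` expands to ports 0-1024 and `range 1 1024` to 1-1024, so in this evaluator they differ only for destination port 0. Two caveats worth keeping in mind when this goes on the 1841: the deny is `tcp` only, so UDP services below 1024 on .135 (DNS, SNMP, NTP) are still reachable unless a matching `deny udp` line is added; and while `ip access-group 101 in` on FastEthernet0/0 and `ip access-group 101 out` on FastEthernet0/1 filter ISP-to-LAN traffic the same way, only the inbound form on Fa0/0 also sees packets addressed to the router itself.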

I am glad that you got it working. Thanks for posting back to the forum, indicating that it was working and what you did to get it to work. It helps the forum when we can see the solution to the issue that was raised.

HTH

Rick
