02-07-2008 10:33 AM - edited 03-05-2019 09:01 PM
I have a specific network 10.32.64.0 that uses ports 6500 and 6600. I don't want any other network to be able to use these ports. How can I do that with an ACL?
02-07-2008 10:39 AM
Hi
access-list 101 deny tcp any 10.32.64.0 255.255.255.0 eq 6500
access-list 101 deny tcp any 10.32.64.0 255.255.255.0 eq 6600
access-list 101 permit ip any any
Apply this outbound on the L3 interface that is for the 10.32.64.0 network, e.g.
int fa0/0
ip access-group 101 out
Note - assumed 10.32.64.0 is a 255.255.255.0 subnet mask and that 6500 & 6600 are TCP ports.
Jon
02-07-2008 08:32 PM
Would it not be
access-list 101 permit tcp any 10.32.64.0 0.0.0.255 eq 6500
access-list 101 permit tcp any 10.32.64.0 0.0.0.255 eq 6600
access-list 101 deny tcp any any eq 6500
access-list 101 deny tcp any any eq 6600
access-list 101 permit ip any any
02-07-2008 09:51 PM
Harold
Looks like we have read the OP's requirements slightly differently. I assumed he meant that no subnets were allowed to access 10.32.64.0 machines on port 6500, 6600.
I'm not sure what your first 2 lines are doing.
To the OP
I have an annoying habit of forgetting to use inverse masks in router acl's, probably due to too much time on pix firewalls :)
The masks should be 0.0.0.255 and not 255.255.255.0 in my access-list entries.
Apologies for that.
Jon
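As an added illustration (not part of the thread, and not Cisco code): the Python script below simulates how IOS evaluates the extended ACL entries posted above, for just the subset of syntax used in this thread. It shows why the wildcard mask matters, which is the point of Jon's last post: with 255.255.255.0 in the wildcard position the entry matches any address whose last octet is 0 and never matches a real host in 10.32.64.0/24, so the list as first posted would not block what it was meant to block. It also runs both readings of the requirement, Jon's (nobody may reach 10.32.64.0 on those ports) and Harold's (only 10.32.64.0 may be reached on those ports), against the same constructed test traffic; 172.16.1.1, 192.168.9.9 and 192.168.1.0 are made-up addresses. The parser, the entry tuples and the evaluate() function are this example's own and not an IOS feature.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care',
    a 0 bit means that bit of addr must equal the same bit of network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | NET WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N action proto SRC [eq P] DST [eq P]' lines,
    the subset of IOS extended-ACL syntax used in this thread."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # ignore blank lines and anything that is not an ACL entry
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport, sport=None):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for action, eproto, esrc, esport, edst, edport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if not wildcard_match(src, *esrc) or not wildcard_match(dst, *edst):
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action
    return "deny"


# Jon's first ACL exactly as posted (a subnet mask where a wildcard belongs).
JON_AS_POSTED = """
access-list 101 deny tcp any 10.32.64.0 255.255.255.0 eq 6500
access-list 101 deny tcp any 10.32.64.0 255.255.255.0 eq 6600
access-list 101 permit ip any any
"""

# The same list with the wildcard Jon later said it should have.
JON_CORRECTED = JON_AS_POSTED.replace("255.255.255.0", "0.0.0.255")

# Harold's reading of the requirement, with wildcard masks.
HAROLD = """
access-list 101 permit tcp any 10.32.64.0 0.0.0.255 eq 6500
access-list 101 permit tcp any 10.32.64.0 0.0.0.255 eq 6600
access-list 101 deny tcp any any eq 6500
access-list 101 deny tcp any any eq 6600
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    # Constructed test traffic: 172.16.1.1 stands in for a host on some other network.
    print(wildcard_match("10.32.64.5", "10.32.64.0", "255.255.255.0"))   # False
    print(wildcard_match("192.168.1.0", "10.32.64.0", "255.255.255.0"))  # True
    print(evaluate(parse_acl(JON_AS_POSTED), "tcp", "172.16.1.1", "10.32.64.5", 6500))  # permit
    print(evaluate(parse_acl(JON_CORRECTED), "tcp", "172.16.1.1", "10.32.64.5", 6500))  # deny
    print(evaluate(parse_acl(HAROLD), "tcp", "172.16.1.1", "192.168.9.9", 6500))        # deny
    print(evaluate(parse_acl(HAROLD), "udp", "172.16.1.1", "192.168.9.9", 6500))        # permit
```

The last line of the demo is the practical consequence of the TCP-only assumption Jon notes: both lists match `tcp` only, so UDP on 6500 falls through to `permit ip any any`. If the application also uses UDP, the same entries need `udp` counterparts.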