01-31-2011 09:55 AM - edited 03-06-2019 03:17 PM
I need to block World of Warcraft. I have a Cisco 871W router.
I've seen the question posed a couple of times over the past year; however, either I'm still not "getting it", or I'm just leaving something obvious out.
Using CCP 2.3, this is how I currently have my extended ACL configured to block WoW:
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
...
access-list 101 remark Block World of Warcraft
access-list 101 remark CCP_ACL Category=1
access-list 101 deny udp any eq 3724 any eq 3724
access-list 101 deny tcp any eq 3724 any eq 3724
access-list 101 deny tcp any eq 1119 any eq 1119
access-list 101 deny tcp any range 6112 6114 any range 6112 6114
access-list 101 deny tcp any eq 4000 any eq 4000
access-list 101 permit ip any any
As near as I can tell from Blizzard's documentation, I have everything blocked that should be - port 3724 (both TCP & UDP) for actual game play, and the rest of the TCP ports for updates.
So, what am I missing?
Thanks,
Michael
01-31-2011 01:05 PM
Hi Michael,
I don't know WoW ports but I think you can try the config below.
interface FastEthernet4
ip access-group 101 out
access-list 101 remark Block World of Warcraft
access-list 101 remark CCP_ACL Category=1
access-list 101 deny udp any any eq 3724
access-list 101 deny tcp any any eq 3724
access-list 101 deny tcp any any eq 1119
access-list 101 deny tcp any any range 6112 6114
access-list 101 deny tcp any any eq 4000
access-list 101 permit ip any any
hth
Muammer
01-31-2011 06:47 PM
Your original ACLs were specifying both source and destination ports.
Most client/server conversations are from a randomly chosen source port to a well-known destination port.
For example an ACL that says deny tcp any eq 80 any eq 80 is not going to block any web browsing because the source port is never going to be 80.
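The source-port point made in the reply above, as an added example that is not part of the original thread: a small Python first-match evaluator that runs a constructed client packet through the original and the corrected ACL. The function names are hypothetical, and it understands only the `any` / `eq` / `range` syntax used in this thread.

```python
import re
# Added example: first-match evaluation of the extended ACL entries from this thread.
# Remark lines are left out; only "any" addresses with optional eq/range are parsed.
PORTS = r"(?: eq (\d+)| range (\d+) (\d+))?"
RULE = re.compile(rf"access-list \d+ (deny|permit) (ip|tcp|udp) any{PORTS} any{PORTS}$")

ORIGINAL = """\
access-list 101 deny udp any eq 3724 any eq 3724
access-list 101 deny tcp any eq 3724 any eq 3724
access-list 101 deny tcp any eq 1119 any eq 1119
access-list 101 deny tcp any range 6112 6114 any range 6112 6114
access-list 101 deny tcp any eq 4000 any eq 4000
access-list 101 permit ip any any
"""
CORRECTED = """\
access-list 101 deny udp any any eq 3724
access-list 101 deny tcp any any eq 3724
access-list 101 deny tcp any any eq 1119
access-list 101 deny tcp any any range 6112 6114
access-list 101 deny tcp any any eq 4000
access-list 101 permit ip any any
"""

def _span(eq, lo, hi):
    """Turn one optional port qualifier into an inclusive (low, high) range."""
    if eq:
        return int(eq), int(eq)
    return (int(lo), int(hi)) if lo else (0, 65535)  # no qualifier: any port

def parse(acl_text):
    rules = []
    for line in acl_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line}")
        g = m.groups()
        rules.append((g[0], g[1], _span(*g[2:5]), _span(*g[5:8])))
    return rules

def evaluate(acl_text, proto, sport, dport):
    """Return the action of the first matching entry, as IOS does."""
    for action, rproto, (slo, shi), (dlo, dhi) in parse(acl_text):
        if rproto in ("ip", proto) and slo <= sport <= shi and dlo <= dport <= dhi:
            return action
    return "deny"  # implicit deny ends every IOS ACL

# Constructed packet: game client on ephemeral source port 51515 to server port 3724.
print(evaluate(ORIGINAL, "tcp", 51515, 3724), evaluate(CORRECTED, "tcp", 51515, 3724))  # permit deny
```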
01-31-2011 03:54 PM
Thanks, Muammer!
Seems I don't quite yet understand how to properly create an ACL using the CCP interface. When I recreated it via the IOS command line, it worked just like a champ!
Again, thanks for pointing me back in the right direction.
02-01-2011 07:18 AM
Yeah, I've become a bit rusty on ACLs - it dawned on me what was "wrong" once I looked over the corrections after I made them.
Thanks for all the help,
Michael