glitterglue
Beginner

Extended ACL's and Blocking World of Warcraft

I need to block World of Warcraft. I have a Cisco 871W router.

I've seen the question posed a couple of times over the past year, however, either I'm still not "getting it", or I'm just leaving something obvious out.

Using CCP 2.3, this is how I currently have my extended ACL configured to block WoW:

    interface FastEthernet4
     description $ES_WAN$$FW_OUTSIDE$
     ip address dhcp client-id FastEthernet4
     ip access-group 101 in
     ip access-group 101 out
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
    ...
    access-list 101 remark Block World of Warcraft
    access-list 101 remark CCP_ACL Category=1
    access-list 101 deny   udp any eq 3724 any eq 3724
    access-list 101 deny   tcp any eq 3724 any eq 3724
    access-list 101 deny   tcp any eq 1119 any eq 1119
    access-list 101 deny   tcp any range 6112 6114 any range 6112 6114
    access-list 101 deny   tcp any eq 4000 any eq 4000
    access-list 101 permit ip any any

As near as I can tell from Blizzard's documentation, I have everything blocked that should be - port 3724 (both TCP & UDP) for actual game play, and the rest of the TCP ports for updates.

So, what am I missing?

Thanks,

Michael

Accepted Solutions
mrdogantr
Beginner

Hi Michael,

I don't know the WoW ports, but I think you can try the config below.

    interface FastEthernet4
     ip access-group 101 out
    access-list 101 remark Block World of Warcraft
    access-list 101 remark CCP_ACL Category=1
    access-list 101 deny   udp any any eq 3724
    access-list 101 deny   tcp any any eq 3724
    access-list 101 deny   tcp any any eq 1119
    access-list 101 deny   tcp any any range 6112 6114
    access-list 101 deny   tcp any any eq 4000
    access-list 101 permit ip any any

hth

Muammer

Your original ACLs were specifying both source and destination ports.

Most client/server conversations are from a randomly chosen source port to a well-known destination port.

For example, an ACL that says deny tcp any eq 80 any eq 80 is not going to block any web browsing because the source port is never going to be 80.

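The source-port point from the answer above, as an added example that is not part of the original thread: a small first-match evaluator for the `any`-to-`any` ACL entries quoted on this page, run against constructed client flows that use ephemeral source ports. The parser, function names and sample flows are assumptions for illustration and cover only the entry syntax used in this thread.

```python
import re

# ACL entries copied from the thread: original (ports on both sides), then corrected.
ORIGINAL = """\
access-list 101 deny   udp any eq 3724 any eq 3724
access-list 101 deny   tcp any eq 3724 any eq 3724
access-list 101 deny   tcp any eq 1119 any eq 1119
access-list 101 deny   tcp any range 6112 6114 any range 6112 6114
access-list 101 deny   tcp any eq 4000 any eq 4000
access-list 101 permit ip any any
"""
CORRECTED = """\
access-list 101 deny   udp any any eq 3724
access-list 101 deny   tcp any any eq 3724
access-list 101 deny   tcp any any eq 1119
access-list 101 deny   tcp any any range 6112 6114
access-list 101 deny   tcp any any eq 4000
access-list 101 permit ip any any
"""
PORTS = r"(?:\s+(eq|range)\s+(\d+)(?:\s+(\d+))?)?"  # optional "eq N" / "range A B"
ENTRY = re.compile(r"access-list\s+\d+\s+(deny|permit)\s+(\w+)\s+any" + PORTS
                   + r"\s+any" + PORTS + r"\s*$")

def port_range(op, lo, hi):
    # No operator means any port; "eq N" is the one-port range N..N.
    return (0, 65535) if op is None else (int(lo), int(hi if op == "range" else lo))

def parse(acl_text):
    rules = []
    for line in acl_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            action, proto, *p = m.groups()
            rules.append((action, proto, port_range(*p[:3]), port_range(*p[3:])))
    return rules

def evaluate(rules, proto, sport, dport):
    # First matching entry wins; IOS ACLs end with an implicit deny.
    for action, rproto, (slo, shi), (dlo, dhi) in rules:
        if rproto in ("ip", proto) and slo <= sport <= shi and dlo <= dport <= dhi:
            return action
    return "deny"
# Constructed client flows: (protocol, ephemeral source port, destination port)
FLOWS = [("tcp", 51514, 3724), ("udp", 49999, 3724), ("tcp", 50500, 6113), ("tcp", 50123, 443)]
def verdicts(acl_text):
    return [evaluate(parse(acl_text), *flow) for flow in FLOWS]
if __name__ == "__main__":
    for flow, old, new in zip(FLOWS, verdicts(ORIGINAL), verdicts(CORRECTED)):
        print(flow, "original:", old, "corrected:", new)
```

With the original entries every game flow falls through to `permit ip any any`, because a deny line only matches when the source port also equals the game port.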

Thanks, Muammer!

Seems I don't quite yet understand how to properly create an ACL using the CCP interface. When I recreated it via the IOS command line, it worked just like a champ!

Again, thanks for pointing me back in the right direction.

Yeah, I've become a bit rusty on ACL's - it dawned on me what was "wrong" once I looked over the corrections after I made them.

Thanks for all the help,

Michael