Solved: Re: Extended ACL's and Blocking World of Warcraft

glitterglue · ‎01-31-2011

I need to block World of Warcraft. I have a Cisco 871W router.

I've seen the question posed a couple of times over the past year, however, either I'm still not "getting it", or I'm just leaving something obvious out.

Using CCP 2.3, this is how I currently have my extended ACL configured to block WoW:

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address dhcp client-id FastEthernet4

ip access-group 101 in

ip access-group 101 out

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

...

access-list 101 remark Block World of Warcraft

access-list 101 remark CCP_ACL Category=1

access-list 101 deny udp any eq 3724 any eq 3724

access-list 101 deny tcp any eq 3724 any eq 3724

access-list 101 deny tcp any eq 1119 any eq 1119

access-list 101 deny tcp any range 6112 6114 any range 6112 6114

access-list 101 deny tcp any eq 4000 any eq 4000

access-list 101 permit ip any any

As near as I can tell from Blizzard's documention, I have everything blocked that should be - port 3724 (both TCP & UDP) for actual game play, and the rest of the TCP ports for updates.

So, what am I missing?

Thanks,

Michael

mrdogantr · ‎01-31-2011

Hi Michael,

I don't know wow ports but i think you can try config below.

interface FastEthernet4

ip access-group 101 out

access-list 101 remark Block World of Warcraft

access-list 101 remark CCP_ACL Category=1

access-list 101 deny udp any any eq 3724

access-list 101 deny tcp any any eq 3724

access-list 101 deny tcp any any eq 1119

access-list 101 deny tcp any any range 6112 6114

access-list 101 deny tcp any any eq 4000

access-list 101 permit ip any any

hth

Muammer

View solution in original post

j-mccarthy · ‎01-31-2011

Your original ACLs were specifying both source and destination ports.

Most client/server conversations are from a randomly chosen source port to a well known destination port.

For example an ACL that says deny tcp any eq 80 any eq 80 is not going to block any web browsing because the source port is never going to be 80.

View solution in original post

mrdogantr · ‎01-31-2011

Hi Michael,

I don't know wow ports but i think you can try config below.

interface FastEthernet4

ip access-group 101 out

access-list 101 remark Block World of Warcraft

access-list 101 remark CCP_ACL Category=1

access-list 101 deny udp any any eq 3724

access-list 101 deny tcp any any eq 3724

access-list 101 deny tcp any any eq 1119

access-list 101 deny tcp any any range 6112 6114

access-list 101 deny tcp any any eq 4000

access-list 101 permit ip any any

hth

Muammer

glitterglue · ‎01-31-2011

Thanks, Muammer!

Seems I don't quite yet understand how to properly create an ACL using the CCP interface. When I recreated it via the IOS command line, it worked just like a champ!

Again, thanks for pointing me back in the right direction.

j-mccarthy · ‎01-31-2011

Your original ACLs were specifying both source and destination ports.

Most client/server conversations are from a randomly chosen source port to a well known destination port.

For example an ACL that says deny tcp any eq 80 any eq 80 is not going to block any web browsing because the source port is never going to be 80.

glitterglue · ‎02-01-2011

Yeah, I've become a bit rusty on ACL's - it dawned on me what was "wrong" once I looked over the corrections after I made them.

Thanks for all the help,

Michael