4628 Views | 5 Helpful | 2 Replies

How to close port?

Sylvain Brault (Level 1)

Hello,


I use an access list to close ports on entry from the internet, but when I scan the ports from the internet, the port is still open (for instance 53, or domain). Does anyone have any idea?

I have a Cisco 1921 router on IOS 15.3


Here is a part of my configuration:

interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group RESTRICT_ENTRY_INTERNET in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxxx
!
ip access-list extended RESTRICT_ENTRY_INTERNET
 deny   tcp any any eq telnet
 deny   tcp any any eq 22
 deny   tcp any any eq www
 deny   tcp any any eq 443
 permit ip any any
 deny   tcp any any eq domain

2 Accepted Solutions

cadet alain (VIP Alumni)

Hi,

> permit ip any any
> deny   tcp any any eq domain

Any traffic, including traffic destined to port 53, will hit the first permit, so put your permit at the end, like this:

ip access-list extended RESTRICT_ENTRY_INTERNET
 no 50
 60 deny udp any any eq domain
 70 permit ip any any

Regards

Alain

Don't forget to rate helpful posts.


Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

As Alain noted, your permit ip any any is before your deny udp (for DNS). Remember, UDP is part of IP, i.e. an IP rule "covers" UDP traffic too.

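The two answers above make one point: an IOS ACL is evaluated top down, the first matching entry wins, and a "permit ip" entry matches UDP and TCP alike, so anything placed after it never fires. The following first-match evaluator is an added example, not code from the thread or from Cisco; it parses the ACL lines posted here and checks what each order does to port 53. The corrected list it carries is an assumption of this example: it adds the UDP deny under its own sequence number rather than reusing 60, which the posted list already occupies with the TCP deny, and keeps the permit last.

```python
# Added example, not from the thread: a first-match evaluator for the
# extended-ACL lines above; shows why the original order leaves port 53 open.
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53}  # IOS port keywords

# The OP's list as posted (entries in match order).
ORIGINAL_ACL = """
deny   tcp any any eq telnet
deny   tcp any any eq 22
deny   tcp any any eq www
deny   tcp any any eq 443
permit ip any any
deny   tcp any any eq domain
"""

# Corrected list (constructed here): every deny first, DNS on tcp and udp,
# the permit last so it cannot shadow anything.
FIXED_ACL = """
10 deny   tcp any any eq telnet
20 deny   tcp any any eq 22
30 deny   tcp any any eq www
40 deny   tcp any any eq 443
50 deny   tcp any any eq domain
60 deny   udp any any eq domain
70 permit ip any any
"""

def parse_acl(text):
    """Parse '[seq] permit|deny <proto> any any [eq <port>]' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts and parts[0].isdigit():   # optional sequence number
            parts = parts[1:]
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            continue                        # header line or blank
        action, proto = parts[0], parts[1]
        port = None
        if "eq" in parts:
            name = parts[parts.index("eq") + 1]
            port = PORT_NAMES.get(name) or int(name)
        entries.append((action, proto, port))
    return entries

def evaluate(entries, proto, dport):
    """IOS semantics: first match wins; 'ip' matches every protocol."""
    for action, aproto, aport in entries:
        if aproto in ("ip", proto) and (aport is None or aport == dport):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL
```

With the list as posted, evaluate(parse_acl(ORIGINAL_ACL), "udp", 53) returns "permit"; with the reordered list it returns "deny".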

