06-07-2007 04:34 AM - edited 03-05-2019 04:33 PM
Hi
I want to add an access-list rule to configure my Cisco 1720 router so that only IP address 212.146.145.105 is allowed to reach port number 2002,
so I tried to come up with an ACL like this:
access-list 101 deny tcp any any eq 2002
access-list 101 permit tcp 212.146.145.105 0.0.0.0 any eq 2002
access-list 101 permit ip any any
is there anything wrong with that?
06-07-2007 04:52 AM
Hi,
As you did it you will always deny everything going to port 2002.
Do it like this:
access-list 101 permit tcp 212.146.145.105 0.0.0.0 any eq 2002
access-list 101 deny tcp any any eq 2002
access-list 101 permit ip any any
If you put your deny on the first line, you will deny all connections to 2002 since it is the first match. By putting the second line as the first line, it will allow the station to connect to port 2002, then you deny all other connections to port 2002 and then you permit all the rest.
Yves
(rate if helpful)
06-11-2007 10:26 PM
I made it like this, but it didn't work: everyone is able to access port 2002, but I want only IP 212.146.145.105 to access that port.
access-list 101 permit tcp 212.146.145.105 0.0.0.0 any eq 2002
access-list 101 deny tcp any any eq 2002
access-list 101 permit ip any any
config terminal
interface ethernet0
ip access-group 101 in
06-11-2007 10:59 PM
is the IP 212.146.145.105 inside your LAN ?
do you want to block outgoing access to 2002 from inside your LAN ?
06-11-2007 11:01 PM
To troubleshoot, try the log keyword at the end of the blocking line:
access-list 101 permit tcp 212.146.145.105 0.0.0.0 any eq 2002
access-list 101 deny tcp any any eq 2002 log
access-list 101 permit ip any any
06-11-2007 11:10 PM
No, my IP address is 212.50.35.97. The 212.146.145.105 IP is outside of my LAN and I want it to access port 2002 on my network.
06-11-2007 11:20 PM
Is the IP 212.146.145.105 on the Internet ?
If that is the case is there any specific server on your network that you want 212.146.145.105 to access on port 2002 ?
You could be exposing all your servers to the Internet. This is a security risk.
06-12-2007 03:25 AM
No, I have an ISA server behind that router, so everything is under control, and I opened a port to a specific server on my network from the ISA server, but the ISA server doesn't support IP checking. So I have to configure the router so that it will not allow anyone besides 212.146.145.105 to reach port 2002.
P.S.: Our router doesn't have any access-list besides the one I wrote for this port thing; it allows everyone to pass by.
06-12-2007 03:46 AM
Sorry NAT is not the right word - you would have published the server right ?
06-12-2007 06:31 AM
I believe the ACL would work better with a 32 bit subnet rather than a 0 bit. You are telling it to allow anything in with that mask. Try 255.255.255.255 instead of 0.0.0.0
06-12-2007 08:16 PM
255.255.255.255 would mean all hosts.
(This is used only in routes.)
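The two points argued in this thread, Yves' first-match ordering and the wildcard-mask question, can be checked with a small first-match ACL evaluator. This is an added example, not configuration from the thread or Cisco code; it models only the numbered-ACL syntax used above (protocol, source, destination, optional eq port and log). The destination 212.50.35.97 is the poster's own address from the thread; 198.51.100.7 is a constructed untrusted source.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    So 0.0.0.0 matches exactly one host and 255.255.255.255 matches every host."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return to_int(addr) & care == to_int(base) & care

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [wc] dst [wc] [eq port] [log]'."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "port": None}
    i = 4
    for key in ("src", "dst"):
        if tok[i] == "any":
            ace[key], i = ("0.0.0.0", "255.255.255.255"), i + 1
        else:
            ace[key], i = (tok[i], tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "eq":
        ace["port"], i = int(tok[i + 1]), i + 2
    ace["log"] = i < len(tok) and tok[i] == "log"   # 'log' makes denied hits visible in the router log
    return ace

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"

# The original poster's order (deny first) and Yves' corrected order (permit first).
DENY_FIRST = [
    "access-list 101 deny tcp any any eq 2002",
    "access-list 101 permit tcp 212.146.145.105 0.0.0.0 any eq 2002",
    "access-list 101 permit ip any any",
]
PERMIT_FIRST = [
    "access-list 101 permit tcp 212.146.145.105 0.0.0.0 any eq 2002",
    "access-list 101 deny tcp any any eq 2002 log",
    "access-list 101 permit ip any any",
]
# The later suggestion to use 255.255.255.255 as the mask: that wildcard matches every host.
ALL_HOSTS_MASK = [PERMIT_FIRST[0].replace("0.0.0.0", "255.255.255.255")] + PERMIT_FIRST[1:]
SERVER = "212.50.35.97"      # poster's own address from the thread
STRANGER = "198.51.100.7"    # constructed untrusted source (documentation range)
```

Running evaluate() over the three lists shows the deny-first order rejects even the trusted host, the permit-first order admits only it on 2002 while leaving other ports open, and the 255.255.255.255 mask lets the stranger through.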