block all traffic except

Unanswered Question
Sep 21st, 2007

I am trying to block all outbound traffic except for certain ports. I tried:

    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
    access-list 101 permit tcp any any eq smtp
    access-list 101 permit tcp any any eq pop3
    access-list 101 permit tcp any any eq 53
    access-list 101 permit tcp any any eq www
    access-list 101 permit ip any any
    access-list 101 deny tcp any any

That doesn't stop anything. I tried:

    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
    access-list 101 permit tcp any any eq smtp
    access-list 101 permit tcp any any eq pop3
    access-list 101 permit tcp any any eq 53
    access-list 101 permit tcp any any eq www
    access-list 101 deny tcp any any

That stops everything. Any help would be great. Thanks.

sacker12345 Fri, 09/21/2007 - 16:25

Access lists flow down, so you put the most specific entries at the top and the generalized ones at the bottom. In your first list you have "permit ip any any", which means nothing gets blocked.

And if I'm not mistaken, DNS uses UDP also, which is blocked in the second list.

Joseph W. Doherty Sat, 09/22/2007 - 04:30

Besides Kyle's post, where are you using this ACL: on the inside-facing interface or the outside-facing interface? Also, in or out on the interface?

The reason I ask is that, with the explicit "deny tcp any any" and the implicit deny all, your ACL needs to match the destination's port. I.e., the difference between inside in and outside out vs. inside out and outside in.
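To make Kyle's first-match point and Joseph's direction point concrete, here is a small Python model of how an IOS extended ACL is walked top-down with first match winning and an implicit deny at the end. It is added here and is not code from any post in this thread or from Cisco; it only mimics the matching rule. It loads the two lists exactly as posted in the question, assumes a PC using ephemeral source port 50000 (a constructed value), and evaluates a few constructed sample flows as the ACL would see them when applied "in" versus "out" on the LAN-facing interface.

```python
"""Toy model of Cisco IOS extended ACL evaluation (added example, not from the thread).

Shows (a) why 'permit ip any any' above the deny lets everything through,
(b) why the second list blocks UDP DNS via the implicit deny, and
(c) why an ACL written against destination ports only works in the direction
where the server's port is the destination ('in' on the LAN-facing interface).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Well-known names IOS accepts after 'eq'; enough for the lists in the question.
NAMED_PORTS = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    dst_port: Optional[int]     # None means no 'eq', i.e. any destination port


def parse_ace(line: str) -> Entry:
    """Parse a line such as 'access-list 101 permit tcp any any eq www'."""
    tokens = line.split()
    if tokens[:2] != ["access-list", "101"] or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = tokens[2], tokens[3]
    dst_port = None
    if len(tokens) > 6 and tokens[6] == "eq":
        p = tokens[7]
        dst_port = NAMED_PORTS[p] if p in NAMED_PORTS else int(p)
    return Entry(action, proto, dst_port)


def load_acl(text: str) -> list[Entry]:
    return [parse_ace(line) for line in text.strip().splitlines()]


def evaluate(acl: list[Entry], pkt: Packet) -> str:
    """Walk the list top-down; the first matching entry decides.
    No match at all falls through to the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny (implicit)"


# The two lists from the question, verbatim.
FIRST_LIST = """
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 permit ip any any
access-list 101 deny tcp any any
"""
SECOND_LIST = FIRST_LIST.replace("access-list 101 permit ip any any\n", "")

# Constructed sample flows from a PC (ephemeral port 50000) to Internet servers.
SAMPLE = {
    "https": Packet("tcp", 50000, 443),
    "dns-tcp": Packet("tcp", 50000, 53),
    "dns-udp": Packet("udp", 50000, 53),
    "ssh": Packet("tcp", 50000, 22),
    "ping": Packet("icmp", 0, 0),
}


def decisions(acl_text: str, direction: str = "in") -> dict[str, str]:
    """Decision per sample flow for an ACL applied on the LAN-facing interface.
    'in'  : the ACL sees the PC's request, so the destination is the server port.
    'out' : the ACL sees the server's reply leaving towards the PC, ports swapped."""
    acl = load_acl(acl_text)
    result = {}
    for name, pkt in SAMPLE.items():
        seen = pkt if direction == "in" else Packet(pkt.proto, pkt.dst_port, pkt.src_port)
        result[name] = evaluate(acl, seen)
    return result


if __name__ == "__main__":
    for label, text in (("first list", FIRST_LIST), ("second list", SECOND_LIST)):
        for direction in ("in", "out"):
            print(f"{label}, applied {direction!r} on LAN interface: {decisions(text, direction)}")
```

Running it shows the first list permitting every flow (the "permit ip any any" is reached before the deny), the second list applied "in" permitting only the listed TCP ports while UDP DNS and ICMP fall to the implicit deny, and the second list applied "out" denying even the HTTPS reply, because the reply's destination port is the PC's ephemeral port rather than 443.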

j_Pearcy00 Sat, 09/22/2007 - 17:36

I am planning on applying this ACL to a fast ethernet port on the inside. So inside out.

sacker12345 Sat, 09/22/2007 - 17:49

If I'm understanding you, you have a PC, then a router, then the Internet. You're applying it on the PC side of the router going out. If you do that, it examines the packets when they head out of the router towards the PC. You want to apply the access list on the in side so it examines them as they go into the router.

Hope it helps,

Kyle

Joseph W. Doherty Sun, 09/23/2007 - 03:38

If your LAN-facing interface is something like FastEthernet 0/1, then you want:

    interface FastEthernet 0/1
     no shutdown
     description connected to EthernetLAN
     ip address x.x.x.x x.x.x.x
     ip access-group 101 in

NOT

    interface FastEthernet 0/1
     no shutdown
     description connected to EthernetLAN
     ip address x.x.x.x x.x.x.x
     ip access-group 101 out

PS:

Doing the above would restrict access to other internal interfaces, if any.

j_Pearcy00 Sun, 09/23/2007 - 04:54

Thanks to everyone. I have everything working the way I had planned.
