block all traffic except

Unanswered Question
Sep 21st, 2007

I am trying to block all outbound traffic except for certain ports. I tried

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 permit ip any any
access-list 101 deny tcp any any


That doesn't stop anything. I tried


access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 deny tcp any any


That stops everything. Any help would be great. Thanks.


sacker12345 Fri, 09/21/2007 - 16:25

Access-lists flow down, so you put the most specific at the top and generalized ones at the bottom. On your first list you have permit ip any any, which makes nothing blocked.


And if I'm not mistaken, DNS uses UDP also, which is blocked in the second list.
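To make the two points above concrete (first match wins, and UDP DNS is never matched by a tcp-only list), here is a small Python model of IOS extended-ACL evaluation with the implicit deny at the end. It is an added example, not part of this thread; the ACL text is the one from the question (duplicate www line dropped) and the sample packets are constructed.

```python
# Added example, not from the thread: a minimal model of how a Cisco IOS
# extended ACL is evaluated, first match wins and an implicit "deny ip any any"
# sits at the end. Packets are constructed (protocol, destination port) pairs.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53}
IMPLICIT_DENY = ("deny", "ip", None)

def parse_ace(line):
    """Turn 'access-list 101 permit tcp any any eq www' into
    (action, protocol, dst_port); entries without 'eq' get dst_port None."""
    parts = line.split()
    action, proto, port = parts[2], parts[3], None
    if "eq" in parts:
        value = parts[parts.index("eq") + 1]
        port = PORT_NAMES.get(value, int(value) if value.isdigit() else value)
    return (action, proto, port)

def evaluate(acl, proto, dst_port):
    """Walk the entries top to bottom; the first match decides the verdict."""
    for action, ace_proto, ace_port in acl + [IMPLICIT_DENY]:
        if ace_proto != "ip" and ace_proto != proto:
            continue           # 'ip' matches every protocol, else exact match
        if ace_port is not None and ace_port != dst_port:
            continue
        return action
    return "deny"              # not reached: the implicit deny always matches

# The first ACL from the question (duplicate www line dropped).
FIRST_TRY = [parse_ace(line) for line in """
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit ip any any
access-list 101 deny tcp any any
""".splitlines() if line.strip()]
# The second ACL is the same list without 'permit ip any any'.
SECOND_TRY = [ace for ace in FIRST_TRY if ace != ("permit", "ip", None)]
# Constructed sample traffic: web, a DNS query over UDP, and SSH.
SAMPLES = {"web": ("tcp", 80), "dns_udp": ("udp", 53), "ssh": ("tcp", 22)}

def verdicts(acl):
    """Verdict per sample packet, so the two lists can be compared."""
    return {name: evaluate(acl, *pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("first try :", verdicts(FIRST_TRY))    # everything permitted
    print("second try:", verdicts(SECOND_TRY))   # dns_udp and ssh denied
```

With the first list every packet hits permit ip any any before the deny, and with the second list TCP/53 is still allowed but the UDP DNS query falls through to the implicit deny, so name resolution fails even though web ports are open.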

Joseph W. Doherty Sat, 09/22/2007 - 04:30
User Badges:
  • Super Bronze, 10000 points or more

Besides Kyle's post, where are you using this ACL, inside facing interface or outside facing interface? Also, in or out on the interface?


Reason I ask, with the explicit deny tcp any and the implicit deny all, your ACL needs to match the destination's port. I.e. the difference between inside in and outside out vs. inside out and outside in.

j_Pearcy00 Sat, 09/22/2007 - 17:36

I am planning on applying this ACL to a fast ethernet port on the inside. So inside out.

sacker12345 Sat, 09/22/2007 - 17:49

If I'm understanding you, you have a PC, then router, then internet. You're applying it on the PC side of the router going out. If you do that it examines the packets when they head out of the router towards the PC. You want to apply the access-list on the in so it examines them as they go into the router.


Hope it helps,

Kyle

Joseph W. Doherty Sun, 09/23/2007 - 03:38
User Badges:
  • Super Bronze, 10000 points or more

If your LAN facing interface is something like FastEthernet 0/1 then you want:


Interface FastEthernet 0/1
no shutdown
description connected to EthernetLAN
ip address x.x.x.x x.x.x.x
ip access-group 101 in


NOT


Interface FastEthernet 0/1
no shutdown
description connected to EthernetLAN
ip address x.x.x.x x.x.x.x
ip access-group 101 out


PS:

Doing the above would restrict access to other internal interfaces, if any.


j_Pearcy00 Sun, 09/23/2007 - 04:54

Thanks to everyone. I have everything working the way I had planned.
