
block all traffic except

j_Pearcy00
Level 1

I am trying to block all outbound traffic except for certain ports. I tried

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 permit ip any any
access-list 101 deny tcp any any

That doesn't stop anything. I tried

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 deny tcp any any

That stops everything. Any help would be great. Thanks

6 Replies

sacker12345
Level 1

Access-lists flow down, so you put the most specific entries at the top and the generalized ones at the bottom. On your first list you have permit ip any any, which means nothing is blocked.

And if I'm not mistaken, DNS uses UDP also, which is blocked in the second list.

Joseph W. Doherty
Hall of Fame

Besides Kyle's post, where are you using this ACL, on the inside-facing interface or the outside-facing interface? Also, in or out on the interface?

Reason I ask, with the explicit deny tcp any and the implicit deny all, your ACL needs to match the destination's port. I.e. the difference between inside in and outside out vs. inside out and outside in.

I am planning on applying this ACL to a fast ethernet port on the inside. So inside out.

If I'm understanding you, you have a PC, then a router, then the internet. You're applying it on the PC side of the router going out. If you do that, it examines the packets when they head out of the router towards the PC. You want to apply the access-list on the in so it examines them as they go into the router.

Hope it helps,

Kyle

If your LAN facing interface is something like FastEthernet 0/1 then you want:

Interface FastEthernet 0/1
no shutdown
description connected to EthernetLAN
ip address x.x.x.x x.x.x.x
ip access-group 101 in

NOT

Interface FastEthernet 0/1
no shutdown
description connected to EthernetLAN
ip address x.x.x.x x.x.x.x
ip access-group 101 out

PS:

Doing the above would restrict access to other internal interfaces, if any.
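
The two points made in this thread (first-match ordering with the implicit deny, and why an ACL applied "out" on the LAN interface only ever sees reply traffic) can be checked with a small simulator. The following is an added example, not code from the thread or from Cisco; it models just the subset of extended-ACL syntax the question uses (protocol plus an optional "eq" destination port), with an assumed keyword-to-port table and constructed sample packets.

```python
# Added example (not from the thread): a minimal simulator of Cisco IOS
# extended-ACL semantics. Entries are tested top to bottom, the first match
# wins, and an unmatched packet hits the implicit "deny ip any any".
# Port keywords and sample packets below are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed keyword-to-port table for the names used in the thread's ACLs.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    dst_port: Optional[int]     # None means any destination port


def parse_ace(line: str) -> Rule:
    """Parse 'access-list N <permit|deny> <proto> any any [eq <port>]'.

    Only the syntax that appears in the thread is handled.
    """
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = tok[2], tok[3]
    dst_port = None
    if len(tok) > 6 and tok[6] == "eq":
        name = tok[7]
        dst_port = int(name) if name.isdigit() else PORT_NAMES[name]
    return Rule(action, proto, dst_port)


def matches(rule: Rule, pkt: Packet) -> bool:
    # 'ip' matches every protocol; otherwise the protocol must agree.
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    # 'eq <port>' after the destination address tests the destination port only.
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match wins; an unmatched packet hits the implicit deny."""
    for n, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, f"line {n}"
    return "deny", "implicit deny ip any any"


# The first list from the question, verbatim.
FIRST_ATTEMPT = [parse_ace(line) for line in """
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 permit ip any any
access-list 101 deny tcp any any
""".strip().splitlines()]

# The second list is the same minus "permit ip any any".
SECOND_ATTEMPT = [r for r in FIRST_ATTEMPT if not (r.action == "permit" and r.proto == "ip")]

# Constructed sample traffic from a PC on the LAN behind the router.
HTTP_REQUEST = Packet("tcp", 51000, 80)    # PC -> web server
DNS_UDP_QUERY = Packet("udp", 51001, 53)   # PC -> resolver (DNS is normally UDP)
SSH_SESSION = Packet("tcp", 51002, 22)     # PC -> some host; should be blocked
HTTP_REPLY = Packet("tcp", 80, 51000)      # web server -> PC (return traffic)


def inbound_on_lan(acl: List[Rule]) -> Dict[str, str]:
    """ACL applied 'in' on the LAN interface: it sees the PC's outgoing packets."""
    return {
        name: evaluate(acl, pkt)[0]
        for name, pkt in [("http", HTTP_REQUEST), ("dns_udp", DNS_UDP_QUERY), ("ssh", SSH_SESSION)]
    }


def outbound_on_lan(acl: List[Rule]) -> str:
    """ACL applied 'out' on the LAN interface: it sees replies heading to the PC,
    whose destination port is the PC's ephemeral port, so 'eq www' never matches."""
    return evaluate(acl, HTTP_REPLY)[0]


if __name__ == "__main__":
    print("first attempt, in on LAN :", inbound_on_lan(FIRST_ATTEMPT))
    print("second attempt, in on LAN:", inbound_on_lan(SECOND_ATTEMPT))
    print("second attempt, out on LAN, web reply:", outbound_on_lan(SECOND_ATTEMPT))
```

Run as a script it shows the three situations side by side: the first list permits SSH (and everything else) because "permit ip any any" on line 7 matches before the deny; the second list, applied "in", lets HTTP through but drops the UDP DNS query on the implicit deny; and the second list applied "out" on the LAN interface drops even the web server's reply, since the only destination port in that packet is the PC's ephemeral port.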

Thanks to everyone. I have everything working the way I had planned.
