Access Control List blocking specific ports.

glynncounty
Level 1

I have a specific network, 10.32.64.0, that uses ports 6500 and 6600. I don't want any other network to be able to use these ports. How can I do that with an ACL?


3 Replies

Jon Marshall
Hall of Fame

Hi

access-list 101 deny tcp any 10.32.64.0 255.255.255.0 eq 6500

access-list 101 deny tcp any 10.32.64.0 255.255.255.0 eq 6600

access-list 101 permit ip any any

Apply this outbound on the L3 interface that is for the 10.32.64.0 network, e.g.

int fa0/0

ip access-group 101 out

Note: I assumed 10.32.64.0 is a 255.255.255.0 subnet mask and that 6500 & 6600 are TCP ports.

Jon

Would it not be

access-list 101 permit tcp any 10.32.64.0 0.0.0.255 eq 6500

access-list 101 permit tcp any 10.32.64.0 0.0.0.255 eq 6600

access-list 101 deny tcp any any eq 6500

access-list 101 deny tcp any any eq 6600

access-list 101 permit ip any any

Harold

Looks like we have read the OP's requirements slightly differently. I assumed he meant that no subnets were allowed to access 10.32.64.0 machines on ports 6500 and 6600.

I'm not sure what your first 2 lines are doing.

To the OP

I have an annoying habit of forgetting to use inverse masks in router ACLs, probably due to too much time on PIX firewalls :)

The masks should be 0.0.0.255 and not 255.255.255.0 in my access-list entries.

Apologies for that.

Jon
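An added example (not code from any of the posts above) that walks the ACL entries in this thread with IOS first-match semantics and the implicit deny, so you can see why a 255.255.255.0 wildcard mask silently fails to match the hosts in 10.32.64.0/24 while 0.0.0.255 works. The parser, the sample packets and the ACL_FIXED/ACL_TYPO lists are constructed for this illustration.

```python
import ipaddress

# Added example, not code from the thread: a small evaluator for the numbered
# ACL entries discussed above, using IOS first-match semantics and the implicit
# "deny" at the end of every ACL. Only the syntax the thread uses is parsed.

def wildcard_match(addr, network, wildcard):
    """IOS inverse mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def parse_ace(line):
    # access-list N permit|deny tcp|ip SRC [eq P] DST [eq P], SRC/DST = any | net wc
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4
    fields = []
    for _ in range(2):
        if tok[i] == "any":
            net, wc, i = "0.0.0.0", "255.255.255.255", i + 1
        else:
            net, wc, i = tok[i], tok[i + 1], i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        fields.append((net, wc, port))
    return action, proto, fields[0], fields[1]

def evaluate(acl, packet):
    """packet = (proto, src_ip, dst_ip, dst_port); returns 'permit' or 'deny'."""
    proto, src, dst, dport = packet
    for line in acl:
        action, p, (snet, swc, _), (dnet, dwc, dp) = parse_ace(line)
        if p not in ("ip", proto):
            continue
        if not (wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc)):
            continue
        if dp is not None and dp != dport:
            continue
        return action          # first matching entry decides
    return "deny"              # implicit deny at the end of every IOS ACL

# Jon's list with the mask he corrected to (0.0.0.255) versus the original typo.
ACL_FIXED = [
    "access-list 101 deny tcp any 10.32.64.0 0.0.0.255 eq 6500",
    "access-list 101 deny tcp any 10.32.64.0 0.0.0.255 eq 6600",
    "access-list 101 permit ip any any",
]
ACL_TYPO = [l.replace("0.0.0.255", "255.255.255.0") for l in ACL_FIXED]

if __name__ == "__main__":
    pkt = ("tcp", "10.1.1.5", "10.32.64.10", 6500)   # constructed sample packet
    print(evaluate(ACL_FIXED, pkt))   # deny
    print(evaluate(ACL_TYPO, pkt))    # permit: 255.255.255.0 only pins the last octet
```

With the typo, the wildcard leaves only the last octet significant, so the deny entries match 10.32.64.0 itself but none of the real hosts, and everything falls through to the permit.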
