Help with blocking a range of ports to an IP


We have a Cisco 1841.


Fast0/0 with 30.104.104.2 (IP to ISP)


Fast0/1 with 30.103.103.129/27 (our public IP block)


I would like to specifically block any incoming (from the Internet) access from ports 1-1024 to only 30.103.103.135 (one of our public systems).


How can I do that?


I have tried:


access-list 101 deny tcp any lt 1025 host 30.103.103.135


The moment I apply it to either Fast0/0 or Fast0/1, it cuts all access. Could someone help?


Thanks in advance

Jon Marshall Wed, 03/19/2008 - 13:57

Hi


Okay, firstly there is an implicit deny at the end of any access-list, so you need to modify your access-list to


access-list 101 deny tcp any lt 1025 host 30.103.103.135

access-list 101 permit ip any any


Secondly, this access-list is blocking any IP address on ports 1 -> 1024 connecting to 30.103.103.135 on any port. Is this what you actually want, or do you want to stop any IP connecting to 30.103.103.135 on ports 1 -> 1024?


Jon

Richard Burts Wed, 03/19/2008 - 19:34

Ken


In your case I believe that the same access list could be used on either FA0/0 or on FA0/1. On FA0/0 (connecting to ISP) it would be applied as inbound. On FA0/1 (connecting to your LAN) it would be applied outbound.


HTH


Rick

Jon Marshall Thu, 03/20/2008 - 00:13

Ken


Agree with Rick on which direction to apply.


I am still unsure as to which ports. When you say ports 1-1024, is that


1) ports 1 - 1024 on any IP connecting to 30.103.103.135, i.e. the source port from any IP


or


2) ports 1 - 1024 on 30.103.103.135


If 1), your access-list is correct.


If 2), you need to modify it to


access-list 101 deny tcp any host 30.103.103.135 lt 1025


HTH


Jon
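The two points raised in the replies above can be checked offline with the small simulator below: every IOS access-list ends with an implicit deny, so a list consisting of a single deny entry drops everything (which is why the original list "cut all access"), and the position of the port operator decides whether it matches the source port (`any lt 1025 host ...`) or the destination port (`host ... lt 1025`). This is an added example written for this page, not code from the thread or from Cisco. It parses only the subset of numbered extended ACL syntax used in the thread (tcp/ip, any, host, address plus wildcard mask, eq/lt/gt/neq/range) and applies first-match semantics; the 203.0.113.x source addresses and the port numbers in the sample flows are constructed for illustration.

```python
"""Simulate Cisco IOS extended ACL matching: first match wins, implicit deny at the end.

Added example for this thread, not code from the original posts or from Cisco.
Covers only the ACL syntax the thread uses; keywords such as 'established' or
'log' are not handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PortTest = Optional[Callable[[int], bool]]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    """One access-list entry (ACE) after parsing."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: PortTest
    dst: ipaddress.IPv4Network
    dport: PortTest


PORT_OPS = ("eq", "lt", "gt", "neq", "range")


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # "address wildcard": the IOS wildcard mask is the bitwise inverse of a netmask
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(t[i + 1]))
    net = ipaddress.IPv4Network((t[i], str(ipaddress.ip_address(mask))), strict=False)
    return net, i + 2


def _parse_port(t: List[str], i: int) -> Tuple[PortTest, int]:
    """Return a predicate for an optional port operator at position i, or None."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return None, i
    op = t[i]
    if op == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = int(t[i + 1])
    ops = {
        "eq": lambda p: p == n,
        "lt": lambda p: p < n,
        "gt": lambda p: p > n,
        "neq": lambda p: p != n,
    }
    return ops[op], i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an extended access-list entry: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)  # an operator right after the source matches the SOURCE port
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)  # an operator after the destination matches the DESTINATION port
    return Ace(action, proto, src, sport, dst, dport)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; with no match the implicit 'deny ip any any' applies."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.sport is not None and not ace.sport(pkt.sport):
            continue
        if ace.dport is not None and not ace.dport(pkt.dport):
            continue
        return ace.action
    return "deny"


def decide(lines: List[str], pkt: Packet) -> str:
    return evaluate([parse_ace(line) for line in lines], pkt)


# The three access-lists discussed in the thread.
ORIGINAL = ["access-list 101 deny tcp any lt 1025 host 30.103.103.135"]
SRC_PORT_ACL = ORIGINAL + ["access-list 101 permit ip any any"]
DST_PORT_ACL = [
    "access-list 101 deny tcp any host 30.103.103.135 lt 1025",
    "access-list 101 permit ip any any",
]

# Constructed sample flows as seen inbound on Fa0/0 (203.0.113.0/24 is documentation space).
SAMPLE_FLOWS = {
    "web to target": Packet("tcp", "203.0.113.10", 51000, "30.103.103.135", 80),
    "high port to target": Packet("tcp", "203.0.113.10", 51000, "30.103.103.135", 8080),
    "web to other host": Packet("tcp", "203.0.113.10", 51000, "30.103.103.140", 80),
    "low src port to target": Packet("tcp", "203.0.113.10", 80, "30.103.103.135", 51000),
}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("source-port", SRC_PORT_ACL), ("dest-port", DST_PORT_ACL)):
        print(name)
        for label, pkt in SAMPLE_FLOWS.items():
            print(f"  {label:24} -> {decide(acl, pkt)}")
```

Running it shows the original single-entry list denying even traffic to an unrelated host in the /27, the source-port list letting a normal web connection (ephemeral source port, destination port 80) through to 30.103.103.135, and the destination-port list blocking exactly the low destination ports on that one host while permitting everything else. Following the direction advice given in the thread, the corrected list would be applied on the router with `ip access-group 101 in` under `interface FastEthernet0/0` (or `out` on FastEthernet0/1).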

Richard Burts Thu, 03/20/2008 - 11:22

Ken


I am glad that you got it working. Thanks for posting back to the forum, indicating that it was working and what you did to get it to work. It helps the forum when we can see the solution to the issue that was raised.


HTH


Rick
