Access-List To Block Port

Answered Question
Mar 23rd, 2009

All,

I want to block ports 445 and 135 on the router going to a specific host. Will this access list yield those results if I put this access list on the router's inbound interface:


access-list deny tcp any host 11.1.5.0 0.0.0.255 eq 135

Correct Answer by dario.didio about 8 years 2 days ago

Hi,


the syntax of your access list is not correct. You should specify a host address after the word HOST instead of a subnet. Also, don't forget to give your ACL a name or number.


Also, this line will only block TCP to port 135, not to 445.


If your host is 11.1.5.1, your ACL will look like this:


access-list 100 deny tcp any host 11.1.5.1 eq 135

access-list 100 deny tcp any host 11.1.5.1 eq 445

access-list 100 permit ip any any


HTH,

Dario
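As an added illustration (not from the thread and not Cisco's code), here is a small Python model of how a numbered extended ACL such as Dario's is evaluated: the difference between `host A.B.C.D` and the `A.B.C.D WILDCARD` subnet form, top-down first-match processing, and the implicit deny that ends every IOS ACL. The model only handles a source of `any` and contiguous wildcard masks; those are simplifying assumptions of the example, not IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches any protocol)
    dst: ipaddress.IPv4Network
    port: Optional[int]         # None = any destination port

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care (0.0.0.255 -> /24)."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)

def parse_ace(line: str) -> Ace:
    """Parse one numbered extended ACL line; source must be 'any' in this model."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or not t[1].isdigit():
        raise ValueError(f"missing ACL number or bad syntax: {line!r}")
    action, proto, i = t[2], t[3], 4
    if t[i] != "any":
        raise ValueError("only source 'any' is modelled here (assumption of the example)")
    i += 1
    if t[i] == "host":          # 'host' takes exactly one address, no mask
        dst, i = ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    elif t[i] == "any":
        dst, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    else:                       # 'A.B.C.D WILDCARD' form for a subnet
        dst, i = wildcard_to_network(t[i], t[i + 1]), i + 2
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, dst, port)

def evaluate(acl, proto: str, dst_ip: str, dst_port: int) -> str:
    """Top-down, first match wins; IOS ends every ACL with an implicit deny."""
    ip = ipaddress.IPv4Address(dst_ip)
    for ace in map(parse_ace, acl):
        if ace.proto in ("ip", proto) and ip in ace.dst \
                and (ace.port is None or ace.port == dst_port):
            return ace.action
    return "deny"               # implicit 'deny ip any any'

# Dario's corrected ACL as quoted in the thread
ACL_100 = [
    "access-list 100 deny tcp any host 11.1.5.1 eq 135",
    "access-list 100 deny tcp any host 11.1.5.1 eq 445",
    "access-list 100 permit ip any any",
]
```

Feeding the line from the original question into `parse_ace` raises `ValueError` because the ACL number is missing, and evaluating only the two deny lines without the final `permit ip any any` denies all other traffic to the host as well.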

Jon Marshall Mon, 03/23/2009 - 08:21
Mario


It depends on where the 11.1.5.x hosts are in relation to the router interfaces. By the way, 11.1.5.0 0.0.0.255 is the /24 network and not a host as such.


11.1.5.0/24 -> fa0/0 R1 fa0/1 -> any


So in the above, 11.1.5.0/24 is connected to the fa0/0 interface of R1, and all other addresses come in via fa0/1, so you would apply your access-list inbound to fa0/1.


Jon

mrashby Mon, 03/23/2009 - 08:49

Jon,

Does it matter if I apply this list on the inbound interface of the Ethernet or the serial?

Jon Marshall Mon, 03/23/2009 - 08:53
Yes, it does. Looking back at the diagram in my last post, you can either


1) apply it inbound on the fa0/1 interface


or


2) apply it outbound on the fa0/0 interface.


Personally, I would go with 1).


Note I have used Fast Ethernet interfaces as an example, but the same applies to serial interfaces.


Jon

