Access-List To Block Port

mrashby
Level 1

All,

I want to block ports 445 and 135 on the router going to a specific host. Will this access list yield those results if I put this access list on the router's inbound interface:

access-list deny tcp any host 11.1.5.0 0.0.0.255 eq 135

Accepted Solution

dario.didio
Level 4

Hi,

the syntax of your access list is not correct. You should specify a host address after the word HOST instead of a subnet. Also, don't forget to give your ACL a name or number.

Also, this line will only block TCP to port 135, not to 445.

If your host is 11.1.5.1, your ACL will look like this:

access-list 100 deny tcp any host 11.1.5.1 eq 135

access-list 100 deny tcp any host 11.1.5.1 eq 445

access-list 100 permit ip any any

HTH,

Dario

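As an added example (not code from this thread or from Cisco), a small Python model of how IOS evaluates the accepted answer's ACL: the first matching entry wins, `host` is shorthand for a wildcard of 0.0.0.0, and traffic that matches no entry hits the implicit deny, which is why the closing `permit ip any any` matters. It also accepts the `A.B.C.D WILDCARD` form, so a /24-wide entry can be checked the same way; `parse_ace`, `ace_is_valid` and `evaluate` are names chosen here.

```python
import ipaddress
ACL_100 = [  # the accepted answer's three lines (numbered ACL 100)
    "access-list 100 deny tcp any host 11.1.5.1 eq 135",
    "access-list 100 deny tcp any host 11.1.5.1 eq 445",
    "access-list 100 permit ip any any",
]

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    addr, wild = (int(ipaddress.ip_address(x)) for x in tokens[:2])
    return (addr, wild), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' into a dict."""
    t = line.split()
    # IOS rejects a line without an ACL number/name before the action keyword.
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"invalid ACE: {line}")
    ace, rest = {"action": t[2], "proto": t[3]}, t[4:]
    for side in ("src", "dst"):
        ace[side], rest = _parse_addr(rest)
        ace[side + "_port"] = None
        if rest[:1] == ["eq"]:
            ace[side + "_port"], rest = int(rest[1]), rest[2:]
    return ace

def ace_is_valid(line):
    """True if the line parses as an extended ACE (the question's line does not)."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False

def _addr_match(spec, addr):
    """Wildcard-mask compare: bits set to 1 in the wildcard are 'don't care'."""
    net, wild = spec
    mask = 0xFFFFFFFF ^ wild
    return (int(ipaddress.ip_address(addr)) & mask) == (net & mask)

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching entry wins; a packet that matches nothing gets the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", proto) and _addr_match(ace["src"], src)
                and _addr_match(ace["dst"], dst) and ace["dst_port"] in (None, dport)):
            return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL
```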

5 Replies

Jon Marshall
Hall of Fame

Mario

It depends on where the 11.1.5.x host is in relation to the router interfaces. By the way, 11.1.5.0 0.0.0.255 is the /24 network and not a host as such.

11.1.5.0/24 -> fa0/0 R1 fa0/1 -> any

So in the above 11.1.5.0/24 is connected to the fa0/0 interface of R1. And all other addresses come in via fa0/1 so you would apply your access-list inbound to fa0/1.

Jon

Jon,

Does it matter if I apply this list on the inbound interface of the ethernet or serial?

Yes it does. Looking back at the diagram in my last post, you can either

1) apply it inbound on the fa0/1 interface

or

2) apply it outbound on the fa0/0 interface.

Personally I would go with 1).

Note I have used Fast Ethernet interfaces as an example, but the same applies to serial interfaces.

Jon


Thanks.
