08-20-2009 12:34 PM
This seems to be a very basic question.
I'm looking into purchasing a Cisco 1812 router, and would like to be able to block traffic on specific ports, or better yet, only allow traffic on specific ports.
What is the command that I need to look up in order to achieve this?
Thanks in advance.
08-20-2009 12:40 PM
At the simplest level, access-lists provide this kind of packet filtering. For example, to only allow HTTP (tcp/80), inbound on an interface:
interface FastEthernet0/0
...
ip access-group 101 in
!
!
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any established
access-list 101 deny tcp any any
access-list 101 permit ip any any
There are more advanced packet filtering options such as the IOS firewall which can do stateful inspection. But it will depend on what feature set you run as to the packet filtering capabilities you will have. Access-lists are always available.
08-25-2009 10:53 AM
Thanks for this example, and for the help. I have a series of TCP/UDP ports that I need to configure to be allowed through two interfaces. To make the example easier, let's say I want to allow:
135/TCP
389/TCP/UDP
1024-1030/TCP/UDP
Based on the other example, I would configure the top two as follows:
interface FastEthernet0/0
ip access-group 101 in
access-list 101 permit tcp any any eq 135
access-list 101 permit tcp any any eq 389
access-list 101 permit udp any any eq 389
access-list 101 permit tcp any any established
access-list 101 deny tcp any any
access-list 101 deny udp any any
Does this look correct?
I want to apply the exact same filter to FastEthernet1/0. Do I need to create a new access list (102) for this, or could I reuse 101?
How do I allow a series of ports (e.g. 1024-1030)? Do I need to enter each one individually?
08-25-2009 11:03 AM
You can use the same ACL for both interfaces. To permit multiple ports, use the range command:
access-list 101 permit tcp any any range 1024 1030
08-25-2009 12:42 PM
I'd like to assign the ACL to an interface for both in and out. Is this possible? I'm under the impression that each interface can only have one access list assigned, and so I'm hesitant to use:
ip access-group 101 in
ip access-group 101 out
08-25-2009 01:04 PM
You can add both lines to an interface, but you will need to make sure your ACL is reflexive. Chances are the same ACL will not be useful in both directions.
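To make the first-match and implicit-deny behaviour behind the two answers above concrete (the port list with the `range` keyword, and why the same list is rarely useful in both directions), here is an added Python evaluator. It is example code written for this page, not Cisco's code and not from any poster. It handles only the subset of extended-ACL syntax used in the thread: `any any` source and destination, `eq` and `range` destination ports, and `established` (treated as "ACK or RST bit set"). The UDP `range` line in the sample ACL is an assumption added to cover the UDP half of the question; the rest of the list is the one posted above.

```python
# Toy evaluator for the numbered extended ACL lines used in this thread.
# Added example, not Cisco code; supports only "any any" source/destination,
# "eq"/"range" destination ports, and the "established" keyword.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp" or "ip" (any)
    ports: Optional[Tuple[int, int]]   # inclusive destination-port range
    established: bool                  # TCP only: match if ACK or RST is set


@dataclass
class Packet:
    proto: str
    dport: int = 0
    ack: bool = False   # set on every segment after the handshake's SYN
    rst: bool = False


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny PROTO any any [eq P | range A B] [established]'."""
    rules: List[Rule] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue                    # skip blanks, '!' and interface lines
        action, proto = tok[2], tok[3]
        if tok[4:6] != ["any", "any"]:
            raise ValueError("toy parser handles only 'any any' addresses")
        ports, established, rest, i = None, False, tok[6:], 0
        while i < len(rest):
            if rest[i] == "eq":
                ports, i = (int(rest[i + 1]), int(rest[i + 1])), i + 2
            elif rest[i] == "range":
                ports, i = (int(rest[i + 1]), int(rest[i + 2])), i + 3
            elif rest[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError(f"unsupported token {rest[i]!r}")
        rules.append(Rule(action, proto, ports, established))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.ports and not (rule.ports[0] <= pkt.dport <= rule.ports[1]):
        return False
    if rule.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching line wins; no match falls through to the implicit deny."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return "deny", None                 # implicit 'deny ip any any'


# ACL from the thread, plus a UDP range line (constructed) for the UDP half.
ACL_101 = """
access-list 101 permit tcp any any eq 135
access-list 101 permit tcp any any eq 389
access-list 101 permit udp any any eq 389
access-list 101 permit tcp any any range 1024 1030
access-list 101 permit udp any any range 1024 1030
access-list 101 permit tcp any any established
access-list 101 deny tcp any any
access-list 101 deny udp any any
"""

if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    # Inbound: the listed services pass, everything else is dropped.
    for pkt in (Packet("tcp", 135), Packet("udp", 389), Packet("tcp", 1027),
                Packet("tcp", 22), Packet("tcp", 22, ack=True), Packet("icmp")):
        print(pkt, "->", evaluate(rules, pkt))
    # Same ACL applied 'out': an inside host's new connection to port 80
    # carries no ACK, so it hits 'deny tcp any any' instead of 'established'.
    print("outbound SYN to 80 ->", evaluate(rules, Packet("tcp", 80)))
```

Two things the run makes visible: an ICMP packet matches no line and is dropped by the implicit deny, because this list (unlike the first answer's) has no trailing `permit ip any any`; and applying the same list outbound blocks an inside host's first SYN to any port not in the list, which is the practical reason a separate outbound ACL is normally written.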
08-20-2009 12:50 PM
Also, we have freeware software that does that for you.
One is CCP: www.cisco.com/go/ccp
That will help you to configure access-lists and firewall features on your router.