IOS Router Interface Port Configuration

northwest_trail
Level 1

This seems to be a very basic question.

I'm looking into purchasing a Cisco 1812 router, and would like to be able to block traffic on specific ports, or better yet, only allow traffic on specific ports.

What is the command that I need to look up in order to achieve this?

Thanks in advance.

6 Replies

Joe Clarke
Cisco Employee

At the simplest level, access-lists provide this kind of packet filtering. For example, to only allow HTTP (tcp/80), inbound on an interface:

interface FastEthernet0/0
 ...
 ip access-group 101 in
!
!
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any established
access-list 101 deny tcp any any
access-list 101 permit ip any any

There are more advanced packet filtering options such as the IOS firewall which can do stateful inspection. But it will depend on what feature set you run as to the packet filtering capabilities you will have. Access-lists are always available.

Thanks for this example, and for the help. I have a series of TCP/UDP ports that I need to configure to be allowed through two interfaces. To make the example easier, let's say I want to allow:

135/TCP
389/TCP/UDP
1024-1030/TCP/UDP

Based on the other example, I would configure the top two as follows:

interface FastEthernet0/0
 ip access-group 101 in
!
access-list 101 permit tcp any any eq 135
access-list 101 permit tcp any any eq 389
access-list 101 permit udp any any eq 389
access-list 101 permit tcp any any established
access-list 101 deny tcp any any
access-list 101 deny udp any any

Does this look correct?

I want to apply the exact same filter to FastEthernet1/0. Do I need to create a new access list (102) for this, or could I reuse 101?

How do I allow a series of ports (e.g. 1024-1030)? Do I need to enter each one individually?

You can use the same ACL for both interfaces. To permit multiple ports, use the range command:

access-list 101 permit tcp any any range 1024 1030
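To check how IOS would actually treat packets against the list drafted above once the range line is added, here is a small Python model written for this thread (added example, not Cisco code): it parses the permit/deny, eq, range and established keywords used in the replies, applies first-match semantics and the implicit deny that ends every IOS ACL, and can be run against constructed packets. The Packet fields and the treatment of "established" as "ACK or RST set" are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass
class Packet:          # constructed packet model: protocol, destination port, TCP ACK/RST flag
    proto: str
    dport: int = 0
    ack: bool = False

def parse_ace(line):
    # Tokens: access-list <n> <permit|deny> <proto> any any [eq P | range A B] [established]
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "ports": None, "established": False}
    rest = tok[6:]
    if rest and rest[0] == "eq":
        ace["ports"], rest = (int(rest[1]), int(rest[1])), rest[2:]
    elif rest and rest[0] == "range":
        ace["ports"], rest = (int(rest[1]), int(rest[2])), rest[3:]
    ace["established"] = rest == ["established"]
    return ace

def matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):      # "ip" matches every protocol
        return False
    if ace["ports"] and not ace["ports"][0] <= pkt.dport <= ace["ports"][1]:
        return False
    return pkt.ack or not ace["established"]       # established needs ACK/RST set

def evaluate(acl, pkt):
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for ace in map(parse_ace, acl):
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# The list drafted in the thread, with the range line from the follow-up reply added.
ACL_101 = [
    "access-list 101 permit tcp any any eq 135",
    "access-list 101 permit tcp any any eq 389",
    "access-list 101 permit udp any any eq 389",
    "access-list 101 permit tcp any any range 1024 1030",
    "access-list 101 permit tcp any any established",
    "access-list 101 deny tcp any any",
    "access-list 101 deny udp any any",
]
```

Note that with this list a UDP packet to any port other than 389 is dropped, and anything that is neither TCP nor UDP (ICMP, for instance) falls through to the implicit deny, unlike the first reply's list, which ends with permit ip any any.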

I'd like to assign the ACL to an interface for both in and out. Is this possible? I'm under the impression that each interface can only have one access list assigned, and so I'm hesitant to use:

ip access-group 101 in
ip access-group 101 out

You can add both lines to an interface, but you will need to make sure your ACL is reflexive. Chances are the same ACL will not be useful in both directions.

Lucien Avramov
Level 10

Also, we have freeware software that does that for you.

One is CCP: www.cisco.com/go/ccp

That will help you to configure access-lists and firewall features on your router.
