Cisco Support Community
Community Member

Access-List To Block Port

All,

I want to block ports 445 and 135 on the router going to a specific host. Will this access list yield those results if I put this access list on the router's inbound interface:

access-list deny tcp any host 11.1.5.0 0.0.0.255 eq 135

Accepted Solution
Silver

Re: Access-List To Block Port

Hi,

the syntax of your access list is not correct. You should specify a host address after the word HOST instead of a subnet. Also, don't forget to give your ACL a name or number.

Also, this line will only block TCP to port 135, not to 445.

If your host is 11.1.5.1, your ACL will look like this:

access-list 100 deny tcp any host 11.1.5.1 eq 135

access-list 100 deny tcp any host 11.1.5.1 eq 445

access-list 100 permit ip any any

HTH,

Dario

5 REPLIES
Hall of Fame Super Blue

Re: Access-List To Block Port

Mario

It depends on where the 11.1.5.x host is in relation to the router interfaces. By the way, 11.1.5.0 0.0.0.255 is the /24 network and not a host as such.

11.1.5.0/24 -> fa0/0 R1 fa0/1 -> any

So in the above 11.1.5.0/24 is connected to the fa0/0 interface of R1. And all other addresses come in via fa0/1 so you would apply your access-list inbound to fa0/1.

Jon

Community Member

Re: Access-List To Block Port

Jon,

Does it matter if I apply this list on the inbound interface of the ethernet or serial?

Hall of Fame Super Blue

Re: Access-List To Block Port

Yes it does. Looking back at the diagram in my last post you can either

1) apply it inbound on the fa0/1 interface

or

2) apply it outbound on the fa0/0 interface.

Personally I would go with 1).

Note I have used fast ethernet interfaces as an example but the same applies to serial interfaces.

Jon
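
Putting Dario's ACL and Jon's placement advice together, here is the complete IOS configuration as an added example (not code from the thread); it assumes the host 11.1.5.1 and the interface fa0/1 named in the posts above, and adds the optional log keyword so denied hits are visible in syslog.

```cisco
! Extended ACL: drop TCP/135 and TCP/445 to the single host 11.1.5.1 and
! allow everything else. Every ACL ends with an implicit "deny ip any any",
! so the final permit is required or all other traffic is dropped too.
! Note the difference from the original post: "host 11.1.5.1" is one address;
! a whole /24 would be written "11.1.5.0 0.0.0.255" without the host keyword.
access-list 100 remark Block RPC/SMB to 11.1.5.1 (host/interface are assumed)
access-list 100 deny   tcp any host 11.1.5.1 eq 135 log
access-list 100 deny   tcp any host 11.1.5.1 eq 445 log
access-list 100 permit ip any any
!
! Apply it inbound on the interface that faces the rest of the network
! (fa0/1 in Jon's diagram), so packets are dropped before they are routed.
interface FastEthernet0/1
 ip access-group 100 in
!
! Verify: the match counters on the two deny lines should increase when
! traffic to 11.1.5.1 port 135 or 445 arrives on fa0/1.
! show access-lists 100
! show ip interface FastEthernet0/1 | include access list
```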

Community Member

Re: Access-List To Block Port

Thanks.
