New Member

How to close port?

Hello,


I use an access list to close ports on entry from the internet, but when I scan the port from the internet, the port is still open (for instance 53 or domain). Does someone have any idea?


I have a Cisco 1921 router on IOS 15.3.


Here is part of my configuration:

interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group RESTRICT_ENTRY_INTERNET in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxxx
!
ip access-list extended RESTRICT_ENTRY_INTERNET
 deny   tcp any any eq telnet
 deny   tcp any any eq 22
 deny   tcp any any eq www
 deny   tcp any any eq 443
 permit ip any any
 deny   tcp any any eq domain

2 Accepted Solutions
Purple

How to close port?

Hi,

 permit ip any any
 deny   tcp any any eq domain

Any traffic, including traffic destined to port 53, will hit the first permit, so put your permit at the end like this:

ip access-list extended RESTRICT_ENTRY_INTERNET
 no 50
 60 deny udp any any eq domain
 70 permit ip any any

Regards

Alain

Don't forget to rate helpful posts.

Super Bronze

Re: How to close port?

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

As Alain noted, your permit ip any any is before your deny udp (for DNS). Remember UDP is part of IP, i.e. the IP rules "cover" UDP traffic too.
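The first-match rule both answers rely on, as an added example that is not part of the thread: a small simulator of IOS extended ACL evaluation, run over the ACL exactly as posted in the question and over a list with every deny (TCP and UDP 53 included, which is the intent of the accepted answers) ahead of the final permit. PORT_NAMES, parse_ace and evaluate are my own names; the ACL lines are the ones quoted on this page.

```python
# Added example (not from the thread): a minimal first-match evaluator for IOS
# extended ACL lines of the form "permit|deny <proto> any any [eq <port>]".
# It shows why the posted order left port 53 reachable and why moving
# "permit ip any any" to the end closes it. Only this subset of syntax is handled.
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53}  # names IOS prints for these ports


def parse_ace(line):
    """Parse one access-control entry into {action, proto, port} (port None = any)."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    port = None
    if len(tok) >= 6 and tok[4] == "eq":
        port = PORT_NAMES.get(tok[5])
        if port is None:
            port = int(tok[5])
    return {"action": action, "proto": proto, "port": port}


def evaluate(acl_lines, proto, dst_port):
    """Walk the ACL top-down; the first matching entry wins; implicit deny at the end.
    Returns (action, 1-based line number) or ("deny", None) for the implicit deny."""
    for n, ace in enumerate(map(parse_ace, acl_lines), start=1):
        proto_match = ace["proto"] == "ip" or ace["proto"] == proto  # "ip" covers TCP and UDP
        port_match = ace["port"] is None or ace["port"] == dst_port
        if proto_match and port_match:
            return ace["action"], n
    return "deny", None


# The ACL as posted in the question: the permit sits before the DNS deny.
ORIGINAL = [
    "deny tcp any any eq telnet",
    "deny tcp any any eq 22",
    "deny tcp any any eq www",
    "deny tcp any any eq 443",
    "permit ip any any",
    "deny tcp any any eq domain",
]
# Constructed corrected list: every deny, TCP and UDP 53 included, ahead of the permit.
CORRECTED = [
    "deny tcp any any eq telnet",
    "deny tcp any any eq 22",
    "deny tcp any any eq www",
    "deny tcp any any eq 443",
    "deny tcp any any eq domain",
    "deny udp any any eq domain",
    "permit ip any any",
]

if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, 53, "original:", evaluate(ORIGINAL, proto, 53),
              "corrected:", evaluate(CORRECTED, proto, 53))
```

Port 53 matches line 5 (the permit) in the posted list for both TCP and UDP, so the trailing deny is never reached; in the corrected list the same packets stop at the deny lines, while an unlisted port still falls through to the final permit.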
