Cisco Support Community

New Member

Access Lists

I used to have the following access lists, running on Cisco 2501, IOS 10.2(13):

access-list 101 permit 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq 137
access-list 101 deny udp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny udp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq 139
access-list 101 deny icmp any any
access-list 101 permit ip any any

access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq 135
access-list 102 deny tcp any any eq 137
access-list 102 deny udp any any eq 137
access-list 102 deny tcp any any eq 138
access-list 102 deny udp any any eq 138
access-list 102 deny tcp any any eq 139
access-list 102 deny udp any any eq 139
access-list 102 deny icmp any any
access-list 102 permit ip any any

However, when I upgraded to IOS 11.2, the access lists were changed. For example, on the fifth line, instead of equal 137 on access list 101 for udp, it changed to "netbios-ns". It also changed to "netbios-dgm" instead of 138 on access list 101 for udp, etc. It does the same thing for access list 102. I would like to know if I need to fix the access lists:

access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq 137
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 138
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny icmp any any
access-list 101 permit ip any any

access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq 135
access-list 102 deny tcp any any eq 137
access-list 102 deny udp any any eq netbios-ns
access-list 102 deny tcp any any eq 138
access-list 102 deny udp any any eq netbios-dgm
access-list 102 deny tcp any any eq 139
access-list 102 deny udp any any eq netbios-ss
access-list 102 deny icmp any any
access-list 102 permit ip any any

Thanks.

4 REPLIES

Re: Access Lists

No, the newer version of IOS knows what those ports correspond to, and rather than give you simply the # of the port, it's substituting an acronym for what the port actually is. There is no need to fix the ACL; it is the same as it was before you upgraded!!

New Member

Re: Access Lists

Thank you very much for your quick response. I have tried many times to change to the correct ports unsuccessfully.

Thanks.

Cisco Employee

Re: Access Lists

This is just a translation from port number to protocol name and doesn't affect the way the ACL behaves when filtering traffic.

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México 
Paseo de la Reforma 222 Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: Access Lists

Thank you very much for your quick response.
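To confirm after an upgrade that a re-rendered ACL still filters the same traffic, the two listings can be normalized and compared entry by entry. The script below is an added example, not part of the thread or of any Cisco tool. Its function names are hypothetical, its keyword table covers only the three names seen in this thread, and it assumes every entry carries a protocol keyword.

```python
from itertools import zip_longest

# IOS port keywords seen in this thread and their numbers (not a full table).
PORT_NAMES = {"netbios-ns": "137", "netbios-dgm": "138", "netbios-ss": "139"}
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}

def take_addr(t, i):
    """Consume one address spec starting at t[i]; return (canonical, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + " 0.0.0.0", i + 2
    # A wildcard of 255.255.255.255 ignores every address bit, which is 'any'.
    return ("any" if t[i + 1] == "255.255.255.255" else t[i] + " " + t[i + 1]), i + 2

def take_ports(t, i):
    """Consume an optional port match (eq 137, range 137 139, ...) at t[i]."""
    if i < len(t) and t[i] in PORT_OPS:
        n = 3 if t[i] == "range" else 2
        return " ".join(PORT_NAMES.get(x, x) for x in t[i:i + n]), i + n
    return "", i

def normalize_ace(line):
    """Canonical tuple for one extended access-list entry (assumes a protocol keyword)."""
    t = line.lower().split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("not an extended access-list entry: %r" % line)
    src, i = take_addr(t, 4)
    sport, i = take_ports(t, i)
    dst, i = take_addr(t, i)
    dport, i = take_ports(t, i)
    return (t[1], t[2], t[3], src, sport, dst, dport, " ".join(t[i:]))

def acl_diff(before, after):
    """Entries that differ, by position; order matters because ACLs are first-match."""
    a = [normalize_ace(l) for l in before.splitlines() if l.strip()]
    b = [normalize_ace(l) for l in after.splitlines() if l.strip()]
    return [(n, x, y) for n, (x, y) in enumerate(zip_longest(a, b), 1) if x != y]

# Constructed samples modelled on the thread's list 101 (a subset of its entries).
BEFORE = """access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 139"""
AFTER = """access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-ss"""

if __name__ == "__main__":
    print(acl_diff(BEFORE, AFTER) or "ACLs are equivalent")
```

An empty result means only the rendering changed. Any tuple returned names the entry position where the action, protocol, addresses or ports actually differ.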
