Cisco Support Community

New Member

acl placement

Applying this ACL to restrict traffic to/from the VLAN. The SQL server needs to talk to a specific PC:

SQL server: 192.168.4.30

PC: 192.168.57.50

Do I place this ACL at the beginning of the "deny" statements to PERMIT these two boxes to talk with each other but STILL deny other hosts not requiring these ports?

I have the ACL bound to the interface both inbound and outbound.

----------------------

access-list 105 permit tcp host 192.168.4.30 host 192.168.57.50 eq 1433 (sql port???)
access-list 105 deny tcp any eq 21 any
access-list 105 deny udp any eq 21 any
access-list 105 deny tcp any eq 23 any
access-list 105 deny udp any eq 23 any
access-list 105 deny tcp any eq 25 any
access-list 105 deny udp any eq 25 any
access-list 105 deny tcp any eq 53 any
access-list 105 deny tcp any eq 102 any
access-list 105 deny udp any eq 102 any
access-list 105 deny tcp any eq 135 any
access-list 105 deny tcp any eq 389 any
access-list 105 deny udp any eq 389 any
access-list 105 deny tcp any eq 522 any
access-list 105 deny udp any eq 522 any
access-list 105 deny tcp any eq 636 any
access-list 105 deny udp any eq 636 any
access-list 105 deny tcp any eq 1494 any
access-list 105 deny udp any eq 1494 any
access-list 105 deny tcp any eq 1503 any
access-list 105 deny udp any eq 1503 any
access-list 105 deny tcp any eq 1720 any
access-list 105 deny udp any eq 1720 any
access-list 105 deny tcp any eq 1731 any
access-list 105 deny udp any eq 1731 any
access-list 105 deny tcp any eq 1755 any
access-list 105 deny udp any eq 1755 any
access-list 105 deny tcp any eq 1801 any
access-list 105 deny udp any eq 1801 any
access-list 105 deny tcp any eq 2701 any
access-list 105 deny udp any eq 2701 any
access-list 105 deny tcp any eq 2702 any
access-list 105 deny udp any eq 2702 any
access-list 105 deny tcp any eq 2703 any
access-list 105 deny udp any eq 2703 any
access-list 105 deny tcp any eq 2704 any
access-list 105 deny udp any eq 2704 any
access-list 105 deny tcp any eq 2725 any
access-list 105 deny udp any eq 2725 any
access-list 105 deny tcp any eq 6666 any
access-list 105 deny udp any eq 6666 any
access-list 105 deny tcp any eq 6667 any
access-list 105 deny udp any eq 6667 any
access-list 105 deny tcp any eq 67 any
access-list 105 deny tcp any eq 69 any
access-list 105 deny tcp any eq 110 any
access-list 105 deny tcp any eq 143 any
access-list 105 deny tcp any eq 119 any
access-list 105 deny tcp any eq 161 any
access-list 105 deny tcp any eq 162 any
access-list 105 deny tcp any eq 445 any
access-list 105 deny tcp any eq 515 any
access-list 105 deny tcp any eq 563 any
access-list 105 deny tcp any eq 593 any
access-list 105 deny tcp any eq 993 any
access-list 105 deny tcp any eq 995 any
access-list 105 deny tcp any eq 1270 any
access-list 105 deny tcp any eq 1433 any
access-list 105 deny tcp any eq 1723 any
access-list 105 deny tcp any eq 2103 any
access-list 105 deny tcp any eq 2105 any
access-list 105 deny tcp any eq 2107 any
access-list 105 deny tcp any eq 2393 any
access-list 105 deny tcp any eq 2394 any
access-list 105 deny tcp any eq 2725 any
access-list 105 deny tcp any eq 2869 any
access-list 105 deny tcp any eq 3268 any
access-list 105 deny tcp any eq 3269 any
access-list 105 deny tcp any eq 3389 any
access-list 105 deny tcp any eq 5000 any
access-list 105 deny tcp any eq 51515 any
access-list 105 deny udp any eq 67 any
access-list 105 deny udp any eq 500 any
access-list 105 deny udp any eq 1434 any
access-list 105 permit ip any any log

2 REPLIES

Re: acl placement

Ouch! It looks as if you want to deny almost everything. In that case, it is good to know that an ACL will deny anything that is not explicitly permitted. You might consider reversing it. It will probably shorten your ACL, which I now find way too long. Remember that every line is checked for each qualifying packet; that equals a lot of overhead!

If you would follow this advice you would get something like:

access-list 105 permit tcp host 192.168.4.30 host 192.168.57.50 eq 1433

access-list 105 permit tcp any any eq

It would suffice to apply the ACL in the outbound direction. Remember, the order of entries is . If you look carefully at your current list, you might notice that in your list the sockets are behind the source, which will likely lead to unexpected results.

Regards,

Leo
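The three behaviours Leo relies on (first match wins, the implicit deny at the end, and the position of `eq` deciding whether the source or the destination port is tested), shown as an added example that is not part of this thread or of Cisco's code: a small Python evaluator for the extended-ACL syntax used above, run over a constructed subset of the list. The names ORIGINAL, REVERSED and SHADOWED and the sample flows are constructed for the illustration.

```python
import re

# Added example (not from the thread or from Cisco): a minimal first-match
# evaluator for the extended-ACL syntax used above. It models only what the
# thread uses: tcp/udp/ip, "any" or "host x", and an optional "eq <port>"
# after either address.
ENTRY = re.compile(
    r"access-list \d+ (permit|deny) (tcp|udp|ip) "
    r"(any|host \S+)(?: eq (\d+))? (any|host \S+)(?: eq (\d+))?"
)

def parse(lines):
    """Turn ACL lines into (action, proto, src, sport, dst, dport) tuples."""
    entries = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if m:
            act, proto, src, sp, dst, dp = m.groups()
            entries.append((act, proto, src, sp and int(sp), dst, dp and int(dp)))
    return entries

def _addr_ok(spec, ip):
    return spec == "any" or spec == f"host {ip}"

def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry wins; falling off the end is the implicit deny."""
    for act, p, s, sp, d, dp in entries:
        if p != "ip" and p != proto:
            continue
        if not (_addr_ok(s, src) and _addr_ok(d, dst)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return act
    return "deny"

# Constructed samples. ORIGINAL keeps the thread's "eq" after the source;
# REVERSED is the allow-list shape Leo suggests; SHADOWED shows ordering.
ORIGINAL = parse([
    "access-list 105 permit tcp host 192.168.4.30 host 192.168.57.50 eq 1433",
    "access-list 105 deny tcp any eq 21 any",
    "access-list 105 deny tcp any eq 1433 any",
    "access-list 105 permit ip any any log",
])
REVERSED = parse([
    "access-list 105 permit tcp host 192.168.4.30 host 192.168.57.50 eq 1433",
])
SHADOWED = parse([
    "access-list 105 deny tcp any any eq 1433",
    "access-list 105 permit tcp host 192.168.4.30 host 192.168.57.50 eq 1433",
])
```

Evaluating a connection to destination port 21 against ORIGINAL returns "permit" (the `eq 21` tests the source port, so only replies from port 21 are denied), a third host reaching port 1433 is also permitted by the final `permit ip any any`, while REVERSED denies both by the implicit deny and SHADOWED never reaches its permit line.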

New Member

Re: acl placement

Thanks for your reply.

Based on what you said, how would you approach this task? The requirement is that viruses, worms, etc. be stopped in/out of this VLAN.

Thanks for any info you share.
