ACLs and the NAT table

sdross
Level 1

Any suggestions would be appreciated. Below are the related lines in the ACLs for inbound and outbound. I have entries in the NAT translation table that point to TCP connections on port 139. Why?

out

access-list 110 deny tcp any any range 137 139

in

access-list 111 deny tcp any any range 137 139

Thanks in advance.

5 Replies

vaughan.lee
Level 1

TCP ports 137 - 139 are those used by NetBIOS. Basically, the lists are blocking any Windows-type traffic from passing.

The full port mappings are:

137 NETBIOS Name Service
138 NETBIOS Datagram Service
139 NETBIOS Session Service

So how do I keep outsiders from connecting to these ports using other systems, or don't I? What would be the proper ACL?

Could someone explain the NetBIOS access-filter and whether that would help this situation as stated above? Thanks.

To prevent outsiders from entering your network using NetBIOS (Windows), use the following ACL entries. These entries will also prevent users inside from using NetBIOS outside of your network (a good thing to implement):

in

access-list 111 deny udp any any eq netbios-ns
access-list 111 deny udp any any eq netbios-dgm
access-list 111 deny tcp any any range 137 139
access-list 111 deny udp any any eq 139

out

access-list 110 deny udp any any eq netbios-ns
access-list 110 deny udp any any eq netbios-dgm
access-list 110 deny tcp any any range 137 139
access-list 110 deny udp any any eq 139

Actually what I had was:

access-list 130 deny udp any any range netbios-ns netbios-ss
access-list 130 deny tcp any any range 137 139

access-list 131 deny udp any any range netbios-ns netbios-ss
access-list 131 deny tcp any any range 137 139

Is this any different in function from what you stated above?

I have this in my ACL statement and am still getting connections in my NAT translation table that point to the inside local and inside global addresses at TCP 139.
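To check the question of whether the two ACL variants posted above differ in function, here is an added example (not code from any poster or from Cisco) that parses both sets of entries, assuming the standard IOS port keywords netbios-ns = 137, netbios-dgm = 138 and netbios-ss = 139, and evaluates every TCP/UDP destination port around the NetBIOS range to find any port where the two lists decide differently.

```python
import re

# Standard IOS port keywords used in the quoted ACL lines (assumed mapping).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(deny|permit)\s+(tcp|udp|ip)\s+any\s+any"
    r"(?:\s+(eq\s+\S+|range\s+\S+\s+\S+))?$"
)

def _port(token):
    """Resolve a numeric port or an IOS port keyword to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_ace(line):
    """Parse one 'access-list N deny|permit PROTO any any [eq P | range A B]' entry."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    acl, action, proto, ports = m.groups()
    if ports is None:                       # no port qualifier: all ports
        lo, hi = 0, 65535
    elif ports.startswith("eq"):
        lo = hi = _port(ports.split()[1])
    else:
        _, a, b = ports.split()
        lo, hi = _port(a), _port(b)
    return {"acl": acl, "action": action, "proto": proto, "lo": lo, "hi": hi}

def evaluate(aces, proto, dport):
    """First matching entry wins, with IOS's implicit deny at the end of the list."""
    for ace in aces:
        if ace["proto"] in (proto, "ip") and ace["lo"] <= dport <= ace["hi"]:
            return ace["action"]
    return "deny"

# Constructed input: the two inbound variants from the thread, each followed by an
# explicit permit so the implicit deny does not hide differences.
ACL_111 = [parse_ace(l) for l in [
    "access-list 111 deny udp any any eq netbios-ns",
    "access-list 111 deny udp any any eq netbios-dgm",
    "access-list 111 deny tcp any any range 137 139",
    "access-list 111 deny udp any any eq 139",
    "access-list 111 permit ip any any"]]
ACL_131 = [parse_ace(l) for l in [
    "access-list 131 deny udp any any range netbios-ns netbios-ss",
    "access-list 131 deny tcp any any range 137 139",
    "access-list 131 permit ip any any"]]

def compare(acl_a, acl_b, ports=range(130, 150)):
    """Return (proto, port) pairs on which the two ACLs disagree; empty means equivalent."""
    return [(proto, p) for proto in ("tcp", "udp") for p in ports
            if evaluate(acl_a, proto, p) != evaluate(acl_b, proto, p)]
```

An empty result from compare() means the range form and the three eq entries block exactly the same NetBIOS ports; the script does not model NAT, so it says nothing about why translations for port 139 still appear.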