Cisco Support Community
ACLs and the NAT table

Any suggestions would be appreciated. Below are the related lines in the ACLs for inbound and outbound. I have entries in the NAT translation table that point to TCP connections on port 139. Why?

out

access-list 110 deny tcp any any range 137 139

in

access-list 111 deny tcp any any range 137 139

Thanks in advance.

5 REPLIES

Re: ACLs and the NAT table

TCP ports 137-139 are those used by NetBIOS. Basically, the lists are blocking any Windows-type traffic from passing.

The full port mappings are:

137 NetBIOS Name Service

138 NetBIOS Datagram Service

139 NetBIOS Session Service


Re: ACLs and the NAT table

So how do I keep outsiders from connecting to these ports using other systems, or don't I? What would be the proper ACL?


Re: ACLs and the NAT table

Could someone explain the NetBIOS access filter and whether it would help the situation stated above? Thanks.


Re: ACLs and the NAT table

To prevent outsiders from entering your network using NetBIOS (Windows), use the following ACL entries. These entries will also prevent users inside from using NetBIOS outside of your network (a good thing to implement):

in

access-list 111 deny udp any any eq netbios-ns

access-list 111 deny udp any any eq netbios-dgm

access-list 111 deny tcp any any range 137 139

access-list 111 deny udp any any eq 139

out

access-list 110 deny udp any any eq netbios-ns

access-list 110 deny udp any any eq netbios-dgm

access-list 110 deny tcp any any range 137 139

access-list 110 deny udp any any eq 139


Re: ACLs and the NAT table

Actually what I had was:

access-list 130 deny udp any any range netbios-ns netbios-ss

access-list 130 deny tcp any any range 137 139

access-list 131 deny udp any any range netbios-ns netbios-ss

access-list 131 deny tcp any any range 137 139

Is this any different in function from what you stated above?

I have this in my ACL statement and am still getting connections in my NAT translation table that point to the inside local and inside global addresses at TCP 139.
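
The last post asks whether the 130/131 lists behave the same as the 110/111 lists. A practitioner's way to settle that is to compare the two lists by the decisions they make rather than by eye. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for the subset of IOS extended-ACL syntax used in the posts (addresses written as "any" or "host A.B.C.D", the "eq" and "range" port operators, the protocols ip/tcp/udp), with the IOS keywords netbios-ns, netbios-dgm and netbios-ss resolved to 137, 138 and 139. It models the implicit "deny ip any any" that ends every IOS ACL, so a list made only of deny lines drops everything; a trailing "permit ip any any" is appended to both lists here as an assumption, since the posts show only the "related" deny lines. The sample flows are constructed for the example. Two caveats for the original question that the evaluator cannot check: which interface and direction each list is applied to, and the IOS order of operations, where for inside-to-outside traffic the NAT translation is created before the output access list is evaluated, so a dynamic translation for TCP 139 can appear in "show ip nat translations" even though the output ACL then drops the packet.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the thread and the numbers they stand for.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
PortRange = Optional[Tuple[int, int]]  # inclusive bounds; None means "any port"


def port_value(tok: str) -> int:
    """Resolve an IOS port keyword or a decimal port number."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp" or "udp"
    src: str     # "any" or a host address
    sports: PortRange
    dst: str
    dports: PortRange


def _parse_endpoint(tokens: List[str]) -> Tuple[str, PortRange, List[str]]:
    """Consume one address (any | host A.B.C.D) plus an optional eq/range operator."""
    if tokens[0] == "any":
        addr, rest = "any", tokens[1:]
    elif tokens[0] == "host":
        addr, rest = tokens[1], tokens[2:]
    else:
        raise ValueError(f"unsupported address form: {tokens[0]}")
    ports: PortRange = None
    if rest and rest[0] == "eq":
        ports, rest = (port_value(rest[1]), port_value(rest[1])), rest[2:]
    elif rest and rest[0] == "range":
        ports, rest = (port_value(rest[1]), port_value(rest[2])), rest[3:]
    return addr, ports, rest


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> <proto> <src> [op] <dst> [op]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not a numbered ACL entry: {line!r}")
    src, sports, rest = _parse_endpoint(tok[4:])
    dst, dports, rest = _parse_endpoint(rest)
    if rest:
        raise ValueError(f"unsupported trailing tokens: {rest}")
    return Ace(tok[2], tok[3], src, sports, dst, dports)


def ace_matches(ace: Ace, f: Flow) -> bool:
    def in_range(ports: PortRange, p: int) -> bool:
        return ports is None or ports[0] <= p <= ports[1]
    return (ace.proto in ("ip", f.proto)
            and ace.src in ("any", f.src) and ace.dst in ("any", f.dst)
            and in_range(ace.sports, f.sport) and in_range(ace.dports, f.dport))


def evaluate(acl: List[str], f: Flow) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, f):
            return ace.action
    return "deny"


def differing_flows(acl_a: List[str], acl_b: List[str], flows: List[Flow]) -> List[Flow]:
    """Flows on which the two ACLs reach different decisions."""
    return [f for f in flows if evaluate(acl_a, f) != evaluate(acl_b, f)]


# The two inbound lists from the thread. The trailing permit is an assumption added
# here: the posts show only the "related" deny lines, and without a permit the
# implicit deny drops everything, which would make any two deny-only lists identical.
ACL_111 = [
    "access-list 111 deny udp any any eq netbios-ns",
    "access-list 111 deny udp any any eq netbios-dgm",
    "access-list 111 deny tcp any any range 137 139",
    "access-list 111 deny udp any any eq 139",
    "access-list 111 permit ip any any",
]
ACL_131 = [
    "access-list 131 deny udp any any range netbios-ns netbios-ss",
    "access-list 131 deny tcp any any range 137 139",
    "access-list 131 permit ip any any",
]

# Constructed sample flows (not from the thread): NetBIOS ports, their neighbours
# and SMB over 445, for both transport protocols.
SAMPLE_FLOWS = [Flow(proto, "198.51.100.10", "192.0.2.20", 40000, dport)
                for proto in ("tcp", "udp") for dport in (136, 137, 138, 139, 140, 445)]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.proto}/{f.dport}: 111={evaluate(ACL_111, f)}  131={evaluate(ACL_131, f)}")
    print("flows where 111 and 131 differ:", differing_flows(ACL_111, ACL_131, SAMPLE_FLOWS))
```

Run as a script it prints the decision of each list for every sample flow and an empty difference list: the three udp "eq" lines in 111 cover exactly the udp "range netbios-ns netbios-ss" line in 131, and the tcp lines are identical. Drop the trailing permit from either list (ACL_111[:4]) and every flow comes back "deny", which is what the real router does with a deny-only ACL.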
