Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
400
Views
0
Helpful
5
Replies

Blocking nntp for newsgroups and all udp ports?

blamoreaux
Level 1
Level 1

‎11-26-2002 05:14 AM - edited ‎03-02-2019 03:10 AM

Can anyone give me an idea why this config. is not blocking the incoming nntp port and udp ports. We can still download news groups even after adding deny lines. We would like to block all udp if possible. Static ips were added for the web server.

Thanks ahead. Good holidays.

Router3640#show run

Building configuration...

Current configuration : 1769 bytes

!

version 12.1

no service single-slot-reload-enable

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router3640

!

logging rate-limit console 10

enable secret 5 $1$.Nkz$gUmVm3La1a6lbJZ1JscLo0

!

!

!

ip subnet-zero

!

!

no ip finger

ip dhcp excluded-address 10.0.0.1

!

ip dhcp pool cisco3640

network 10.0.0.0 255.0.0.0

default-router 10.0.0.1

dns-server 206.196.128.1 204.147.80.5

!

no ip dhcp-client network-discovery

no mgcp timer receive-rtcp

call rsvp-sync

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

ip address 10.0.0.1 255.0.0.0

ip nat inside

no ip mroute-cache

duplex auto

speed auto

!

interface ATM0/1

no ip address

no ip mroute-cache

atm vc-per-vp 256

no atm ilmi-keepalive

pvc 0/32

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

no fair-queue

hold-queue 224 in

!

interface Dialer0

ip address 63.231.77.134 255.255.255.248

ip nat outside

encapsulation ppp

dialer pool 1

dialer-group 1

ppp pap sent-username xxxxxpassword xxxxxxx

!

interface Dialer101

no ip address

no cdp enable

!

ip nat inside source list 101 interface Dialer0 overload

ip nat inside source static 10.0.0.2 63.231.77.129

ip nat inside source static 10.0.0.3 63.231.77.130

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

no ip http server

!

no logging trap

access-list 101 permit ip 10.0.0.0 0.255.255.255 any

access-list 101 deny tcp any eq nntp any

access-list 101 deny udp any eq 1075 any

access-list 101 deny udp any eq 1028 any

dialer-list 1 protocol ip permit

!

!

!

dial-peer cor custom

!

!

!

!

line con 0

transport input none

line aux 0

line vty 0 4

no exec

exec-timeout 0 1

password qwest

login

transport input none

!

end

Router3

Labels:
0 Helpful
5 Replies 5

bhaase
Level 1
Level 1

‎11-26-2002 07:38 AM

First you need to make ACL 101 two seperate lists.

Ex.

ACL 101 for NAT

access-list 101 permit ip 10.0.0.0 0.255.255.255 any

ACL 102 for blocking udp and nntp

access-list 102 deny tcp any eq nntp any

access-list 102 deny udp any eq 1075 any

access-list 102 deny udp any eq 1028 any

access-list 102 permit ip any any

Then you need to apply ACL 102 inbound to your outside interface.

Ex.

access-group 102 in

Hope this helps

0 Helpful

bizsnatch
Level 1
Level 1
In response to bhaase

‎11-26-2002 08:02 AM

"access-list 101 permit ip 10.0.0.0 0.255.255.255 any

access-list 101 deny tcp any eq nntp any

access-list 101 deny udp any eq 1075 any

access-list 101 deny udp any eq 1028 any

dialer-list 1 protocol ip permit "

Also, wouldn't this allow all traffic with the source 10.x.x.x/24 address? Access lists go from top to bottom and when finding a match, exit the access list, thus never seeing the denies... maybe put your deny statements first.

0 Helpful

blamoreaux
Level 1
Level 1
In response to bizsnatch

‎11-27-2002 05:15 AM

Made some changes to the config, created another dialer 102 and applied the access-list 102 with ip access-group 102 in but still am able to download news groups from a news server and am not blocking all ports for udp traffic?

new config:

Router3640>enable

Password:

Router3640#show run

Building configuration...

Current configuration : 1818 bytes

!

version 12.1

no service single-slot-reload-enable

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router3640

!

logging rate-limit console 10

enable secret 5 $1$.Nkz$gUmVm3La1a6lbJZ1JscLo0

!

!

!

ip subnet-zero

!

!

no ip finger

ip dhcp excluded-address 10.0.0.1

!

ip dhcp pool cisco3640

network 10.0.0.0 255.0.0.0

default-router 10.0.0.1

dns-server 206.196.128.1 204.147.80.5

!

no ip dhcp-client network-discovery

no mgcp timer receive-rtcp

call rsvp-sync

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

ip address 10.0.0.1 255.0.0.0

ip nat inside

no ip mroute-cache

duplex auto

speed auto

!

interface ATM0/1

no ip address

no ip mroute-cache

atm vc-per-vp 256

no atm ilmi-keepalive

pvc 0/32

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

no fair-queue

hold-queue 224 in

!

interface Dialer0

ip address 63.231.77.134 255.255.255.248

ip nat outside

encapsulation ppp

dialer pool 1

dialer-group 1

ppp pap sent-username wlamor password 7 120A0B16190E1F5678

!

interface Dialer101

no ip address

ip access-group 102 in

no cdp enable

!

interface Dialer102

no ip address

ip access-group 102 in

no cdp enable

!

ip nat inside source list 101 interface Dialer0 overload

ip nat inside source static 10.0.0.2 63.231.77.129

ip nat inside source static 10.0.0.3 63.231.77.130

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

no ip http server

!

no logging trap

access-list 101 permit ip 10.0.0.0 0.255.255.255 any

access-list 102 deny tcp any eq nntp any

access-list 102 deny udp any any

dialer-list 1 protocol ip permit

!

!

!

dial-peer cor custom

!

!

!

!

line con 0

transport input none

line aux 0

line vty 0 4

no exec

exec-timeout 0 1

password qwest

login

transport input none

!

end

Router3640# config t

Enter configuration commands, one per line. End with CNTL/Z.

Router3640(config)#int dialer 102

Router3640(config-if)#ip access-group 102 in

Router3640(config-if)#ip access-group 102 out

Router3640(config-if)#^Z

Router3640#

3d15h: %SYS-5-CONFIG_I: Configured from console by console

Router3640#copy run star

Destination filename [startup-config]?

Building configuration...

[OK]

Router3640#show run

Building configuration...

Current configuration : 1843 bytes

!

version 12.1

no service single-slot-reload-enable

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router3640

!

logging rate-limit console 10

enable secret 5 $1$.Nkz$gUmVm3La1a6lbJZ1JscLo0

!

!

!

ip subnet-zero

!

!

no ip finger

ip dhcp excluded-address 10.0.0.1

!

ip dhcp pool cisco3640

network 10.0.0.0 255.0.0.0

default-router 10.0.0.1

dns-server 206.196.128.1 204.147.80.5

!

no ip dhcp-client network-discovery

no mgcp timer receive-rtcp

call rsvp-sync

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

ip address 10.0.0.1 255.0.0.0

ip nat inside

no ip mroute-cache

duplex auto

speed auto

!

interface ATM0/1

no ip address

no ip mroute-cache

atm vc-per-vp 256

no atm ilmi-keepalive

pvc 0/32

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

no fair-queue

hold-queue 224 in

!

interface Dialer0

ip address 63.231.77.134 255.255.255.248

ip nat outside

encapsulation ppp

dialer pool 1

dialer-group 1

ppp pap sent-username wlamor password 7 120A0B16190E1F5678

!

interface Dialer101

no ip address

ip access-group 102 in

no cdp enable

!

interface Dialer102

no ip address

ip access-group 102 in

ip access-group 102 out

no cdp enable

!

ip nat inside source list 101 interface Dialer0 overload

ip nat inside source static 10.0.0.2 63.231.77.129

ip nat inside source static 10.0.0.3 63.231.77.130

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

no ip http server

!

no logging trap

access-list 101 permit ip 10.0.0.0 0.255.255.255 any

access-list 102 deny tcp any eq nntp any

access-list 102 deny udp any any

dialer-list 1 protocol ip permit

!

!

!

dial-peer cor custom

!

!

!

!

line con 0

transport input none

line aux 0

line vty 0 4

no exec

exec-timeout 0 1

password qwest

login

transport input none

!

end

0 Helpful

bhaase
Level 1
Level 1
In response to blamoreaux

‎11-27-2002 08:59 AM

I think you might need to apply the ACL 102 to dialer0 interface although I am not sure exactly what your network layout is. Also on ACL 102 you will want to add "access-list 102 permit ip any any" to the end of the list because ACLs automatically append a deny all statement to the end.

0 Helpful

blamoreaux
Level 1
Level 1
In response to bhaase

‎11-27-2002 06:53 PM

Thanks so much, the following seems to be working.

Blocks news groups downloading

Blocks udp on some ports (I'm not sure it is necessary now to block the udp ports to secure the router. It doesn't appear that it hurts to leave them open.

config:

Router3640#copy startup-config tftp

Address or name of remote host []? 10.0.0.3

Destination filename [router3640-confg]? pppoastatic

!!

1961 bytes copied in 0.180 secs

Router3640#show run

Building configuration...

Current configuration : 1961 bytes

!

version 12.1

no service single-slot-reload-enable

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router3640

!

logging rate-limit console 10

enable secret 5 $1$.Nkz$gUmVm3La1a6lbJZ1JscLo0

!

!

!

ip subnet-zero

!

!

no ip finger

ip dhcp excluded-address 10.0.0.1

!

ip dhcp pool cisco3640

network 10.0.0.0 255.0.0.0

default-router 10.0.0.1

dns-server 206.196.128.1 204.147.80.5

!

no ip dhcp-client network-discovery

no mgcp timer receive-rtcp

call rsvp-sync

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

ip address 10.0.0.1 255.0.0.0

ip nat inside

no ip mroute-cache

duplex auto

speed auto

!

interface ATM0/1

no ip address

no ip mroute-cache

atm vc-per-vp 256

no atm ilmi-keepalive

pvc 0/32

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

no fair-queue

hold-queue 224 in

!

interface Dialer0

ip address 63.231.77.134 255.255.255.248

ip access-group 102 in

ip nat outside

encapsulation ppp

dialer pool 1

dialer-group 1

ppp pap sent-username wlamor password 7 120A0B16190E1F5678

!

interface Dialer101

no ip address

no cdp enable

!

interface Dialer102

no ip address

no cdp enable

!

ip nat inside source list 101 interface Dialer0 overload

ip nat inside source static 10.0.0.2 63.231.77.129

ip nat inside source static 10.0.0.3 63.231.77.130

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

no ip http server

!

no logging trap

access-list 101 permit ip 10.0.0.0 0.255.255.255 any

access-list 102 deny tcp any eq nntp any

access-list 102 deny udp any eq netbios-ns any

access-list 102 deny udp any eq 1075 any

access-list 102 deny udp any eq 1028 any

access-list 102 permit ip any any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

!

!

dial-peer cor custom

!

!

!

!

line con 0

transport input none

line aux 0

line vty 0 4

no exec

exec-timeout 0 1

password qwest

login

transport input none

!

end

Router3640#

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents