Cisco Support Community

NT Domain across Access-Lists


I have Cisco 6006 Cores and want to lock a vlan down - however still want the PCs to be able to log on to certain shares and the domain. I have done some reading but can't find a definitive answer - which I find surprising considering most people must be using NT4 and above.

This is what I'm trying to do :) I have the domain server say on and my computer on say but I want to lock this vlan right the way down so it can authenticate but not much else. (There will be a few other ports for service but in general.)

I tried this access-list but don't seem to get any joy:

permit udp any eq netbios-ns eq netbios-ns (219 matches)

permit udp any eq netbios-dgm eq netbios-dgm (13 matches)

permit tcp any gt 1023 eq 139 (20 matches)

permit udp eq netbios-dgm any eq netbios-dgm (13 matches)

permit udp eq netbios-ns any eq netbios-ns (107 matches)

permit tcp eq 139 any eq 139

permit tcp any eq 42 eq 42

deny ip any any (1727 matches)

As you can see, I'm getting hits but still can't auth or join the domain. Any ideas? Has anyone managed to do this? What's the tightest option?

Thanks for any help
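
An added example, not part of the original post: a first-match evaluation of the posted access-list against the NetBIOS flows it names, showing which entry each packet hits. The addresses are constructed placeholders (the post's own addresses are missing from the page), the missing host in each entry is assumed to be the domain server, and the list is assumed to be evaluated for traffic in both directions.

```python
# Added example: first-match walk of the access-list from the post.
# DC and PC are constructed placeholders; the post's addresses are not on the page.
DC, PC = "192.0.2.10", "198.51.100.20"
NAMED = {"netbios-ns": 137, "netbios-dgm": 138}

def port_ok(spec, port):
    """spec is None (any port), ("eq", p) or ("gt", p)."""
    if spec is None:
        return True
    op, val = spec
    val = NAMED.get(val, val)
    return port == val if op == "eq" else port > val

# (action, proto, src, src_port, dst, dst_port), in the order posted.
ACL = [
    ("permit", "udp", "any", ("eq", "netbios-ns"), DC, ("eq", "netbios-ns")),
    ("permit", "udp", "any", ("eq", "netbios-dgm"), DC, ("eq", "netbios-dgm")),
    ("permit", "tcp", "any", ("gt", 1023), DC, ("eq", 139)),
    ("permit", "udp", DC, ("eq", "netbios-dgm"), "any", ("eq", "netbios-dgm")),
    ("permit", "udp", DC, ("eq", "netbios-ns"), "any", ("eq", "netbios-ns")),
    ("permit", "tcp", DC, ("eq", 139), "any", ("eq", 139)),
    ("permit", "tcp", "any", ("eq", 42), DC, ("eq", 42)),
    ("deny", "ip", "any", None, "any", None),
]

def evaluate(proto, src, sport, dst, dport):
    """Return (1-based entry number, action) of the first matching entry."""
    for n, (action, p, s, sp, d, dp) in enumerate(ACL, 1):
        if (p in ("ip", proto) and s in ("any", src) and d in ("any", dst)
                and port_ok(sp, sport) and port_ok(dp, dport)):
            return n, action
    return len(ACL) + 1, "deny"  # implicit deny at the end of any list

# Constructed flows; 1050 stands in for a client ephemeral port.
FLOWS = {
    "name query, PC to DC": ("udp", PC, 137, DC, 137),
    "name reply, DC to PC": ("udp", DC, 137, PC, 137),
    "session open, PC to DC:139": ("tcp", PC, 1050, DC, 139),
    "session reply, DC:139 to PC": ("tcp", DC, 139, PC, 1050),
}

def audit():
    """Map each flow name to the (entry, action) that decides it."""
    return {name: evaluate(*flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, (n, action) in audit().items():
        print(f"{action:6} entry {n}  {name}")
```

Under these assumptions the session reply from port 139 falls through to the final deny, because the sixth entry requires destination port 139 while the client is listening on its ephemeral port.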



Re: NT Domain across Access-Lists

Uncheck: Require encrypted password

Allow: unencrypted password

Allow: Challenge Handshake Authentication Protocol (CHAP)

Allow: Microsoft CHAP (MS-CHAP)

Uncheck: Shiva Password Authentication Protocol (SPAP)

Uncheck: Allow older MS-CHAP version for Windows 95 servers

Uncheck: Microsoft CHAP Version 2 (MS-CHAP v2)

Check: Accept any authentication including clear-text

Uncheck: Require data encryption

Uncheck: Require encryption (disconnect if server declines)

Uncheck: Maximum strength encryption (disconnect if server declines)
