New Member

ACL for newbies.

I, unfortunately, don't have the luxury of training myself in Cisco, nor of reading anything in-depth. While the IOS manual clearly states how to create and apply ACLs, I need some help on where to apply them, and how not to cut my entire building off when I apply them to the border router.

Specifically, I'm looking to deny any inbound tcp to the 135-139/netbios and 445/w2k-netbios ports.

I'm doing this on a 2600 series router with IOS 12.2.

Can someone help me, or point me to a useful link?

Thanks.

-Robby

Accepted Solution
Cisco Employee

Re: ACL for newbies.

Assuming your outside interface is, say, Serial0, you'd do the following:

access-list 100 deny tcp any any range 135 139
access-list 100 deny tcp any any eq 445
access-list 100 permit ip any any

interface Serial0
 ip access-group 100 in

If you want to be more specific and just block those ports going to your specific inside subnet (say it's 100.1.1.0/24), then just replace the 2nd "any" in each line with "100.1.1.0 0.0.0.255".

Keep in mind that some Netbios traffic is UDP, so you might want to block that also, simply by adding another access-list line similar to what I've shown but with "udp" instead of "tcp".
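As an added illustration that is not part of the original thread or of Cisco's software, the following Python model walks a packet through access-list 100 the way IOS does: top-down, first match wins, wildcard mask bits set to 1 are ignored, and anything that matches no line hits the implicit deny at the end. The subnet-specific form of the lines and the extra UDP line from the answer are included; the outside host 203.0.113.5 and the function names are constructed for the example.

```python
import ipaddress

def spec(addr, wildcard):
    """Build an (address, wildcard) pair; an IOS wildcard bit of 1 means 'don't care'."""
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))

def addr_matches(spec_pair, ip):
    """IOS compares only the address bits where the wildcard mask bit is 0."""
    net, wc = spec_pair
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

ANY = spec("0.0.0.0", "255.255.255.255")   # the keyword "any"
INSIDE = spec("100.1.1.0", "0.0.0.255")    # the answer's example inside /24

# Constructed model of access-list 100 (subnet-specific form plus the UDP line).
# Entry: (action, protocol, source, destination, (low_port, high_port) or None)
ACL_100 = [
    ("deny",   "tcp", ANY, INSIDE, (135, 139)),  # deny tcp any 100.1.1.0 0.0.0.255 range 135 139
    ("deny",   "tcp", ANY, INSIDE, (445, 445)),  # deny tcp any 100.1.1.0 0.0.0.255 eq 445
    ("deny",   "udp", ANY, INSIDE, (135, 139)),  # deny udp any 100.1.1.0 0.0.0.255 range 135 139
    ("permit", "ip",  ANY, ANY,    None),        # permit ip any any
]

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry, or the implicit deny."""
    for action, p, s, d, ports in acl:
        if p != "ip" and p != proto:
            continue
        if not addr_matches(s, src) or not addr_matches(d, dst):
            continue
        if ports is not None and not (ports[0] <= dport <= ports[1]):
            continue
        return action
    return "deny"  # implicit "deny ip any any" at the end of every IOS ACL

if __name__ == "__main__":
    # 203.0.113.5 is a constructed outside host; the packets arrive inbound on Serial0.
    print(evaluate(ACL_100, "tcp", "203.0.113.5", "100.1.1.10", 445))  # deny
    print(evaluate(ACL_100, "tcp", "203.0.113.5", "100.1.1.10", 80))   # permit
    # Leaving out the final permit line is how the whole building gets cut off:
    print(evaluate(ACL_100[:3], "tcp", "203.0.113.5", "100.1.1.10", 80))  # deny
```

The last call is the check worth running before applying the list: without the trailing "permit ip any any", every inbound packet, not just NetBIOS, is dropped.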

4 REPLIES

New Member

Re: ACL for newbies.

Thank you very much.

That's exactly what I needed.

Do you all know a place to get more implementation oriented information about IOS?

The manuals are all I can find.

-Robby

New Member

Re: ACL for newbies.

Get the ICND book; it's great for the basics and for getting to grips with the real world.

By the way are you in a completely W2K environment?

New Member

Re: ACL for newbies.

What does ICND stand for? (Sorry, I'm REALLY new at this and have no real choice but to suddenly be good at it.)

No. We're in a mixed 9x/NT/2k environment. Why?

-Robby
