Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Default ACL for multiple sub-interfaces

As our 7206 has multiple sub-interfaces for our Internet clients, I'm looking at a generic ACL I can apply to each one to deny things like netbios traffic, telnet access etc, but still allowing them full internet access...eg.

(Just logging all for debugging purposes)

access-list 132 deny udp any eq netbios-dgm any log-input

access-list 132 deny udp any eq netbios-ns any log-input

access-list 132 deny udp any eq netbios-ss any log-input

access-list 132 deny tcp any eq 137 any log-input

access-list 132 deny tcp any eq 138 any log-input

access-list 132 deny tcp any eq 139 any log-input

access-list 132 deny tcp any eq 23 any log-input

access-list 132 permit ip any any

But I can't see a way to have a default deny policy, without killing there Interenet connection..

Any suggestions/Comments are greatly appreciated.

Regards,

MB

3 REPLIES
New Member

Re: Default ACL for multiple sub-interfaces

That acl shouldn’t kill their internet access. I don’t see the problem.

New Member

Re: Default ACL for multiple sub-interfaces

You seem to be filtering on source ports in your ACL - this isn't a good idea since most protocols use

random high ports as the source port. A better strategy would be to filter on the destination port

which is (usually!) more predictable.

Two additional suggestions

If you're going after command line tools, be aware that you may want to consider

filtering SSH and the BSD r* commands as well. It depends on why you want

to filter Telnet.

Also, Windows 2000 also uses TCP 445 as a replacement for the famous 137, 138 (UDP) 139 (TCP) - instead of doing NBT as Windows NT 4 does, Windows 2000 allows you to run SMB directly over TCP, getting rid of the NBT middleman. Consider filtering that as well if you've got

Win2k clients.

-Rakesh

New Member

Re: Default ACL for multiple sub-interfaces

How do I stop (Windows 2000 allows you to run SMB directly over TCP) from happing do I need to block port 445 ? or is there any other way they can communicate even after blocking port 445 .

thanks in advance

jith

180
Views
0
Helpful
3
Replies