04-14-2003 05:24 AM - edited 02-20-2020 09:21 PM
In order to limit the options dial-up users can use, I am trying to deploy some access-lists. I am trying to deploy the access-list on the interfaces virtual-template, group-async and dialer on an AS5300.
I tried something like this:
ip access-list extended dial-up
permit tcp any our.own.sub.net wi.ld.ca.rd neq 111
permit tcp any our.own.sub.net wi.ld.ca.rd neq 1023
permit tcp any our.own.sub.net wi.ld.ca.rd neq 139
permit tcp any our.own.sub.net wi.ld.ca.rd neq 389
permit tcp any our.own.sub.net wi.ld.ca.rd neq 135
permit tcp any our.own.sub.net wi.ld.ca.rd neq 445
permit tcp any our.own.sub.net wi.ld.ca.rd neq 2001
permit tcp any our.own.sub.net wi.ld.ca.rd neq 2049
permit tcp any our.own.sub.net wi.ld.ca.rd neq 4001
permit tcp any our.own.sub.net wi.ld.ca.rd neq 4045
permit tcp any our.own.sub.net wi.ld.ca.rd neq 6001
permit tcp any our.own.sub.net wi.ld.ca.rd neq 6112
permit tcp any our.own.sub.net wi.ld.ca.rd neq 9001
permit tcp any our.own.sub.net wi.ld.ca.rd neq 9100
permit tcp any our.own.sub.net wi.ld.ca.rd neq 3306
permit tcp any our.own.sub.net wi.ld.ca.rd neq 3389
permit udp any our.own.sub.net wi.ld.ca.rd neq bootps
permit udp any our.own.sub.net wi.ld.ca.rd neq 42
permit udp any our.own.sub.net wi.ld.ca.rd neq 67
permit udp any our.own.sub.net wi.ld.ca.rd neq 69
permit udp any our.own.sub.net wi.ld.ca.rd neq 137
permit udp any our.own.sub.net wi.ld.ca.rd neq 138
permit udp any our.own.sub.net wi.ld.ca.rd neq 514
permit udp any our.own.sub.net wi.ld.ca.rd neq 2049
permit udp any our.own.sub.net wi.ld.ca.rd neq 135
permit udp any our.own.sub.net wi.ld.ca.rd neq 445
permit udp any our.own.sub.net wi.ld.ca.rd neq 2049
permit udp any our.own.sub.net wi.ld.ca.rd neq syslog
permit udp any our.own.sub.net wi.ld.ca.rd neq nameserver
permit udp any our.own.sub.net wi.ld.ca.rd neq tftp
I thought this was the way to block the ports I don't like. But when I am doing a portscan as a dial-up user I still see these ports open on a server.
What am I doing wrong?
Regards,
Martijn Koopsen
04-14-2003 05:47 AM
An ACL is an order-sensitive list of rules. Rules will be evaluated from top to bottom. Consider the first rule in your ACL, "permit tcp any our.own.sub.net wi.ld.ca.rd neq 111". This rule will permit all TCP traffic whose destination port is not equal to 111. Hence, during the portscan, all traffic that does not have a destination port of 111 will be permitted by this rule. Since the ACL is looked up from top to bottom, the first matching rule will decide the fate of the packet.

If you want to block a set of ports, you should specifically "deny" that traffic. An example would be "deny tcp any our.own.sub.net wi.ld.ca.rd eq 111". Also, note that an ACL will block all traffic for which no rules matched. Hence, if you want to specifically block certain ports and allow the remaining, you should insert a "permit tcp any any" at the end.
Hope this helps,
Ganesh.
ACL Manager team,
Cisco Systems.
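The first-match behaviour described in the answer above can be checked without a router. The following Python script is an added example, not part of the original thread and not Cisco code: it models only the subset of IOS extended-ACL syntax the post uses (permit/deny, tcp/udp/ip, any/host/wildcard addresses, eq/neq port tests) and evaluates a probe from a dial-up client against a shortened copy of the poster's "permit ... neq" list and against the deny-first version the answer recommends. The addresses 192.0.2.0 0.0.0.255 (standing in for our.own.sub.net wi.ld.ca.rd), the server 192.0.2.10 and the client 198.51.100.7 are constructed placeholders.

```python
"""Simulated first-match evaluation of Cisco IOS extended ACLs.

Added example (not from the thread). Handles only:
  permit|deny  tcp|udp|ip  <src> <dst> [eq|neq <port>]
with <src>/<dst> = 'any' | 'host A.B.C.D' | 'A.B.C.D W.I.L.D'.
192.0.2.0 0.0.0.255 is an assumed stand-in for 'our.own.sub.net wi.ld.ca.rd'.
"""
from ipaddress import IPv4Address
from typing import NamedTuple, Optional

PORT_NAMES = {"bootps": 67, "tftp": 69, "nameserver": 42, "syslog": 514}

# The poster's approach, shortened: one "permit ... neq" per unwanted port.
ORIGINAL_ACL = """
permit tcp any 192.0.2.0 0.0.0.255 neq 111
permit tcp any 192.0.2.0 0.0.0.255 neq 139
permit tcp any 192.0.2.0 0.0.0.255 neq 445
permit udp any 192.0.2.0 0.0.0.255 neq 137
"""

# The answer's approach: explicit denies first, then permit the rest.
CORRECTED_ACL = """
deny tcp any 192.0.2.0 0.0.0.255 eq 111
deny tcp any 192.0.2.0 0.0.0.255 eq 139
deny tcp any 192.0.2.0 0.0.0.255 eq 445
deny udp any 192.0.2.0 0.0.0.255 eq 137
permit tcp any any
permit udp any any
"""

ANY = (0, 0xFFFFFFFF)  # all-ones wildcard: every bit is "don't care"


class Rule(NamedTuple):
    action: str
    proto: str
    src: tuple            # (address, wildcard) as ints
    dst: tuple
    op: Optional[str]     # 'eq', 'neq' or None (no port test)
    port: Optional[int]


def _parse_addr(tok, i):
    """Parse the address spec at tok[i]; return ((addr, wildcard), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # blank line or remark
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        op = port = None
        if i < len(tok):
            op = tok[i]
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append(Rule(tok[0], tok[1], src, dst, op, port))
    return rules


def _addr_match(spec, ip):
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF  # a wildcard bit of 1 means "ignore this bit"
    return (ip & care) == (addr & care)


def _port_match(rule, dport):
    if rule.op is None:
        return True
    if rule.op == "eq":
        return dport == rule.port
    if rule.op == "neq":
        return dport != rule.port
    raise ValueError(f"unsupported operator {rule.op}")


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """Top-to-bottom first match -> (action, rule index).
    ('deny', None) is the implicit deny when no rule matched."""
    s, d = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    for idx, r in enumerate(rules):
        if r.proto not in (proto, "ip"):
            continue
        if _addr_match(r.src, s) and _addr_match(r.dst, d) and _port_match(r, dport):
            return r.action, idx
    return "deny", None


def scan(acl_text, proto, ports, dst="192.0.2.10", src="198.51.100.7"):
    """What a dial-up client (src) sees when probing ports on a server (dst)."""
    rules = parse_acl(acl_text)
    return {p: evaluate(rules, proto, src, dst, p)[0] for p in ports}


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, "tcp", scan(acl, "tcp", [80, 111, 139, 445]))
        print(name, "udp", scan(acl, "udp", [53, 137]))
```

Running it shows why the scan looked the way it did: with the original list, TCP 139 is permitted by the very first line ("neq 111"), TCP 111 is permitted by the second line ("neq 139"), and in general only the last "neq" port for each protocol can ever be blocked, because every other port is permitted by some earlier line before its own "neq" line is reached. With the deny-first list, the listed ports hit a deny and everything else falls through to the closing permit; a protocol with no matching line at all (ICMP in the test below) is dropped by the implicit deny.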