Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

What am i doing wrong in this access-list?

I order to limit the options a dial-up users can use i am trying to deploy some access-list. I am trying to deploy the access-list on the interfaces virtual-template,group-async and dialer on an AS5300.

I tried something like this.

ip access-list extended dial-up

permit tcp any our.own.sub.net wi.ld.ca.rd neq 111

permit tcp any our.own.sub.net wi.ld.ca.rd neq 1023

permit tcp any our.own.sub.net wi.ld.ca.rd neq 139

permit tcp any our.own.sub.net wi.ld.ca.rd neq 389

permit tcp any our.own.sub.net wi.ld.ca.rd neq 135

permit tcp any our.own.sub.net wi.ld.ca.rd neq 445

permit tcp any our.own.sub.net wi.ld.ca.rd neq 2001

permit tcp any our.own.sub.net wi.ld.ca.rd neq 2049

permit tcp any our.own.sub.net wi.ld.ca.rd neq 4001

permit tcp any our.own.sub.net wi.ld.ca.rd neq 4045

permit tcp any our.own.sub.net wi.ld.ca.rd neq 6001

permit tcp any our.own.sub.net wi.ld.ca.rd neq 6112

permit tcp any our.own.sub.net wi.ld.ca.rd neq 9001

permit tcp any our.own.sub.net wi.ld.ca.rd neq 9100

permit tcp any our.own.sub.net wi.ld.ca.rd neq 3306

permit tcp any our.own.sub.net wi.ld.ca.rd neq 3389

permit udp any our.own.sub.net wi.ld.ca.rd neq bootps

permit udp any our.own.sub.net wi.ld.ca.rd neq 42

permit udp any our.own.sub.net wi.ld.ca.rd neq 67

permit udp any our.own.sub.net wi.ld.ca.rd neq 69

permit udp any our.own.sub.net wi.ld.ca.rd neq 137

permit udp any our.own.sub.net wi.ld.ca.rd neq 138

permit udp any our.own.sub.net wi.ld.ca.rd neq 514

permit udp any our.own.sub.net wi.ld.ca.rd neq 2049

permit udp any our.own.sub.net wi.ld.ca.rd neq 135

permit udp any our.own.sub.net wi.ld.ca.rd neq 445

permit udp any our.own.sub.net wi.ld.ca.rd neq 2049

permit udp any our.own.sub.net wi.ld.ca.rd neq syslog

permit udp any our.own.sub.net wi.ld.ca.rd neq nameserver

permit udp any our.own.sub.net wi.ld.ca.rd neq tftp

I thought this was the way to block the ports i don't like. But when i am doing a portscan as a dial-up user i still see these ports open on a server.

What am i doing wrong?

Regards,

Martijn Koopsen

1 REPLY
Cisco Employee

Re: What am i doing wrong in this access-list?

An ACL is an order-sensitive list of rules. Rules will be evaluated from top to bottom. Consider the first rule in your ACL "permit tcp any our.own.sub.net wi.ld.ca.rd neq 111". This rule will permit all TCP traffic whose dest. port is not equal to 111. Hence, during the portscan, all traffic thats not having dest. port of 111 will be permitted by this rule. Since the ACL is looked up from top to bottom, the first matching rule will decide the fate of packet. If you want to block a set of ports, you should specifically "deny" that traffic. An example would be "deny tcp any our.own.sub.net wi.ld.ca.rd eq 111". Also, note that an ACL will block all traffic for which no rules matched. Hence, if you want to specifically block certain ports and allow the remaining, you should insert a "permit tcp any any" at the end.

Hope this helps,

Ganesh.

ACL Manager team,

Cisco Systems.

87
Views
0
Helpful
1
Replies
CreatePlease to create content