Cisco Support Community

What am I doing wrong in this access-list?

In order to limit the options dial-up users can use, I am trying to deploy an access-list. I am trying to apply the access-list on the virtual-template, group-async and dialer interfaces on an AS5300.

I tried something like this.

ip access-list extended dial-up
 permit tcp any neq 111
 permit tcp any neq 1023
 permit tcp any neq 139
 permit tcp any neq 389
 permit tcp any neq 135
 permit tcp any neq 445
 permit tcp any neq 2001
 permit tcp any neq 2049
 permit tcp any neq 4001
 permit tcp any neq 4045
 permit tcp any neq 6001
 permit tcp any neq 6112
 permit tcp any neq 9001
 permit tcp any neq 9100
 permit tcp any neq 3306
 permit tcp any neq 3389
 permit udp any neq bootps
 permit udp any neq 42
 permit udp any neq 67
 permit udp any neq 69
 permit udp any neq 137
 permit udp any neq 138
 permit udp any neq 514
 permit udp any neq 2049
 permit udp any neq 135
 permit udp any neq 445
 permit udp any neq 2049
 permit udp any neq syslog
 permit udp any neq nameserver
 permit udp any neq tftp

I thought this was the way to block the ports I don't like. But when I do a port scan as a dial-up user, I still see these ports open on a server.

What am i doing wrong?


Martijn Koopsen

Cisco Employee

Re: What am I doing wrong in this access-list?

An ACL is an order-sensitive list of rules. Rules are evaluated from top to bottom. Consider the first rule in your ACL, "permit tcp any neq 111". This rule will permit all TCP traffic whose destination port is not equal to 111. Hence, during the port scan, all traffic that does not have a destination port of 111 will be permitted by this rule. Since the ACL is looked up from top to bottom, the first matching rule decides the fate of the packet.

If you want to block a set of ports, you should specifically "deny" that traffic. An example would be "deny tcp any eq 111". Also, note that an ACL will block all traffic for which no rule matched. Hence, if you want to specifically block certain ports and allow the remaining, you should insert a "permit tcp any any" at the end.

Hope this helps,


ACL Manager team,

Cisco Systems.
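The first-match behaviour the reply describes can be seen directly by simulating it. The following is an added example, not code from the original post or from Cisco: a small evaluator for a subset of IOS extended-ACL syntax that runs an excerpt of the poster's "permit ... neq" list and a corrected deny-list (written as the reply suggests, with a final "permit ip any any" so UDP is allowed as well as TCP) through a constructed set of port-scan probes. The parser, the accepted syntax subset, the probe list and the handling of unknown port names are all assumptions of this example, not IOS itself.

```python
# Added example (not from the original post or from Cisco): a first-match
# evaluator for a subset of IOS extended-ACL syntax, used to show which
# destination ports the poster's "permit ... neq" entries really let through,
# and how a deny-list followed by a final permit behaves instead.
# The parser and its accepted syntax are assumptions of this example, not IOS.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Named ports IOS accepts in ACL entries (only the ones used below).
PORT_NAMES = {"bootps": 67, "tftp": 69, "syslog": 514, "nameserver": 42}


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    op: Optional[str]     # "eq", "neq" or None when the entry has no port test
    port: Optional[int]


def parse_acl(text: str) -> list[Rule]:
    """Parse entries of the form '<action> <proto> any [any] [eq|neq <port>]'.

    Both the poster's shorthand 'any neq 111' and the full 'any any neq 111'
    are accepted; the 'ip access-list' header and 'remark' lines are skipped.
    """
    rules: list[Rule] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] in ("ip", "remark"):
            continue
        action, proto, rest = parts[0], parts[1], parts[2:]
        while rest and rest[0] == "any":      # source / destination wildcards
            rest.pop(0)
        op = port = None
        if rest:                              # a destination port operator follows
            op, name = rest[0], rest[1]
            port = int(name) if name.isdigit() else PORT_NAMES.get(name)
        rules.append(Rule(action, proto, op, port))
    return rules


def evaluate(rules: list[Rule], proto: str, dport: int) -> str:
    """Top to bottom, first match wins; no match hits the implicit deny."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if r.op == "eq" and dport != r.port:
            continue
        if r.op == "neq" and dport == r.port:
            continue
        return r.action
    return "deny"                             # implicit deny at the end of every ACL


def scan(acl_text: str, probes: list[tuple[str, int]]) -> dict[tuple[str, int], str]:
    """Return the ACL verdict for each (protocol, destination port) probe."""
    rules = parse_acl(acl_text)
    return {(p, d): evaluate(rules, p, d) for p, d in probes}


# Constructed excerpt of the poster's ACL, exactly as written (only "neq" tests).
ORIGINAL_ACL = """
ip access-list extended dial-up
 permit tcp any neq 111
 permit tcp any neq 139
 permit tcp any neq 445
 permit udp any neq bootps
 permit udp any neq tftp
"""

# Constructed corrected ACL following the reply: explicit denies first, then a
# final permit. "permit ip any any" is used so UDP is allowed as well as TCP.
CORRECTED_ACL = """
ip access-list extended dial-up
 deny tcp any any eq 111
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny udp any any eq bootps
 deny udp any any eq tftp
 permit ip any any
"""

# Constructed probe set standing in for the dial-up user's port scan.
PROBES = [("tcp", 111), ("tcp", 139), ("tcp", 80), ("udp", 69), ("udp", 53)]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, scan(acl, PROBES))
```

Running it shows every probe permitted by the original list, including TCP/111: the first entry skips that packet, but the very next "neq 139" entry matches it and permits it. The corrected list denies 111, 139 and UDP/69 and permits the rest; an ACL containing only deny entries and no final permit drops everything, which is the implicit deny the reply mentions.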
