Cisco Support Community

New Member

Help with block a range of port to an IP

We have a Cisco 1841.

Fast0/0 with 30.104.104.2 (IP to ISP)

FAST0/1 with 30.103.103.129/27 (our public ip block)

I would like to specifically block any incoming (from the internet) access on ports 1-1024 to only 30.103.103.135 (one of our public systems).

How can I do that?

I have tried:

access-list 101 deny tcp any lt 1025 host 30.103.103.135

The moment I apply it to either fast0/0 or 1, it cuts all access. Could someone help?

Thanks in advance

7 REPLIES
Hall of Fame Super Blue

Re: Help with block a range of port to an IP

Hi

Okay, firstly there is an implicit deny at the end of any access-list, so you need to modify your access-list to

access-list 101 deny tcp any lt 1025 host 30.103.103.135

access-list 101 permit ip any any

Secondly, this access-list is blocking any IP address on ports 1 -> 1024 connecting to 30.103.103.135 on any port. Is this what you actually want, or do you want to stop any IP connecting to 30.103.103.135 on ports 1 -> 1024?

Jon

New Member

Re: Help with block a range of port to an IP

Hi Jon,

I want to stop any IP connecting to 30.103.103.135 on ports 1 -> 1024, anything above 1024 is allowed.

Does it matter if I apply the access list to FAST0/0 or FAST0/1?

Hall of Fame Super Silver

Re: Help with block a range of port to an IP

Ken

In your case I believe that the same access list could be used on either FA0/0 or on FA0/1. On FA0/0 (connecting to ISP) it would be applied as inbound. On FA0/1 (connecting to your LAN) it would be applied outbound.

HTH

Rick

Hall of Fame Super Blue

Re: Help with block a range of port to an IP

Ken

Agree with Rick on which direction to apply.

I am still unsure as to which ports. When you say ports 1 - 1024, is that

1) ports 1 - 1024 on any IP connecting to 30.103.103.135, i.e. the source port from any IP

or

2) ports 1 - 1024 on 30.103.103.135

If 1), your access-list is correct.

If 2), you need to modify it to

access-list 101 deny tcp any host 30.103.103.135 lt 1025

HTH

Jon

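To make the two points in this thread concrete (the implicit deny at the end of every ACL, and the difference between a source-port match and a destination-port match), here is a small simulator of Cisco IOS extended ACL evaluation. It is an example added to this thread, not Cisco code and not anything posted by Jon, Rick or Ken; it only understands the subset of ACL syntax used here (deny/permit, tcp/ip, any/host, and the lt/gt/eq/neq/range port operators), and the packets it evaluates are constructed sample traffic using the 203.0.113.0/24 documentation range as the remote client.

```python
"""Simulator for the subset of Cisco IOS extended ACL syntax used in this thread.
Example code written for this page; it is not Cisco's implementation."""

from dataclasses import dataclass
from typing import Callable, List, Optional

PortPred = Optional[Callable[[int], bool]]  # None means "any port"


@dataclass
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol
    src: str         # "any" or a host address
    sport: PortPred
    dst: str
    dport: PortPred


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' or 'host A.B.C.D'; return (address, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form at {tokens[i]!r}")


def _parse_ports(tokens: List[str], i: int):
    """Parse an optional port operator; return (predicate or None, next index)."""
    if i < len(tokens) and tokens[i] in ("lt", "gt", "eq", "neq"):
        op, n = tokens[i], int(tokens[i + 1])
        pred = {"lt": lambda p: p < n, "gt": lambda p: p > n,
                "eq": lambda p: p == n, "neq": lambda p: p != n}[op]
        return pred, i + 2
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return None, i


def parse_ace(line: str) -> Entry:
    """Parse one 'access-list N action proto src [ports] dst [ports]' line.
    A port operator placed right after the source matches the SOURCE port;
    one placed after the destination matches the DESTINATION port."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("expected an 'access-list' line")
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    sport, i = _parse_ports(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_ports(tokens, i)
    return Entry(action, proto, src, sport, dst, dport)


def ace_matches(e: Entry, pkt: Packet) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if e.src not in ("any", pkt.src) or e.dst not in ("any", pkt.dst):
        return False
    if e.sport is not None and not e.sport(pkt.sport):
        return False
    if e.dport is not None and not e.dport(pkt.dport):
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for line in acl:
        entry = parse_ace(line)
        if ace_matches(entry, pkt):
            return entry.action
    return "deny (implicit)"


# The access-lists as they appear in the thread.
OP_ACL = ["access-list 101 deny tcp any lt 1025 host 30.103.103.135"]
JON_FIRST = OP_ACL + ["access-list 101 permit ip any any"]
JON_SECOND = ["access-list 101 deny tcp any host 30.103.103.135 lt 1025",
              "access-list 101 permit ip any any"]
KEN_FINAL = ["access-list 101 deny tcp any host 30.103.103.135 range 1 1024",
             "access-list 101 permit ip any any"]

# Constructed sample traffic: an internet client on an ephemeral source port.
TO_HTTP = Packet("tcp", "203.0.113.7", 51000, "30.103.103.135", 80)
TO_HIGH = Packet("tcp", "203.0.113.7", 51000, "30.103.103.135", 8080)
TO_OTHER_HOST = Packet("tcp", "203.0.113.7", 51000, "30.103.103.136", 80)

if __name__ == "__main__":
    for name, acl in [("OP", OP_ACL), ("Jon #1", JON_FIRST),
                      ("Jon #2", JON_SECOND), ("Ken final", KEN_FINAL)]:
        for pkt in (TO_HTTP, TO_HIGH, TO_OTHER_HOST):
            print(f"{name:10} {pkt.dst}:{pkt.dport:<5} -> {evaluate(acl, pkt)}")
```

Running it shows the three stages of the thread: with only the original line, every packet falls through to the implicit deny (which is the "it cut all access" symptom); with `permit ip any any` appended, the original line still lets port 80 through because `lt 1025` after `any` tests the client's source port, not the server's; and Jon's second form, or Ken's `range 1 1024`, denies port 80 while permitting 8080 and traffic to other hosts. In this simulator `lt 1025` and `range 1 1024` match the same set of ports except for port 0; the thread does not say why only the `range` form took effect on Ken's router.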
New Member

Re: Help with block a range of port to an IP

Thank you very much for all your help. I will test it out later today.

I will change the access-list to case (2), which is what we want.

New Member

Re: Help with block a range of port to an IP

It only seems to work with

access-list 101 deny tcp any host 30.103.103.135 range 1 1024

and not with lt 1025. But at least it seems to be working.

Thanks a lot.

Hall of Fame Super Silver

Re: Help with block a range of port to an IP

Ken

I am glad that you got it working. Thanks for posting back to the forum, indicating that it was working and what you did to get it to work. It helps the forum when we can see the solution to the issue that was raised.

HTH

Rick
