
Blocking ports with ACL 1

Nov 5, 2003
OK. My question is similar to this thread:

thread557-699450, but more detailed.

I want to block port 135. My server keeps receiving/sending packets from this port. I have tried adding access-lists in my Cisco 802 router such as:

access-list 121 deny tcp any any eq 135
access-list 121 deny tcp any eq 135 any

etc....but I am still seeing these packets reach my server. I added these filters to list 121 because that is an existing list configured in the router (before I came here).

Do you have to set the access list to certain interfaces for it to work? If I look in the startup/running config I can see under the "Ethernet0" interface "ip access-group 121 in" ....which I am assuming sets the access group 121 to that interface. Am I even close to the right track here????

Also, right before the port 135 packets show up, I usually see a couple ICMP packets go to and from the IP address that then sends the packets to port 135. Do I need to do something with the tcp flag status?

I would really appreciate help with this...I feel very lost :(

Thanks

P.S. I know this sounds like Blaster...but I have the patch installed, and the removal tool does not find Blaster! >_<
 
"ip access-group 121 in" this command on the ethernet interface will block traffic going into the ethernet interface. From your description this is not exactly what you want and this then should be turned in the opposite direction to look at the traffic going out of the ethernet.

I take it you are aware that the port you are trying to block is used by Microsoft for.... well pretty much everything so any mapped drives etc coming through the router will be dropped
 
You may also want to block the UDP port as well as the TCP one depending upon your reasons for blocking the port.
 
but shouldn't "ip access-group 121 in" stop these packets from reaching my machine? The packets are still coming in with a destination port of 135.

I will add the "ip access-group 121 out" command and see what happens.

thanks
 
Can you post the running-config?

Also check the access-list doesn't have some statement before the statements you've added which would allow those packets through. Access-lists are executed "top down", so the router will start at the first statement and work its way through the statements in order. As soon as it finds a statement that matches, it executes that statement and ignores any subsequent statements in the list.
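To make the "top down" point concrete, here is an added example (my own code, not from the thread or from Cisco): a tiny first-match evaluator for IOS-style numbered extended ACL lines. It assumes a simplified syntax (only "any" and "host A.B.C.D" addresses, protocols ip/tcp/udp, an optional "eq PORT" after source and/or destination), and the config fragments and IP addresses are constructed; the "ORIGINAL" list has an earlier permit above the two deny lines from the first post, and the "FIXED" list moves the denies above it.

```python
# Added example: first-match evaluation of IOS-style numbered extended ACLs.
# Simplified parser (assumption, not Cisco's grammar): "any"/"host A.B.C.D"
# addresses, protocols ip/tcp/udp, optional "eq PORT" after src and/or dst.
import re

ACE_RE = re.compile(
    r"access-list\s+(?P<acl>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)"
    r"\s+(?P<src>any|host \S+)(?:\s+eq\s+(?P<sport>\d+))?"
    r"\s+(?P<dst>any|host \S+)(?:\s+eq\s+(?P<dport>\d+))?\s*$")

def parse_acl(config, number):
    """Entries of ACL <number>, in the order they appear in the config."""
    entries = []
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("acl") == number:
            entries.append(m.groupdict())
    return entries

def _addr_ok(spec, addr):
    return spec == "any" or spec == "host " + addr

def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry decides; no match means the implicit deny."""
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_addr_ok(e["src"], src) and _addr_ok(e["dst"], dst)):
            continue
        if (e["sport"] and int(e["sport"]) != sport) or (e["dport"] and int(e["dport"]) != dport):
            continue
        return e["action"], i        # (action, index of the winning entry)
    return "deny", None              # implicit deny at the end of every IOS ACL

# Constructed config: an existing permit sits above the appended deny lines.
ORIGINAL = """
access-list 121 permit ip any any
access-list 121 deny tcp any any eq 135
access-list 121 deny tcp any eq 135 any
"""
# Same entries, denies moved above the permit.
FIXED = """
access-list 121 deny tcp any any eq 135
access-list 121 deny tcp any eq 135 any
access-list 121 permit ip any any
"""

def check(config):
    """Verdict for a constructed packet 192.0.2.10:4444 -> 198.51.100.5:135/tcp."""
    return evaluate(parse_acl(config, "121"), "tcp", "192.0.2.10", 4444, "198.51.100.5", 135)
```

`check(ORIGINAL)` returns `("permit", 0)` because the first line already matches, while `check(FIXED)` returns `("deny", 0)`; the same entries in a different order give the opposite result.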
 
Thanks techkiwi,

the "top down" issue was my problem. There was an allow statement that was being executed before my deny statement.

thanks again :)
 