
Port blocking


Hungster
Mar 6, 2001
I am running the 1605R router using NAT. Any chance I can block a certain internal IP's port?

thx
 
Sure.. NAT can use an access-list to provide access, deny access or filtering just as if it were a *real* interface.

!
ip nat inside source list 1 interface Ethernet1 overload
!
! list 1 is the access list

!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.1.1.0 0.0.0.255
!
! permits these 3 ranges and denies everything else.


I have Cisco NAT docs at my site..



MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Thanks Mike

What I meant is to block a certain port on an internal IP,
say port 80 on a certain IP.


great site
 
I think that would be something like this...


access-list 101 deny tcp host 192.168.x.x 255.255.255.255 eq 80

and then apply it to your internal interface.
 
It is supposed to be
access-list 101 deny ip host 192.168.0.1 255.255.255.0 eq 80
 
Actually, if you use "access-list deny ip host 192.168.0.1 eq 80" that should be sufficient. You don't need the netmask if you use "host". That's equivalent to 255.255.255.255.
 
Holy Cats!!! No offense to any of the previous people posting, but I have never seen so many people write an incorrect access list line. Pixboy is correct that the "host" keyword negates the need for a mask (and everybody that did write a mask in forgot to use reverse masking), but he forgot the list number. The right example would be:

access-list 101 deny tcp host 192.168.0.1 eq 80

HOWEVER, I have not seen anybody ask a critical question here - you want to block port 80, but in what direction? Are you trying to block this user from accessing outside resources on port 80 (browsing), or are you trying to block the internal resource from using port 80 as a source from the inside (because it is a web server)? If the latter, unless you have a static NAT to this device, nobody from the outside can access its web port anyway. If the former, then the access list would read a bit differently than above:

access-list 101 deny tcp host 192.168.0.1 any eq 80

Hopefully that helps!
 
Yes Scraig84, thx for the help.

I am trying to block ports like ICQ or MSN for a user, or even browsing the net from inside the network,
yet they all have static IP addresses.

 
But the computer at the IP I block still works on browsing the net.

Any suggestions?
 
OK - if you are trying to block a certain IP from browsing and we'll say that interface e0 is the interface on the router. We'll also say that 192.168.1.100 is the user IP in question.

My list would look like this:

access-list 150 deny tcp host 192.168.1.100 any eq 80
access-list 150 permit ip any any

int e0
ip access-group 150 in

This will block web browsing for the user, but allow all other traffic. Remember that the "permit ip any any" statement always needs to be at the bottom of the list, so if you need to add statements to block more ports later, you will need to remove the list and reapply it in the correct order.

Hope that helps.
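The ordering and direction points in the reply above can be checked offline with the following added toy evaluator (written for this thread, not IOS code and not from any poster). It models only the numbered extended ACL syntax used here, `access-list N {permit|deny} {ip|tcp|udp} SRC [eq PORT] DST [eq PORT]`, with first-match-wins evaluation and the implicit deny at the end; `_take_addr`, `_take_port`, `parse_ace` and `evaluate` are hypothetical helper names.

```python
import ipaddress

def _take_addr(tokens):
    """Consume one address spec from tokens and return a function matching an IPv4 string."""
    t = tokens.pop(0)
    if t == "any":
        return lambda a: True
    if t == "host":                                   # 'host' already means wildcard 0.0.0.0
        h = ipaddress.IPv4Address(tokens.pop(0))
        return lambda a: ipaddress.IPv4Address(a) == h
    base = int(ipaddress.IPv4Address(t))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))  # IOS wildcard: 1 bits are "don't care"
    return lambda a: (int(ipaddress.IPv4Address(a)) & ~wild) == (base & ~wild)

def _take_port(tokens):
    """Consume an optional 'eq PORT' and return the port, or None if absent."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """Return (action, proto, src_match, sport, dst_match, dport) for one extended ACL line."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: " + line)
    action, proto, rest = tok[2], tok[3], tok[4:]
    src = _take_addr(rest)
    sport = _take_port(rest)       # 'eq' right after the source is a SOURCE port
    # Real IOS requires a destination; this simulator treats a missing one as 'any'.
    dst = _take_addr(rest) if rest else (lambda a: True)
    dport = _take_port(rest)       # 'eq' after the destination is a DESTINATION port
    return action, proto, src, sport, dst, dport

def evaluate(acl, flow):
    """flow = (proto, src_ip, sport, dst_ip, dport). First matching entry decides; else implicit deny."""
    proto, src_ip, sport, dst_ip, dport = flow
    for line in acl:
        action, p, src, sp, dst, dp = parse_ace(line)
        if p not in ("ip", proto):
            continue
        if src(src_ip) and dst(dst_ip) and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

# Constructed sample: the list from the reply above, applied inbound on the user's interface.
ACL_150 = ["access-list 150 deny tcp host 192.168.1.100 any eq 80",
           "access-list 150 permit ip any any"]
```

Swapping the two ACL_150 lines makes the deny unreachable, and `eq 80` placed before `any` matches the host's source port (the web-server case) rather than the browsing destination port.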
 
No problem - hopefully that gets you going down the right path!
 