Proper syntax for access list to block ports

bigvic66 (MIS, US)
Sep 15, 2003
I would like to block TCP/UDP ports 135, 137-139 and 445 on my Cisco 2600 that serves as the buffer between my LAN and the Internet. I tried the following:

access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 permit ip any any

interface e0/0
ip access-group 101 in


But I still get those blasted pop-ups that use Windows 2000/XP messenger service. Any ideas? Did I apply to the wrong interface, maybe?
 
Hi,
You want to apply the access list inbound on your outside interface. If that interface is E0/0 then you applied it to the right interface.

I usually make life easier and disable the Messenger service on all hosts unless there is a compelling reason to keep it.

Hope that helps.

-MM
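
The interface point in the reply above, as an added example that is not part of the original thread: a small Python model of first-match evaluation for ACL 101 as posted, showing that the list only filters packets that enter the interface it is bound to. The second interface name (s0/0) and the sample packets are constructed assumptions.

```python
# Added example: models ACL 101 from the question; not Cisco code.
# Handles only the syntax used in the post: "<action> <proto> any any [eq <port>]".
ACL_101 = """\
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 permit ip any any
"""

def parse_acl(text):
    """Return (action, proto, dst_port or None) tuples in configured order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        port = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
        rules.append((tok[2], tok[3], port))
    return rules

def acl_verdict(rules, proto, dst_port):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, r_proto, r_port in rules:
        if r_proto in ("ip", proto) and r_port in (None, dst_port):
            return action
    return "deny"

def router_verdict(bindings, rules, in_iface, proto, dst_port):
    """The ACL is consulted only for packets entering an interface bound inbound."""
    if (in_iface, "in") not in bindings:
        return "permit"  # no inbound ACL here, so the packet is not filtered
    return acl_verdict(rules, proto, dst_port)

RULES = parse_acl(ACL_101)
BINDINGS = {("e0/0", "in")}  # as configured in the post

if __name__ == "__main__":
    # Constructed packets: (arrival interface, protocol, destination port).
    # s0/0 is a hypothetical second interface with no ACL applied.
    for iface, proto, port in [("e0/0", "udp", 135), ("e0/0", "tcp", 80), ("s0/0", "udp", 135)]:
        print(iface, proto, port, "->", router_verdict(BINDINGS, RULES, iface, proto, port))
```
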
 