
Help: how to block open ports on a 1700 router


bccla

MIS
Joined
Oct 11, 2006
Messages
2
Location
US
I have a 1700 router in the office that is allowing certain ports to be open, e.g. SMTP (25), DNS (53), etc.

I am trying to deny access to these ports using an access list, but tests indicate that the ports (25, 53, etc.) are still open. Below is part of my config.

Please help me block these ports!!!!


ip access-list extended outside
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded

permit tcp any host xx.xx.xx.xx eq 3389
permit tcp any host xx.xx.xx.xx eq ftp
deny tcp any smtp host xx.xx.xx.xx
deny tcp any 53 host xx.xx.xx.xx
 
Rewrite your ACL as follows:

ip access-list extended outside
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded

permit tcp any host xx.xx.xx.xx eq 3389
permit tcp any host xx.xx.xx.xx eq ftp
deny tcp any host xx.xx.xx.xx eq smtp
deny udp any host xx.xx.xx.xx eq 53
deny tcp any host xx.xx.xx.xx eq 53
 


Also build some protection into that access list so it does not let in the obvious:

access-list 111 permit tcp any host 1.1.1.1 eq www
access-list 111 permit tcp any host 1.1.1.1 eq ftp
access-list 111 permit tcp any host 1.1.1.1 eq smtp
access-list 111 permit tcp any host 1.1.1.1 eq 3389
access-list 111 permit tcp any host 1.1.1.2 eq 3392
access-list 111 permit tcp any host 1.1.1.3 eq 3393
access-list 111 permit tcp any host 1.1.1.4 eq 3394
access-list 111 permit tcp any host 1.1.1.5 eq 3395
access-list 111 permit tcp any host 1.1.1.1 eq 8000
access-list 111 permit tcp any host 1.1.1.50 eq telnet
access-list 111 deny ip 1.1.1.1 0.0.255.255 any log <--------don't let my internal IP range in from the outside
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log <--------I won't let the loopback range in either
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log <-------- etc;
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log <--------etc;
access-list 111 deny ip 0.0.0.0 0.255.255.255 any log <--------etc;
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log <--------etc;
access-list 111 deny ip host 0.0.0.0 any log <--------etc;
access-list 111 deny icmp any any redirect log <--------etc
access-list 111 deny ip any any


Also check out how I allow multiple Remote Desktop sessions to different PCs inside my LAN (from the WAN):


ip nat inside source static tcp 1.1.1.1 3389 interface Dialer1 3389
ip nat inside source static tcp 1.1.1.2 3389 interface Dialer1 3392
ip nat inside source static tcp 1.1.1.3 3389 interface Dialer1 3393
ip nat inside source static tcp 1.1.1.4 3389 interface Dialer1 3394
ip nat inside source static tcp 1.1.1.5 3389 interface Dialer1 3395

You have to append the port when connecting with Remote Desktop, e.g.:

2.2.2.2:3392



CCNP,CCSP,MCSE,Sec+,Net+,A+...
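Both replies depend on the same two properties of an IOS extended ACL: entries are evaluated top down and the first match decides, and anything left unmatched hits the implicit deny at the end. The Python below is an added model of that evaluation, written for this thread; it is not code from Tek-Tips, the posters, or Cisco, and it parses only the syntax subset seen above (the `access-list N` prefix, `any`/`host`/wildcard addresses, `eq PORT`, trailing `log` or ICMP type keywords are accepted and ignored). The ACL and packets it evaluates are constructed: 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges standing in for the office block and the Internet, and 192.0.2.10 plays the `xx.xx.xx.xx` server. The constructed ACL places the anti-spoofing denies ahead of the service permits, and `permits_first()` reorders the same entries so the effect of ordering on a spoofed packet can be seen directly.

```python
"""Toy model of Cisco IOS extended ACL evaluation: first match wins, and an
unmatched packet hits the implicit 'deny ip any any'. Added example; it parses
only the syntax subset used in this thread and is not a general IOS parser."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts in place of numbers (subset relevant here).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    dport: int = 0      # destination port (0 for icmp)


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    dport: Optional[int] = None  # None means any destination port


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def addr_matches(spec: str, addr: str) -> bool:
    """IOS wildcard masks are inverse masks: a 1 bit means 'do not care',
    so '10.0.0.0 0.255.255.255' covers the whole 10/8."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return _ip(parts[1]) == _ip(addr)
    base, wild = _ip(parts[0]), _ip(parts[1])
    care = ~wild & 0xFFFFFFFF            # bits that must be equal
    return (base & care) == (_ip(addr) & care)


def parse_entry(line: str) -> Entry:
    """Parse '[access-list N] {permit|deny} PROTO SRC DST [eq PORT] [...]'.
    Trailing tokens such as 'log' or ICMP type names are ignored."""
    tok = line.split()
    if tok[0] == "access-list":          # numbered form carries a list number
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]

    def take_addr() -> str:
        nonlocal tok
        if tok[0] == "any":
            spec, tok = "any", tok[1:]
        else:                            # 'host A' and 'A W' both use two tokens
            spec, tok = " ".join(tok[:2]), tok[2:]
        return spec

    src, dst = take_addr(), take_addr()
    dport = None
    if tok[:1] == ["eq"]:
        dport = PORT_NAMES.get(tok[1]) or int(tok[1])
    return Entry(action, proto, src, dst, dport)


def parse_acl(text: str) -> list:
    return [parse_entry(l) for l in text.strip().splitlines() if l.strip()]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (addr_matches(e.src, p.src) and addr_matches(e.dst, p.dst)):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: list, p: Packet):
    """Return (action, index) of the first matching entry; ('deny', None)
    stands for the implicit deny at the end of every IOS ACL."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None


def permits_first(acl: list) -> list:
    """Same entries, all permits moved ahead of the denies (stable order)."""
    return [e for e in acl if e.action == "permit"] + [e for e in acl if e.action == "deny"]


# Constructed inbound ACL: 192.0.2.0/24 is the office's public range and
# 192.0.2.10 the server the thread calls xx.xx.xx.xx (documentation addresses).
SAMPLE_ACL = parse_acl("""
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
permit icmp any any echo-reply
permit tcp any host 192.0.2.10 eq 3389
permit tcp any host 192.0.2.10 eq ftp
deny tcp any host 192.0.2.10 eq smtp
deny udp any host 192.0.2.10 eq 53
""")

if __name__ == "__main__":
    spoofed = Packet("tcp", "10.4.4.4", "192.0.2.10", 3389)   # constructed
    print("smtp from Internet:", evaluate(SAMPLE_ACL, Packet("tcp", "203.0.113.5", "192.0.2.10", 25)))
    print("spoofed RDP, denies first:", evaluate(SAMPLE_ACL, spoofed))
    print("spoofed RDP, permits first:", evaluate(permits_first(SAMPLE_ACL), spoofed))
```

Running the script shows the SMTP connection stopped by the explicit deny, a port 80 connection stopped by the implicit deny even though no line mentions it, and the spoofed 10.4.4.4 RDP packet dropped at the anti-spoofing entry only while that entry precedes the RDP permit. One point the model cannot show but which matters for the original question: on IOS an ACL filters nothing until it is bound to an interface, for example `ip access-group outside in` on the WAN-facing interface, and the config excerpt in the question does not include that step.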