understanding and setting up access-list on a Cisco 2610

Status
Not open for further replies.
Can anyone perhaps help me with information on setting up and understanding access-lists on my Cisco 2610?
 
Hi

I need to replace a Digi Retoura Router at a customer with a Cisco 805. The router will connect to a Cisco 2610 by me. I need to set up an access-list on the 805 to stop port 445 transmitting through the router (805). This happens and fills up their line to me, and I need to stop port 445 traffic before it goes out on the line.

Hope it makes sense
 
Hi,
In global config mode:
access-list 101 deny tcp any any eq 445
Then go to the interface(s) and enter the following:
ip access-group 101 in
This is only for TCP traffic.
If you need other protocols, you need to include them in your access list too.
I don't know if the following works:
access-list 101 deny ip any any eq 445

Hope this helps,
busche
 
sorry,
if you want to block outgoing traffic you need to put in "out" instead of "in".
 
This is what the config looks like, but still no luck: PCs behind this router keep broadcasting data from IP x.x.x.x:xxxx to x.x.x.x:445. The port it comes from differs, but it is trying to reach port 445.

interface Ethernet0
description *** LINK TO LAN ***
ip address 192.15.213.193 255.255.255.248 secondary
ip address 10.0.4.1 255.255.255.0
ip access-group 110 in
ip access-group 110 out

access-list 110 deny tcp any any eq 135
access-list 110 deny udp any any eq 135
access-list 110 deny udp any any eq tftp
access-list 110 deny udp any any eq netbios-ns
access-list 110 deny udp any any eq netbios-dgm
access-list 110 deny udp any any eq netbios-ss
access-list 110 deny udp any any eq 445
access-list 110 deny udp any any eq 593
access-list 110 permit ip any any
access-list 110 deny tcp any any eq 445

 
Hi there,
The access list will not reach your last statement.
Access lists always look for the first rule that matches the packet that has to be sent. The rules that follow will not be looked at.
You have to change to the following:
access-list 110 deny tcp any any eq 445
access-list 110 deny tcp any any eq 135
access-list 110 deny udp any any eq 135
access-list 110 deny udp any any eq tftp
access-list 110 deny udp any any eq netbios-ns
access-list 110 deny udp any any eq netbios-dgm
access-list 110 deny udp any any eq netbios-ss
access-list 110 deny udp any any eq 445
access-list 110 deny udp any any eq 593
access-list 110 permit ip any any
bye,
busche
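
The first-match behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of the posted access-list 110 that evaluates a packet top-down and reports entries no packet can ever reach. The function names are hypothetical, and the model assumes only the `any any [eq port]` form used in this thread, matching on protocol and destination port.

```python
import re

# Standard IOS port keywords that appear in the thread's list.
PORT_NAMES = {"tftp": 69, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
LINE_RE = re.compile(r"access-list \d+ (permit|deny) (ip|tcp|udp) any any(?: eq (\S+))?$")
# access-list 110 as posted in the thread (permit sits above the TCP/445 deny).
ORIGINAL = """\
access-list 110 deny tcp any any eq 135
access-list 110 deny udp any any eq 135
access-list 110 deny udp any any eq tftp
access-list 110 deny udp any any eq netbios-ns
access-list 110 deny udp any any eq netbios-dgm
access-list 110 deny udp any any eq netbios-ss
access-list 110 deny udp any any eq 445
access-list 110 deny udp any any eq 593
access-list 110 permit ip any any
access-list 110 deny tcp any any eq 445"""
_lines = ORIGINAL.splitlines()  # the reply's fix: TCP/445 deny moved to the top
FIXED = "\n".join([_lines[-1]] + _lines[:-1])

def parse_acl(text):
    """Turn each supported line into (action, proto, port or None, original line)."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, port = m.groups()
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        rules.append((action, proto, port, line.strip()))
    return rules

def covers(rule, proto, port):
    """True if rule matches everything with this protocol and destination port."""
    return rule[1] in ("ip", proto) and rule[2] in (None, port)

def evaluate(rules, proto, port):
    """First match wins; with no match the implicit deny at the end applies."""
    hit = next((r for r in rules if covers(r, proto, port)), None)
    return (hit[0], hit[3]) if hit else ("deny", "implicit deny")

def shadowed(rules):
    """Rules that can never match because an earlier rule covers all their traffic."""
    return [r[3] for i, r in enumerate(rules)
            if any(covers(e, r[1], r[2]) for e in rules[:i])]

if __name__ == "__main__":
    print(evaluate(parse_acl(ORIGINAL), "tcp", 445), shadowed(parse_acl(ORIGINAL)))
```

Running `shadowed()` over a list before applying it is a quick way to catch entries placed below a broader permit or deny.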
 
Thank you very much, it is working perfectly; never too old to learn. Can I set rate-limit on the 805 on the client side? They have a 64k Digital Leased Line and they only pay for 32k; how can I limit the speed to 32k on the 805? I do have rate-limit set up on my 2610 for the connection, but I think it is better to set it up on the client side.

This is what the rate-limit looks like:

rate-limit input 32000 6000 12000 conform-action continue exceed-action drop
rate-limit output 32000 6000 12000 conform-action continue exceed-action drop

 