Solved

Cisco 2500 Filter traffic by tcp port#

Posted on 2000-03-22
1
575 Views
Last Modified: 2010-04-17
I have a cisco 2500 that I would like to enable packet filtering on I am looking to block inbound TCP port 139 (NetBios) and outbound 1027 (unknown service possible hacker activity) 200 points to anyone who can show me 1) if IOS on a 2500 can filter the packets. 2) how to make the config changes.
0
Comment
Question by:NFUNK
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 1

Accepted Solution

by:
dserna earned 200 total points
ID: 2647487
The IOS on the 2500 does come with traffic filtering (access-lists) so here is what you want to do,first you have to create an access-list like this:

router>enable
#conf t
router(config)#access-list 101 deny tcp any any eq  Netbios
router(config)#access-list 101 permit tcp any any
router(config)#access-list 102 deny tcp any any eq 1027
router(config)#access-list 102 permit tcp any any
router(config)#interface Ethernet0
router(config-if)#ip access-group 101 in
router(config-if)#<ctrl><z>
router#conf t
router(config)#interface Ethernet1
router(config-if)#ip access-group 102 out
router(config-if)#<ctrl><z>
router#copy run start

So the above is an example of how to create access-lists to suit you need. The creation of extended access-list 101 is block tcp netbios traffic and to let all other tcp traffic through. If you don't put the permit tcp any any after the first access-list statement, there is an implicit deny all which will block all tcp traffic(not good). So that is why you need the second access-list line. The second access-list 102 is to not let any traffic from tcp port 1027 leave your network. I assumed that  you have at least two interfaces on your router? One outbound and one inbound? Thus in my example, I assume that Ethernet0 is your inbound interface,(that's why I applied access-group 101 in on that interface). Ethernet1 inmy example is the outbound interface and that is why I placed access-group 102 out on that interface.

Hope that helps.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question