Solved

Cisco 2500 Filter traffic by tcp port#

Posted on 2000-03-22
Last Modified: 2010-04-17
I have a Cisco 2500 that I would like to enable packet filtering on. I am looking to block inbound TCP port 139 (NetBIOS) and outbound 1027 (unknown service, possible hacker activity). 200 points to anyone who can show me 1) if IOS on a 2500 can filter the packets, 2) how to make the config changes.
Question by:NFUNK
1 Comment
 
LVL 1

Accepted Solution

by: dserna earned 200 total points
ID: 2647487
The IOS on the 2500 does come with traffic filtering (access-lists), so here is what you want to do. First you have to create an access-list like this:

router>enable
router#conf t
router(config)#access-list 101 deny tcp any any eq 139
router(config)#access-list 101 permit tcp any any
router(config)#access-list 102 deny tcp any any eq 1027
router(config)#access-list 102 permit tcp any any
router(config)#interface Ethernet0
router(config-if)#ip access-group 101 in
router(config-if)#<ctrl><z>
router#conf t
router(config)#interface Ethernet1
router(config-if)#ip access-group 102 out
router(config-if)#<ctrl><z>
router#copy run start

So the above is an example of how to create access-lists to suit your need. The creation of extended access-list 101 is to block tcp netbios traffic and to let all other tcp traffic through. If you don't put the permit tcp any any after the first access-list statement, there is an implicit deny all which will block all tcp traffic (not good). So that is why you need the second access-list line. The second access-list 102 is to not let any traffic from tcp port 1027 leave your network. I assumed that you have at least two interfaces on your router? One outbound and one inbound? Thus in my example, I assume that Ethernet0 is your inbound interface (that's why I applied access-group 101 in on that interface). Ethernet1 in my example is the outbound interface and that is why I placed access-group 102 out on that interface.

Hope that helps.
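
The first-match and implicit-deny behaviour discussed in the answer can be checked offline before touching the router. The following is an added example, not part of the original post and not Cisco code: a small Python model of extended ACL evaluation that handles only `any` addresses and `eq` port qualifiers and ignores interface direction. The names `parse`, `evaluate` and `ACL_SRC` are hypothetical, and it goes one step beyond the answer by including a constructed variant in which the port qualifier follows the source instead of the destination.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every IP protocol
    sport: Optional[int]      # "eq N" written after the source
    dport: Optional[int]      # "eq N" written after the destination

def parse(line: str) -> Rule:
    """Parse 'access-list N ACTION PROTO any [eq P] any [eq P]' (only 'any' addresses)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    rest, ports = tok[4:], []
    for _ in range(2):        # source first, then destination
        if not rest or rest.pop(0) != "any":
            raise ValueError(f"only 'any' addresses are modelled: {line!r}")
        if len(rest) >= 2 and rest[0] == "eq":
            ports.append(int(rest[1]))
            rest = rest[2:]
        else:
            ports.append(None)
    if rest:
        raise ValueError(f"trailing tokens in: {line!r}")
    return Rule(tok[2], tok[3], ports[0], ports[1])

def evaluate(acl, proto, sport=None, dport=None) -> str:
    """Lines are checked top-down, first match wins, no match means implicit deny."""
    for r in acl:
        if r.proto in ("ip", proto) and r.sport in (None, sport) and r.dport in (None, dport):
            return r.action
    return "implicit deny"

# ACLs as entered in the answer (NetBIOS session service written as TCP port 139).
ACL_101 = [parse(l) for l in ("access-list 101 deny tcp any any eq 139",
                              "access-list 101 permit tcp any any")]
ACL_102 = [parse(l) for l in ("access-list 102 deny tcp any any eq 1027",
                              "access-list 102 permit tcp any any")]
# Constructed variant, not from the page: port qualifier after the source, final permit ip.
ACL_SRC = [parse(l) for l in ("access-list 102 deny tcp any eq 1027 any",
                              "access-list 102 permit ip any any")]

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source port, destination port).
    packets = (("tcp", 40000, 139), ("tcp", 1027, 80), ("tcp", 40000, 1027), ("udp", 40000, 53))
    for name, acl in (("101", ACL_101), ("102", ACL_102), ("variant", ACL_SRC)):
        for pkt in packets:
            print(name, pkt, "->", evaluate(acl, *pkt))
```

In this model the lists from the answer pass only TCP, so UDP and ICMP packets fall through to the implicit deny, and `any any eq 1027` matches the destination port rather than the source port.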

Question has a verified solution.
