Solved

Cisco 2500 Filter traffic by tcp port#

Posted on 2000-03-22
1
570 Views
Last Modified: 2010-04-17
I have a cisco 2500 that I would like to enable packet filtering on I am looking to block inbound TCP port 139 (NetBios) and outbound 1027 (unknown service possible hacker activity) 200 points to anyone who can show me 1) if IOS on a 2500 can filter the packets. 2) how to make the config changes.
0
Comment
Question by:NFUNK
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 1

Accepted Solution

by:
dserna earned 200 total points
ID: 2647487
The IOS on the 2500 does come with traffic filtering (access-lists) so here is what you want to do,first you have to create an access-list like this:

router>enable
#conf t
router(config)#access-list 101 deny tcp any any eq  Netbios
router(config)#access-list 101 permit tcp any any
router(config)#access-list 102 deny tcp any any eq 1027
router(config)#access-list 102 permit tcp any any
router(config)#interface Ethernet0
router(config-if)#ip access-group 101 in
router(config-if)#<ctrl><z>
router#conf t
router(config)#interface Ethernet1
router(config-if)#ip access-group 102 out
router(config-if)#<ctrl><z>
router#copy run start

So the above is an example of how to create access-lists to suit you need. The creation of extended access-list 101 is block tcp netbios traffic and to let all other tcp traffic through. If you don't put the permit tcp any any after the first access-list statement, there is an implicit deny all which will block all tcp traffic(not good). So that is why you need the second access-list line. The second access-list 102 is to not let any traffic from tcp port 1027 leave your network. I assumed that  you have at least two interfaces on your router? One outbound and one inbound? Thus in my example, I assume that Ethernet0 is your inbound interface,(that's why I applied access-group 101 in on that interface). Ethernet1 inmy example is the outbound interface and that is why I placed access-group 102 out on that interface.

Hope that helps.
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question