Solved

Cisco 2500 Filter traffic by tcp port#

Posted on 2000-03-22
Last Modified: 2010-04-17
I have a Cisco 2500 that I would like to enable packet filtering on. I am looking to block inbound TCP port 139 (NetBIOS) and outbound 1027 (unknown service, possible hacker activity). 200 points to anyone who can show me 1) if IOS on a 2500 can filter the packets, and 2) how to make the config changes.
Question by:NFUNK
1 Comment

Accepted Solution
by: dserna (LVL 1), earned 800 total points
ID: 2647487
The IOS on the 2500 does come with traffic filtering (access-lists), so here is what you want to do. First you have to create an access-list like this:

router>enable
router#conf t
! 139 is the NetBIOS session port named in the question; "Netbios" is not a valid IOS port keyword
router(config)#access-list 101 deny tcp any any eq 139
router(config)#access-list 101 permit tcp any any
router(config)#access-list 102 deny tcp any any eq 1027
router(config)#access-list 102 permit tcp any any
router(config)#interface Ethernet0
router(config-if)#ip access-group 101 in
router(config-if)#<ctrl><z>
router#conf t
router(config)#interface Ethernet1
router(config-if)#ip access-group 102 out
router(config-if)#<ctrl><z>
router#copy run start

So the above is an example of how to create access-lists to suit your needs. The creation of extended access-list 101 is to block tcp netbios traffic and to let all other tcp traffic through. If you don't put the permit tcp any any after the first access-list statement, there is an implicit deny all which will block all tcp traffic (not good). So that is why you need the second access-list line. The second access-list 102 is to not let any traffic from tcp port 1027 leave your network. I assumed that you have at least two interfaces on your router? One outbound and one inbound? Thus in my example, I assume that Ethernet0 is your inbound interface (that's why I applied access-group 101 in on that interface). Ethernet1 in my example is the outbound interface and that is why I placed access-group 102 out on that interface.

Hope that helps.
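An added example, not part of the answer above and not IOS code, that replays the top-down, first-match evaluation the answer describes in Python. It parses the four access-list lines from the answer plus a constructed list 103 that ends in permit ip any any, and shows two things a reader should check before applying such a list: a list whose only permit is for tcp silently drops every non-TCP packet via the implicit deny, and eq on the last position matches the destination port, not the source port.

```python
import re

# Constructed for illustration: the four access-list lines from the answer,
# plus a list 103 that also permits non-TCP traffic (assumed, not from the page).
CONFIG = """
access-list 101 deny tcp any any eq 139
access-list 101 permit tcp any any
access-list 102 deny tcp any any eq 1027
access-list 102 permit tcp any any
access-list 103 deny tcp any any eq 139
access-list 103 permit ip any any
"""

# Only the "access-list N {permit|deny} PROTO any [eq P] any [eq P]" shape is parsed.
LINE_RE = re.compile(
    r"access-list (\d+) (permit|deny) (\w+) any(?: eq (\d+))? any(?: eq (\d+))?$")

def parse_acl(text):
    """Group entries by list number, keeping order: IOS evaluates top-down, first match wins."""
    acls = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        num, action, proto, sport, dport = m.groups()
        acls.setdefault(num, []).append(
            (action, proto, int(sport) if sport else None, int(dport) if dport else None))
    return acls

ACLS = parse_acl(CONFIG)

def evaluate(acl_num, proto, sport, dport):
    """Return 'permit' or 'deny' for one packet checked against a numbered list."""
    for action, p, s, d in ACLS[acl_num]:
        if p != "ip" and p != proto:      # an 'ip' entry matches every protocol
            continue
        if s is not None and s != sport:  # source port: entry matches any if None
            continue
        if d is not None and d != dport:  # destination port: the 'eq' after the second 'any'
            continue
        return action
    return "deny"  # nothing matched: the implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    packets = [("tcp", 40000, 139), ("tcp", 40000, 80), ("udp", 5353, 53), ("icmp", None, None)]
    for num in ("101", "102", "103"):
        print(num, [(pkt, evaluate(num, *pkt)) for pkt in packets])
```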
