Solved

Cisco ACL allow port range

Posted on 2008-10-07
1,137 Views
Last Modified: 2012-05-05
We have a Cisco 2600 that we use ACLs on to control inbound access.  I have a need to open 1000 ports (a range from 1024 to 2048) to one IP address.  Rather than add over 1,000 lines to my access list, is there a way I can define this range?
I tried:
permit tcp any xxx.xxx.xxx.xxx range 1024 2048

That does not seem to work, but I also do not get any errors when entering this command.
Question by:Frank McCourry
11 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22662806
Can you post a "show access-list"?  There may be a "deny" above the permit statement you just added.  If so, remove the deny and add it back in (or leave it out as there is an implicit deny at the end of the list).
 
LVL 9

Author Comment

by:Frank McCourry
ID: 22662863
Here it is.  I've substituted our network addresses for security reasons.  It's pretty straightforward.  None of the leading deny statements contain any of our network addresses.

remark ***Denys for abuse***
 deny   ip 216.207.3.136 0.0.0.7 any
 deny   ip host 209.196.17.45 any
 deny   ip host 219.154.96.125 any
 deny   ip host 65.91.77.12 any
 deny   ip host 220.162.244.78 any
 deny   ip host 198.78.216.124 any
 deny   ip 210.124.184.0 0.0.0.255 any
 remark ***Routers***
 permit ip any host xxx.xxx.xxx.2
 permit ip any host xxx.xxx.xxx.3
 permit ip any host xxx.xxx.xxx.4
 permit ip any host xxx.xxx.xxx.5
 permit ip any host xxx.xxx.xxx.6
 permit ip any host xxx.xxx.xxx.7
 permit ip any host xxx.xxx.xxx.8
 permit ip any host xxx.xxx.xxx.9
 permit ip any host xxx.xxx.xxx.16
 remark ***FTP***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 remark ***email***
 permit tcp any host xxx.xxx.xxx.131 eq 366
 permit tcp any host xxx.xxx.xxx.131 eq 587
 permit tcp any host xxx.xxx.xxx.131 eq pop3
 permit tcp any host xxx.xxx.xxx.131 eq 995
 permit tcp any host xxx.xxx.xxx.131 eq smtp
 permit tcp any host xxx.xxx.xxx.132 eq 366
 permit tcp any host xxx.xxx.xxx.132 eq 587
 permit tcp any host xxx.xxx.xxx.132 eq pop3
 permit tcp any host xxx.xxx.xxx.132 eq 995
 permit tcp any host xxx.xxx.xxx.132 eq smtp
 permit tcp any host xxx.xxx.xxx.135 eq 366
 permit tcp any host xxx.xxx.xxx.135 eq 587
 permit tcp any host xxx.xxx.xxx.135 eq pop3
 permit tcp any host xxx.xxx.xxx.135 eq 995
 permit tcp any host xxx.xxx.xxx.135 eq smtp
 remark ***monitor***
 permit udp any host xxx.xxx.xxx.128 eq syslog
 permit tcp any host xxx.xxx.xxx.122 eq 82
 remark ***DNS***
 permit udp any host xxx.xxx.xxx.104 eq domain
 permit udp any host xxx.xxx.xxx.105 eq domain
 permit tcp any host xxx.xxx.xxx.104 eq domain
 permit tcp any host xxx.xxx.xxx.105 eq domain
 remark ***WEB***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 remark ***NovaStor***
 permit tcp any host xxx.xxx.xxx.125 eq 308
 remark ***Secure Web***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 remark ***SQL***
 permit tcp any host xxx.xxx.xxx.121 eq 1433
 permit tcp any host xxx.xxx.xxx.127 eq 1433
 permit tcp any host xxx.xxx.xxx.143 eq 1433
 permit tcp any host xxx.xxx.xxx.153 eq 1433
 permit tcp any host xxx.xxx.xxx.160 eq 1433
 remark ***Remote Backup Server***
 permit tcp any host xxx.xxx.xxx.125 eq 2774
 permit udp any host xxx.xxx.xxx.125 eq 2774
 permit tcp any host xxx.xxx.xxx.125 range 1024 2048
 permit udp any host xxx.xxx.xxx.125 range 1024 2048
 remark ***Video Streaming***
 permit tcp any host xxx.xxx.xxx.100 eq 1755
 permit udp any host xxx.xxx.xxx.100 eq 1755
 permit tcp any host xxx.xxx.xxx.100 eq 554
 permit udp any host xxx.xxx.xxx.100 eq 5005
 remark ***MySQL***
 permit tcp any host xxx.xxx.xxx.102 eq 3306
 remark ***Terminal Services***
 permit tcp any host xxx.xxx.xxx.131 eq 3389
 permit tcp any host xxx.xxx.xxx.150 eq 3389
 permit tcp any host xxx.xxx.xxx.151 eq 3389
 permit tcp any host xxx.xxx.xxx.160 eq 3389
 remark ***Cameras***
 permit tcp any host xxx.xxx.xxx.1 eq 5120
 permit udp any host xxx.xxx.xxx.1 eq 5120
 permit udp any host xxx.xxx.xxx.51 eq 5001
 permit udp any host xxx.xxx.xxx.51 eq 5002
 permit udp any host xxx.xxx.xxx.51 eq 5003
 permit tcp any host xxx.xxx.xxx.51 eq 5001
 permit tcp any host xxx.xxx.xxx.51 eq 5002
 permit tcp any host xxx.xxx.xxx.51 eq 5003
 remark ***ICMP***
 permit icmp any any
 remark ***Reflexive Evaluate***
 evaluate tcptraffic
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22662882
Access-list looks fine.  Do you have corresponding NAT entries or a 1-1 static NAT for this host?
 
LVL 10

Accepted Solution

by:ampranti (earned 800 total points)
ID: 22662924
At the bottom of the list add a statement

deny ip any any log

then initiate a connection in that port range, and check why it is blocked.
 
LVL 9

Expert Comment

by:mgonullu
ID: 22662952
I know it may seem naive, but what about using Excel to write the port numbers, then converting it to CSV and importing the commands as text into the IOS (load configuration)?
 
LVL 9

Author Comment

by:Frank McCourry
ID: 22663110
JFrederick29: All of our addresses are public (shoulda said that), so there is no NAT used.
ampranti: Checking the logs does not indicate that there was anything denied.  Perhaps my software is not listening properly?

The software I am using initiates a connection on port 2774, then uses ports 1024 through 2048 for data transfer.  Kinda like a PASV FTP connection.   I would assume that just opening the ports would do the trick, but it appears that I may have to set up another reflexive list? Someone correct me if I am wrong, please!

I am assuming that both of you concur that my permit statements below should work?
 permit tcp any host xxx.xxx.xxx.125 range 1024 2048
 permit udp any host xxx.xxx.xxx.125 range 1024 2048
 
LVL 9

Author Comment

by:Frank McCourry
ID: 22663132
mgonullu: The only problem is that if I need to make changes to this list, which I do on a regular basis, it takes forever to load.  It is also processor intensive to parse a list that large, something I really want to avoid.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22663149
You could use the gt (greater than) and lt (less than) functions:


permit tcp any xxx.xxx.xxx.xxx gt 1024
deny tcp any xxx.xxx.xxx.xxx gt 2048

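Added example (not code from the thread or from Cisco): a small first-match simulation of how an IOS extended ACL is evaluated, covering the single-line `range` operator from the question, the `gt`/`lt` variant in this comment, and the trailing `deny ip any any log` diagnostic ampranti suggested. It is an assumption of the example that only protocol and destination port are matched; source and destination addresses are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp" or "ip" ("ip" matches any protocol)
    op: str = "any"    # "eq", "range", "gt", "lt" or "any" (no port test)
    lo: int = 0
    hi: int = 0        # upper bound, only used by "range"
    log: bool = False  # the "log" keyword on the line

    def matches(self, proto: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.op == "any":
            return True
        if self.op == "eq":
            return dport == self.lo
        if self.op == "range":
            return self.lo <= dport <= self.hi
        if self.op == "gt":
            return dport > self.lo
        if self.op == "lt":
            return dport < self.lo
        raise ValueError(f"unknown operator {self.op}")

def evaluate(acl, proto, dport):
    """First matching line wins; no match means the implicit deny (index None)."""
    for i, rule in enumerate(acl):
        if rule.matches(proto, dport):
            return rule.action, i
    return "deny", None

def logged_denies(acl, packets):
    # Packets that would show up in syslog because they hit a "deny ... log" line.
    hits = []
    for proto, dport in packets:
        _, idx = evaluate(acl, proto, dport)
        if idx is not None and acl[idx].action == "deny" and acl[idx].log:
            hits.append((proto, dport))
    return hits

# Constructed from the thread's "Remote Backup Server" lines (addresses omitted),
# with the explicit logged deny appended at the end of the list.
BACKUP_ACL = [
    Rule("permit", "tcp", "eq", 2774),
    Rule("permit", "tcp", "range", 1024, 2048),
    Rule("deny", "ip", log=True),
]
# gt/lt form: the deny above 2048 must come BEFORE "permit gt 1024", otherwise the
# permit matches first and the deny line is never reached (first-match semantics).
GT_LT_ACL = [Rule("deny", "tcp", "gt", 2048), Rule("permit", "tcp", "gt", 1024)]
```

Because the simulation is first-match, reversing the two `GT_LT_ACL` lines permits every port above 1024, which is the ordering pitfall to check for when replacing a `range` line with `gt`/`lt` pairs.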
 
LVL 10

Expert Comment

by:ampranti
ID: 22663184
ACL statement looks ok

Just a new idea:

ip inspect name myname ftp
int <outside>
    ip inspect myname in
 
LVL 9

Assisted Solution

by:mgonullu (earned 200 total points)
ID: 22663227
 
LVL 9

Author Closing Comment

by:Frank McCourry
ID: 31503978
I found the problem.  The software vendor failed to specify that there are additional ports to be opened.  I've been chasing a ghost.  However, I am awarding points because ampranti gave me a diagnostic that helped me find this error.  mgonullu gets 50 points because of the excellent resource link and confirmation that I am indeed not crazy, though some would argue....

Thanks guys!