Cisco ACL allow port range

We have a Cisco 2600 that we use ACLs on to control inbound access.  I have a need to open 1000 ports (a range from 1024 to 2048) to one IP address.  Rather than add over 1,000 lines to my access list, is there a way I can define this range?
I tried:
permit tcp any xxx.xxx.xxx.xxx range 1024 2048

That does not seem to work, but I also do not get any errors when entering this command.
Frank McCourry, V.P. Holland Computers, Inc. asked:

ampranti commented:
At the bottom of the list add a statement

deny ip any any log

then initiate a connection in that port range and check why it is blocked.
0
 
JFrederick29 commented:
Can you post a "show access-list"?  There may be a "deny" above the permit statement you just added.  If so, remove the deny and add it back in (or leave it out as there is an implicit deny at the end of the list).
0
 
Frank McCourry, V.P. Holland Computers, Inc. (Author) commented:
Here it is.  I've substituted our network addresses for security reasons.  It's pretty straightforward.  None of the leading deny statements contain any of our network addresses.

remark ***Denys for abuse***
 deny   ip 216.207.3.136 0.0.0.7 any
 deny   ip host 209.196.17.45 any
 deny   ip host 219.154.96.125 any
 deny   ip host 65.91.77.12 any
 deny   ip host 220.162.244.78 any
 deny   ip host 198.78.216.124 any
 deny   ip 210.124.184.0 0.0.0.255 any
 remark ***Routers***
 permit ip any host xxx.xxx.xxx.2
 permit ip any host xxx.xxx.xxx.3
 permit ip any host xxx.xxx.xxx.4
 permit ip any host xxx.xxx.xxx.5
 permit ip any host xxx.xxx.xxx.6
 permit ip any host xxx.xxx.xxx.7
 permit ip any host xxx.xxx.xxx.8
 permit ip any host xxx.xxx.xxx.9
 permit ip any host xxx.xxx.xxx.16
 remark ***FTP***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 remark ***email***
 permit tcp any host xxx.xxx.xxx.131 eq 366
 permit tcp any host xxx.xxx.xxx.131 eq 587
 permit tcp any host xxx.xxx.xxx.131 eq pop3
 permit tcp any host xxx.xxx.xxx.131 eq 995
 permit tcp any host xxx.xxx.xxx.131 eq smtp
 permit tcp any host xxx.xxx.xxx.132 eq 366
 permit tcp any host xxx.xxx.xxx.132 eq 587
 permit tcp any host xxx.xxx.xxx.132 eq pop3
 permit tcp any host xxx.xxx.xxx.132 eq 995
 permit tcp any host xxx.xxx.xxx.132 eq smtp
 permit tcp any host xxx.xxx.xxx.135 eq 366
 permit tcp any host xxx.xxx.xxx.135 eq 587
 permit tcp any host xxx.xxx.xxx.135 eq pop3
 permit tcp any host xxx.xxx.xxx.135 eq 995
 permit tcp any host xxx.xxx.xxx.135 eq smtp
 remark ***monitor***
 permit udp any host xxx.xxx.xxx.128 eq syslog
 permit tcp any host xxx.xxx.xxx.122 eq 82
 remark ***DNS***
 permit udp any host xxx.xxx.xxx.104 eq domain
 permit udp any host xxx.xxx.xxx.105 eq domain
 permit tcp any host xxx.xxx.xxx.104 eq domain
 permit tcp any host xxx.xxx.xxx.105 eq domain
 remark ***WEB***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 remark ***NovaStor***
 permit tcp any host xxx.xxx.xxx.125 eq 308
 remark ***Secure Web***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 remark ***SQL***
 permit tcp any host xxx.xxx.xxx.121 eq 1433
 permit tcp any host xxx.xxx.xxx.127 eq 1433
 permit tcp any host xxx.xxx.xxx.143 eq 1433
 permit tcp any host xxx.xxx.xxx.153 eq 1433
 permit tcp any host xxx.xxx.xxx.160 eq 1433
 remark ***Remote Backup Server***
 permit tcp any host xxx.xxx.xxx.125 eq 2774
 permit udp any host xxx.xxx.xxx.125 eq 2774
 permit tcp any host xxx.xxx.xxx.125 range 1024 2048
 permit udp any host xxx.xxx.xxx.125 range 1024 2048
 remark ***Video Streaming***
 permit tcp any host xxx.xxx.xxx.100 eq 1755
 permit udp any host xxx.xxx.xxx.100 eq 1755
 permit tcp any host xxx.xxx.xxx.100 eq 554
 permit udp any host xxx.xxx.xxx.100 eq 5005
 remark ***MySQL***
 permit tcp any host xxx.xxx.xxx.102 eq 3306
 remark ***Terminal Services***
 permit tcp any host xxx.xxx.xxx.131 eq 3389
 permit tcp any host xxx.xxx.xxx.150 eq 3389
 permit tcp any host xxx.xxx.xxx.151 eq 3389
 permit tcp any host xxx.xxx.xxx.160 eq 3389
 remark ***Cameras***
 permit tcp any host xxx.xxx.xxx.1 eq 5120
 permit udp any host xxx.xxx.xxx.1 eq 5120
 permit udp any host xxx.xxx.xxx.51 eq 5001
 permit udp any host xxx.xxx.xxx.51 eq 5002
 permit udp any host xxx.xxx.xxx.51 eq 5003
 permit tcp any host xxx.xxx.xxx.51 eq 5001
 permit tcp any host xxx.xxx.xxx.51 eq 5002
 permit tcp any host xxx.xxx.xxx.51 eq 5003
 remark ***ICMP***
 permit icmp any any
 remark ***Reflexive Evaluate***
 evaluate tcptraffic
0
 
JFrederick29 commented:
Access-list looks fine.  Do you have corresponding NAT entries or a 1-1 static NAT for this host?
0
 
mgonullu commented:
I know it may seem naive, but what about using Excel to write the port numbers, then converting it to CSV and importing the commands as text into the IOS (load configuration)?
0
 
Frank McCourry, V.P. Holland Computers, Inc. (Author) commented:
JFrederick29: All of our addresses are public (shoulda said that), so there is no NAT used.
ampranti: Checking the logs does not indicate that there was anything denied.  Perhaps my software is not listening properly?

The software I am using initiates a connection on port 2774, then uses ports 1024 through 2048 for data transfer.  Kinda like a PASV FTP connection.   I would assume that just opening the ports would do the trick, but it appears that I may have to set up another reflexive list? Someone correct me if I am wrong, please!

I am assuming that both of you concur that my permit statements below should work?
 permit tcp any host xxx.xxx.xxx.125 range 1024 2048
 permit udp any host xxx.xxx.xxx.125 range 1024 2048
0
 
Frank McCourry, V.P. Holland Computers, Inc. (Author) commented:
mgonullu: The only problem is that if I need to make changes to this list, which I do on a regular basis, it takes forever to load.  It is also processor intensive to parse a list that large, something I really want to avoid.
0
 
Don Johnston (Instructor) commented:
You could use the gt (greater than) and lt (less than) function


permit tcp any xxx.xxx.xxx.xxx gt 1024
deny tcp any xxx.xxx.xxx.xxx gt 2048
0
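As an added illustration (not code from this thread or from Cisco), the following evaluator applies the first-match rule the router uses on an IOS extended ACL, so a practitioner can check which line a given packet hits before testing against the live box. It assumes 203.0.113.0/24 as a constructed stand-in for the masked xxx.xxx.xxx network and numeric port values.

```python
import ipaddress
# Added example (not Cisco code): first-match evaluation of a Cisco IOS
# extended ACL, as the router applies the list posted above.  Handles
# "permit|deny <proto> <src> <dst> [eq|gt|lt N | range A B]" with numeric
# ports; an address is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
# 203.0.113.0/24 is a constructed stand-in for the thread's xxx.xxx.xxx.
_ip = lambda s: int(ipaddress.IPv4Address(s))
OPS = {"eq": lambda p, a, b: p == a, "gt": lambda p, a, b: p > a,
       "lt": lambda p, a, b: p < a, "range": lambda p, a, b: a <= p <= b}

def _addr(t, i):
    # address spec at t[i] -> ((network, wildcard), index of the next token)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def parse_ace(line):
    t = line.split()
    if not t or t[0] not in ("permit", "deny"):
        return None                  # remark, evaluate or blank: not an ACE
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    ports = None
    if i < len(t) and t[i] in OPS:   # eq/gt/lt take one port, range takes two
        ports = (t[i], int(t[i + 1]), int(t[i + 1 + (t[i] == "range")]))
    return t[0], t[1], src, dst, ports

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First matching ACE decides; no match falls through to the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for line in acl.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        act, p, (sn, sw), (dn, dw), ports = ace
        # wildcard bits are don't-care, so OR them into both sides before comparing
        if p not in (proto, "ip") or (s | sw) != (sn | sw) or (d | dw) != (dn | dw):
            continue
        if ports and not OPS[ports[0]](dport, *ports[1:]):
            continue
        return act, line.strip()
    return "deny", "implicit deny"
# The thread's "Remote Backup Server" block on the placeholder network.
ACL = """\
 permit tcp any host 203.0.113.125 eq 2774
 permit tcp any host 203.0.113.125 range 1024 2048
 permit udp any host 203.0.113.125 range 1024 2048
"""
```

Order decides with gt/lt as well: a `deny ... gt 2048` placed below `permit ... gt 1024` is never reached, because anything above 2048 already matched the permit, so the deny has to sit first.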
 
ampranti commented:
ACL statement looks ok

Just a new idea:

ip inspect name myname ftp
int <outside>
    ip inspect myname in
0
 
Frank McCourry, V.P. Holland Computers, Inc. (Author) commented:
I found the problem.  The software vendor failed to specify that there are additional ports to be opened.  I've been chasing a ghost.  However, I am awarding points because ampranti gave me a diagnostic that helped me find this error.  mgonullu gets 50 points because of the excellent resource link and confirmation that I am indeed not crazy, though some would argue....

Thanks guys!
0
Question has a verified solution.