Solved

Cisco ACL allow port range

Posted on 2008-10-07
Last Modified: 2012-05-05
We have a Cisco 2600 that we use ACLs on to control inbound access.  I have a need to open 1000 ports (a range from 1024 to 2048) to one IP address.  Rather than add over 1,000 lines to my access list, is there a way I can define this range?
I tried:
permit tcp any xxx.xxx.xxx.xxx range 1024 2048

That does not seem to work, but I also do not get any errors when entering this command.
Question by:Frank McCourry
11 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22662806
Can you post a "show access-list"?  There may be a "deny" above the permit statement you just added.  If so, remove the deny and add it back in (or leave it out as there is an implicit deny at the end of the list).
 
LVL 9

Author Comment

by:Frank McCourry
ID: 22662863
Here it is.  I've substituted our network addresses for security reasons.  It's pretty straightforward.  None of the leading deny statements contain any of our network addresses.

remark ***Denys for abuse***
 deny   ip 216.207.3.136 0.0.0.7 any
 deny   ip host 209.196.17.45 any
 deny   ip host 219.154.96.125 any
 deny   ip host 65.91.77.12 any
 deny   ip host 220.162.244.78 any
 deny   ip host 198.78.216.124 any
 deny   ip 210.124.184.0 0.0.0.255 any
 remark ***Routers***
 permit ip any host xxx.xxx.xxx.2
 permit ip any host xxx.xxx.xxx.3
 permit ip any host xxx.xxx.xxx.4
 permit ip any host xxx.xxx.xxx.5
 permit ip any host xxx.xxx.xxx.6
 permit ip any host xxx.xxx.xxx.7
 permit ip any host xxx.xxx.xxx.8
 permit ip any host xxx.xxx.xxx.9
 permit ip any host xxx.xxx.xxx.16
 remark ***FTP***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 remark ***email***
 permit tcp any host xxx.xxx.xxx.131 eq 366
 permit tcp any host xxx.xxx.xxx.131 eq 587
 permit tcp any host xxx.xxx.xxx.131 eq pop3
 permit tcp any host xxx.xxx.xxx.131 eq 995
 permit tcp any host xxx.xxx.xxx.131 eq smtp
 permit tcp any host xxx.xxx.xxx.132 eq 366
 permit tcp any host xxx.xxx.xxx.132 eq 587
 permit tcp any host xxx.xxx.xxx.132 eq pop3
 permit tcp any host xxx.xxx.xxx.132 eq 995
 permit tcp any host xxx.xxx.xxx.132 eq smtp
 permit tcp any host xxx.xxx.xxx.135 eq 366
 permit tcp any host xxx.xxx.xxx.135 eq 587
 permit tcp any host xxx.xxx.xxx.135 eq pop3
 permit tcp any host xxx.xxx.xxx.135 eq 995
 permit tcp any host xxx.xxx.xxx.135 eq smtp
 remark ***monitor***
 permit udp any host xxx.xxx.xxx.128 eq syslog
 permit tcp any host xxx.xxx.xxx.122 eq 82
 remark ***DNS***
 permit udp any host xxx.xxx.xxx.104 eq domain
 permit udp any host xxx.xxx.xxx.105 eq domain
 permit tcp any host xxx.xxx.xxx.104 eq domain
 permit tcp any host xxx.xxx.xxx.105 eq domain
 remark ***WEB***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 remark ***NovaStor***
 permit tcp any host xxx.xxx.xxx.125 eq 308
 remark ***Secure Web***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 remark ***SQL***
 permit tcp any host xxx.xxx.xxx.121 eq 1433
 permit tcp any host xxx.xxx.xxx.127 eq 1433
 permit tcp any host xxx.xxx.xxx.143 eq 1433
 permit tcp any host xxx.xxx.xxx.153 eq 1433
 permit tcp any host xxx.xxx.xxx.160 eq 1433
 remark ***Remote Backup Server***
 permit tcp any host xxx.xxx.xxx.125 eq 2774
 permit udp any host xxx.xxx.xxx.125 eq 2774
 permit tcp any host xxx.xxx.xxx.125 range 1024 2048
 permit udp any host xxx.xxx.xxx.125 range 1024 2048
 remark ***Video Streaming***
 permit tcp any host xxx.xxx.xxx.100 eq 1755
 permit udp any host xxx.xxx.xxx.100 eq 1755
 permit tcp any host xxx.xxx.xxx.100 eq 554
 permit udp any host xxx.xxx.xxx.100 eq 5005
 remark ***MySQL***
 permit tcp any host xxx.xxx.xxx.102 eq 3306
 remark ***Terminal Services***
 permit tcp any host xxx.xxx.xxx.131 eq 3389
 permit tcp any host xxx.xxx.xxx.150 eq 3389
 permit tcp any host xxx.xxx.xxx.151 eq 3389
 permit tcp any host xxx.xxx.xxx.160 eq 3389
 remark ***Cameras***
 permit tcp any host xxx.xxx.xxx.1 eq 5120
 permit udp any host xxx.xxx.xxx.1 eq 5120
 permit udp any host xxx.xxx.xxx.51 eq 5001
 permit udp any host xxx.xxx.xxx.51 eq 5002
 permit udp any host xxx.xxx.xxx.51 eq 5003
 permit tcp any host xxx.xxx.xxx.51 eq 5001
 permit tcp any host xxx.xxx.xxx.51 eq 5002
 permit tcp any host xxx.xxx.xxx.51 eq 5003
 remark ***ICMP***
 permit icmp any any
 remark ***Reflexive Evaluate***
 evaluate tcptraffic
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22662882
Access-list looks fine.  Do you have corresponding NAT entries or a 1-1 static NAT for this host?
 
LVL 10

Accepted Solution

by:
ampranti earned 200 total points
ID: 22662924
At the bottom of the list add a statement

deny ip any any log

then initiate a connection in that port range, and check why it is blocked.
 
LVL 9

Expert Comment

by:mgonullu
ID: 22662952
I know it may seem naive, but what about using Excel to write the port numbers, then converting it to CSV and importing the commands as text into the IOS (load configuration)?
 
LVL 9

Author Comment

by:Frank McCourry
ID: 22663110
JFrederick29: All of our addresses are public (shoulda said that) so there is no NAT used.
ampranti: Checking the logs does not indicate that there was anything denied.  Perhaps my software is not listening properly?

The software I am using initiates a connection on port 2774 then uses ports 1024 through 2048 for data transfer.  Kinda like a PASV FTP connection.   I would assume that just opening the ports would do the trick, but it appears that I may have to set up another reflexive list? Someone correct me if I am wrong, please!  

I am assuming that both of you concur that my permit statements below should work?
 permit tcp any host xxx.xxx.xxx.125 range 1024 2048
 permit udp any host xxx.xxx.xxx.125 range 1024 2048
 
LVL 9

Author Comment

by:Frank McCourry
ID: 22663132
mgonullu: The only problem is that if I need to make changes to this list, which I do on a regular basis, it takes forever to load.  It is also processor intensive to parse a list that large, something I really want to avoid.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22663149
You could use the gt (greater than) and lt (less than) function.


! The list is evaluated top-down and the first match wins, so the deny for
! the upper part must come before the broader permit, or it never fires.
deny   tcp any host xxx.xxx.xxx.xxx gt 2048
permit tcp any host xxx.xxx.xxx.xxx gt 1024


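To check the three pieces of advice in this thread side by side (the author's `range 1024 2048` line, the gt/lt alternative, and the `deny ip any any log` diagnostic from the accepted answer), here is a small simulator of Cisco IOS first-match ACL semantics. This is an added example and is not code from the thread or from Cisco; it models only the syntax used in the posted list (permit/deny, ip/tcp/udp/icmp, any/host/wildcard addresses, eq/gt/lt/range operators, a trailing `log`) and ignores the reflexive `evaluate`, `established` and named ports. The 192.0.2.x / 198.51.100.x addresses and the sample packets are constructed stand-ins for the masked xxx.xxx.xxx values in the thread. Note that on real IOS a single destination address must be written `host A.B.C.D` (or `A.B.C.D 0.0.0.0`), as in the author's actual list.

```python
"""Cisco IOS extended-ACL first-match simulator (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass

OPS = ("eq", "gt", "lt", "range")


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    sport: int = 0


def _addr_match(tokens, addr):
    """Consume one address spec ('any' | 'host A' | 'A wildcard') and test addr against it."""
    tok = tokens.pop(0)
    if tok == "any":
        return True
    if tok == "host":
        return addr == tokens.pop(0)
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = 0xFFFFFFFF ^ wildcard           # wildcard bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(tok)) & mask)


def _port_match(tokens, port):
    """Consume an optional port operator; no operator means any port."""
    if not tokens or tokens[0] not in OPS:
        return True
    op = tokens.pop(0)
    if op == "range":
        lo, hi = int(tokens.pop(0)), int(tokens.pop(0))
        return lo <= port <= hi
    n = int(tokens.pop(0))
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def matches(rule, pkt):
    """True if one ACL line (e.g. 'permit tcp any host 192.0.2.125 range 1024 2048') matches pkt."""
    tokens = rule.split()
    proto, tokens = tokens[1], tokens[2:]
    if tokens and tokens[-1] == "log":
        tokens.pop()
    if proto not in ("ip", pkt.proto):
        return False
    # Evaluate every field so the token stream is consumed in IOS order: src, [sport], dst, [dport].
    src_ok = _addr_match(tokens, pkt.src)
    sport_ok = _port_match(tokens, pkt.sport)
    dst_ok = _addr_match(tokens, pkt.dst)
    dport_ok = _port_match(tokens, pkt.dport)
    return src_ok and sport_ok and dst_ok and dport_ok


def evaluate(acl, pkt):
    """Walk the list top-down; return (action, line) of the first match, or the implicit deny."""
    for line in acl:
        if line.startswith("remark"):
            continue
        if matches(line, pkt):
            return line.split()[0], line
    return "deny", "<implicit deny>"


def classify(acl, proto, dst, dport, src="198.51.100.7"):
    return evaluate(acl, Packet(proto, src, dst, dport))[0]


# Constructed stand-in for the posted list: first abuse deny, the backup-server block, ICMP.
ACL_POSTED = [
    "remark ***Denys for abuse***",
    "deny ip 216.207.3.136 0.0.0.7 any",
    "remark ***Remote Backup Server***",
    "permit tcp any host 192.0.2.125 eq 2774",
    "permit udp any host 192.0.2.125 eq 2774",
    "permit tcp any host 192.0.2.125 range 1024 2048",
    "permit udp any host 192.0.2.125 range 1024 2048",
    "remark ***ICMP***",
    "permit icmp any any",
]

# gt/lt written permit-first: the permit matches every port above 1024, so the deny is dead.
ACL_GT_AS_POSTED = [
    "permit tcp any host 192.0.2.125 gt 1024",
    "deny tcp any host 192.0.2.125 gt 2048",
]

# Deny first fixes the ordering; note that 'gt 1024' still excludes port 1024 itself.
ACL_GT_FIXED = [
    "deny tcp any host 192.0.2.125 gt 2048",
    "permit tcp any host 192.0.2.125 gt 1024",
]

# The diagnostic from the accepted answer: an explicit, logged deny at the bottom.
ACL_WITH_LOG = ACL_POSTED + ["deny ip any any log"]


if __name__ == "__main__":
    for port in (1024, 1500, 2048, 2049, 2774, 3000):
        print(port, "range:", classify(ACL_POSTED, "tcp", "192.0.2.125", port),
              "| gt as posted:", classify(ACL_GT_AS_POSTED, "tcp", "192.0.2.125", port),
              "| gt fixed:", classify(ACL_GT_FIXED, "tcp", "192.0.2.125", port))
    print(evaluate(ACL_WITH_LOG, Packet("tcp", "198.51.100.7", "192.0.2.125", 3000)))
```

Running it shows that the `range 1024 2048` line does permit 1024 through 2048 to the backup host and denies 2049 and above, which is why the logged deny at the bottom of the list is the right diagnostic: if the log stays empty while the transfer still fails, the traffic is not being dropped by this ACL and the problem is elsewhere (in this thread, ports the vendor had not documented).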
 
LVL 10

Expert Comment

by:ampranti
ID: 22663184
ACL statement looks ok

Just a new idea:

ip inspect name myname ftp
int <outside>
    ip inspect myname in
 
LVL 9

Assisted Solution

by:mgonullu
mgonullu earned 50 total points
ID: 22663227
 
LVL 9

Author Closing Comment

by:Frank McCourry
ID: 31503978
I found the problem.  The Software vendor failed to specify that there are additional ports to be opened.  I've been chasing a ghost.  However, I am awarding points because ampranti gave me a diagnostic that helped me find this error.  mgonullu gets 50 points because of the excellent resource link and confirmation that I am indeed not crazy, though some would argue....

Thanks guys!
