Solved

Cisco ACL allow port range

Posted on 2008-10-07
Last Modified: 2012-05-05
We have a Cisco 2600 that we use ACLs on to control inbound access.  I have a need to open 1000 ports (a range from 1024 to 2048) to one IP address.  Rather than add over 1,000 lines to my access list, is there a way I can define this range?
I tried:
permit tcp any xxx.xxx.xxx.xxx range 1024 2048

That does not seem to work, but I also do not get any errors when entering this command.
Question by: Frank McCourry
11 Comments
 
LVL 43

Expert Comment

by: JFrederick29
Can you post a "show access-list"?  There may be a "deny" above the permit statement you just added.  If so, remove the deny and add it back in (or leave it out as there is an implicit deny at the end of the list).
 
LVL 8

Author Comment

by: Frank McCourry
Here it is.  I've substituted our network addresses for security reasons.  It's pretty straightforward.  None of the leading deny statements contain any of our network addresses.

remark ***Denys for abuse***
 deny   ip 216.207.3.136 0.0.0.7 any
 deny   ip host 209.196.17.45 any
 deny   ip host 219.154.96.125 any
 deny   ip host 65.91.77.12 any
 deny   ip host 220.162.244.78 any
 deny   ip host 198.78.216.124 any
 deny   ip 210.124.184.0 0.0.0.255 any
 remark ***Routers***
 permit ip any host xxx.xxx.xxx.2
 permit ip any host xxx.xxx.xxx.3
 permit ip any host xxx.xxx.xxx.4
 permit ip any host xxx.xxx.xxx.5
 permit ip any host xxx.xxx.xxx.6
 permit ip any host xxx.xxx.xxx.7
 permit ip any host xxx.xxx.xxx.8
 permit ip any host xxx.xxx.xxx.9
 permit ip any host xxx.xxx.xxx.16
 remark ***FTP***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq ftp-data
 remark ***email***
 permit tcp any host xxx.xxx.xxx.131 eq 366
 permit tcp any host xxx.xxx.xxx.131 eq 587
 permit tcp any host xxx.xxx.xxx.131 eq pop3
 permit tcp any host xxx.xxx.xxx.131 eq 995
 permit tcp any host xxx.xxx.xxx.131 eq smtp
 permit tcp any host xxx.xxx.xxx.132 eq 366
 permit tcp any host xxx.xxx.xxx.132 eq 587
 permit tcp any host xxx.xxx.xxx.132 eq pop3
 permit tcp any host xxx.xxx.xxx.132 eq 995
 permit tcp any host xxx.xxx.xxx.132 eq smtp
 permit tcp any host xxx.xxx.xxx.135 eq 366
 permit tcp any host xxx.xxx.xxx.135 eq 587
 permit tcp any host xxx.xxx.xxx.135 eq pop3
 permit tcp any host xxx.xxx.xxx.135 eq 995
 permit tcp any host xxx.xxx.xxx.135 eq smtp
 remark ***monitor***
 permit udp any host xxx.xxx.xxx.128 eq syslog
 permit tcp any host xxx.xxx.xxx.122 eq 82
 remark ***DNS***
 permit udp any host xxx.xxx.xxx.104 eq domain
 permit udp any host xxx.xxx.xxx.105 eq domain
 permit tcp any host xxx.xxx.xxx.104 eq domain
 permit tcp any host xxx.xxx.xxx.105 eq domain
 remark ***WEB***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq www
 remark ***NovaStor***
 permit tcp any host xxx.xxx.xxx.125 eq 308
 remark ***Secure Web***
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 permit tcp any xxx.xxx.xxx.0 0.0.0.255 eq 443
 remark ***SQL***
 permit tcp any host xxx.xxx.xxx.121 eq 1433
 permit tcp any host xxx.xxx.xxx.127 eq 1433
 permit tcp any host xxx.xxx.xxx.143 eq 1433
 permit tcp any host xxx.xxx.xxx.153 eq 1433
 permit tcp any host xxx.xxx.xxx.160 eq 1433
 remark ***Remote Backup Server***
 permit tcp any host xxx.xxx.xxx.125 eq 2774
 permit udp any host xxx.xxx.xxx.125 eq 2774
 permit tcp any host xxx.xxx.xxx.125 range 1024 2048
 permit udp any host xxx.xxx.xxx.125 range 1024 2048
 remark ***Video Streaming***
 permit tcp any host xxx.xxx.xxx.100 eq 1755
 permit udp any host xxx.xxx.xxx.100 eq 1755
 permit tcp any host xxx.xxx.xxx.100 eq 554
 permit udp any host xxx.xxx.xxx.100 eq 5005
 remark ***MySQL***
 permit tcp any host xxx.xxx.xxx.102 eq 3306
 remark ***Terminal Services***
 permit tcp any host xxx.xxx.xxx.131 eq 3389
 permit tcp any host xxx.xxx.xxx.150 eq 3389
 permit tcp any host xxx.xxx.xxx.151 eq 3389
 permit tcp any host xxx.xxx.xxx.160 eq 3389
 remark ***Cameras***
 permit tcp any host xxx.xxx.xxx.1 eq 5120
 permit udp any host xxx.xxx.xxx.1 eq 5120
 permit udp any host xxx.xxx.xxx.51 eq 5001
 permit udp any host xxx.xxx.xxx.51 eq 5002
 permit udp any host xxx.xxx.xxx.51 eq 5003
 permit tcp any host xxx.xxx.xxx.51 eq 5001
 permit tcp any host xxx.xxx.xxx.51 eq 5002
 permit tcp any host xxx.xxx.xxx.51 eq 5003
 remark ***ICMP***
 permit icmp any any
 remark ***Reflexive Evaluate***
 evaluate tcptraffic
 
LVL 43

Expert Comment

by: JFrederick29
Access-list looks fine.  Do you have corresponding NAT entries or a 1-1 static NAT for this host?
 
LVL 10

Accepted Solution

by: ampranti (earned 200 total points)
At the bottom of the list add a statement

deny ip any any log

then initiate a connection in that port range, and check why it is blocked.
 
LVL 9

Expert Comment

by: mgonullu
I know it may seem naive, but what about using Excel to write the port numbers, then converting it to CSV and importing the commands as text into IOS (load configuration)?
 
LVL 8

Author Comment

by: Frank McCourry
JFrederick29: All of our addresses are public (shoulda said that) so there is no NAT used.
ampranti: Checking the logs does not indicate that there was anything denied.  Perhaps my software is not listening properly?

The software I am using initiates a connection on port 2774 then uses ports 1024 through 2048 for data transfer.  Kinda like a PASV FTP connection.   I would assume that just opening the ports would do the trick, but it appears that I may have to set up another reflexive list? Someone correct me if I am wrong, please!

I am assuming that both of you concur that my permit statements below should work?
 permit tcp any host xxx.xxx.xxx.125 range 1024 2048
 permit udp any host xxx.xxx.xxx.125 range 1024 2048
 
LVL 8

Author Comment

by: Frank McCourry
mgonullu: The only problem is that if I need to make changes to this list, which I do on a regular basis, it takes forever to load.  It is also processor intensive to parse a list that large, something I really want to avoid.
 
LVL 50

Expert Comment

by: Don Johnston
You could use the gt (greater than) and lt (less than) operators:

permit tcp any xxx.xxx.xxx.xxx gt 1024
deny tcp any xxx.xxx.xxx.xxx gt 2048
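Both ampranti's deny-any-any-log diagnostic and the gt/lt alternative above rest on the same rule: IOS walks an extended ACL top-down, the first matching entry decides, and anything that falls off the end hits the implicit deny. The following is an added example, not code from this thread or from Cisco, that models that evaluation in Python for the operators used here (eq, range, gt, lt, any, host, wildcard masks, a trailing log keyword); the addresses in it are constructed RFC 5737 values.

```python
# Added example, not from the thread: a first-match evaluator for the Cisco extended-ACL
# syntax used above (eq/range/gt/lt, any/host/wildcard, trailing "log", implicit deny).
import ipaddress

def _addr(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' at tok[i]; return (spec, next)."""
    if tok[i] in ("any", "host"):
        n = 1 if tok[i] == "any" else 2
        return tuple(tok[i:i + n]), i + n
    return ("wild", tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    tok = line.split()
    log = tok[-1] == "log"                  # the "deny ip any any log" diagnostic
    tok = tok[:-1] if log else tok
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst,
            "port": tuple(tok[i:]) or None, "log": log}

def _addr_match(spec, ip):
    if spec[0] in ("any", "host"):
        return spec[0] == "any" or ip == spec[1]
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec[1:])
    keep = ~wild & 0xFFFFFFFF               # a set wildcard bit means "don't care"
    return int(ipaddress.IPv4Address(ip)) & keep == net & keep

def _port_match(op, port):
    if op is None:                          # no operator (e.g. protocol ip): any port
        return True
    v = [int(x) for x in op[1:]]
    return {"eq": port == v[0], "gt": port > v[0], "lt": port < v[0],
            "range": v[0] <= port <= v[-1]}[op[0]]

def evaluate(acl, proto, src, dst, dport):
    """Top-down walk: first matching ACE wins; falling off the end is the implicit deny."""
    for line in acl:
        tok = line.split()
        if not tok or tok[0] in ("remark", "evaluate"):
            continue
        ace = parse_ace(line)
        if ace["proto"] in ("ip", proto) and _addr_match(ace["src"], src) \
                and _addr_match(ace["dst"], dst) and _port_match(ace["port"], dport):
            return ace["action"], ace["log"], line.strip()
    return "deny", False, "<implicit deny>"

# Constructed excerpt of the thread's list (RFC 5737 address), with the deny-log appended.
BACKUP_ACL = ["permit tcp any host 198.51.100.125 eq 2774",
              "permit tcp any host 198.51.100.125 range 1024 2048",
              "deny ip any any log"]
```

Because the first match wins, a permit with gt 1024 placed above a deny with gt 2048 matches every port above 1024 before the deny is ever reached; reversing the two lines yields the intended 1025 to 2048 window.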
 
LVL 10

Expert Comment

by: ampranti
ACL statement looks ok

Just a new idea:

ip inspect name myname ftp
int <outside>
    ip inspect myname in
 
LVL 9

Assisted Solution

by: mgonullu (earned 50 total points)
 
LVL 8

Author Closing Comment

by: Frank McCourry
I found the problem.  The software vendor failed to specify that there are additional ports to be opened.  I've been chasing a ghost.  However, I am awarding points because ampranti gave me a diagnostic that helped me find this error.  mgonullu gets 50 points because of the excellent resource link and confirmation that I am indeed not crazy, though some would argue....

Thanks guys!