Deny UNC path browsing
Asked by Mohammed Basheer
Hi
Is there a way to deny UNC path folder browsing at the router level? My router is a Cisco 2801. My objective is to deny users of this network browsing UNC network paths. I don't want to reconfigure any users' systems.
Thanks for any helpful comment.
Regards
You can just deny source/destination IP:PORT on routers. UNC paths like \\server\folder1\folder2 are only attributes of NTFS security in Windows and NFS on Linux.
ASKER
Thanks for that info
Would you please tell me what port should be closed and the syntax of the command?
Thanks again
The port for Windows file sharing is TCP 445, and for Linux NFS you can set it in the /etc/sysconfig/nfs file.
Let's suppose you have your LAN on fa0/0 with the network 192.168.0.0/24, and your share server has the IP address 192.168.1.2 and is located on another interface of the router.
If you want to prevent file sharing for host 192.168.0.100, for example, the syntax will be:
In config mode:
router(config)#access-list 100 deny tcp host 192.168.0.100 gt 1023 host 192.168.1.2 eq 445
router(config)#access-list 100 permit ip any any
On interface fa0/0 config:
router(config)#interface fa0/0
router(config-if)#ip access-group 100 in
If it is not clear, please send me your config so I can give you the exact config.
ASKER
rxchango, thanks for your reply.
My LAN interface is fe0/0 (192.168.4.0), and the WAN interface is fe0/1.
I want to allow users to browse UNC paths inside their network, but deny going out of the network. This is my target. The idea is that users can reach up to the head office, and while they browse the UNC and copy huge files it will kill the bandwidth. I want to avoid this situation.
Is the configuration script you sent above still applicable for me?
I appreciate your help
Here is your configuration:
Router(config)#access-list 111 deny tcp 192.168.4.0 0.0.0.255 gt 1023 any eq 445
Router(config)#access-list 111 permit ip any any
On interface fa0/0
router(config)#interface fa0/0
router(config-if)#ip access-group 111 in
This will deny LAN 192.168.4.0 from file browsing out of their network.
Remember, do not save the configuration without testing it; if there is a problem you just restart the router. If everything is OK after the configuration change, then save it.
Hope it helps
ASKER
Thanks for the configuration, i will test it and get back you.
ASKER
What's the 'gt 1023' in the above configuration?
it means the source port greater than 1023
ASKER
Thanks for that. Please let me know why that should be added? Can't the 445 port be blocked specifically? Sorry for my ignorance.
You need to block the destination, not the source. The source is any eq 445. The source ports are the ports used by the application to establish a connection, and by default they are greater than 1023. So, for example, one of your file sharing connections might be:
192.168.4.30:1025 <----> x.x.x.x:445
Sorry, the destination is "any eq 445".
ASKER
My IP address on the interface is as follows: 192.168.4.1 255.255.255.0. So should I change the subnet in the access list also, or keep 0.0.0.255?
Just copy-paste the configuration I sent you.
ASKER
Thank you, I will update you once I apply this.
ASKER
Hi,
I have done the same as you instructed. Still the users can browse UNC paths outside of the network. I enter \\<outside ip of my file server> in the Start > Run prompt, and it still opens the password prompt and the folders.
I have not saved the config. What am I missing?
Can you post the configuration of your router? Just run show running-config and copy-paste the config.
Remove the passwords from the config so that nobody on this forum can see your private info. And please, what IP address is your file server?
ASKER
Thanks. Here is the config:
Building configuration...
Current configuration : 2197 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxxx
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-15.T.bin
boot-end-marker
!
!
no aaa new-model
memory-size iomem 25
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.9.2 192.168.9.20
ip dhcp excluded-address 192.168.9.200 192.168.9.230
!
ip dhcp pool mypool
network 192.168.9.0 255.255.255.0
default-router 192.168.9.1
domain-name xxxxxxxxxxxx
dns-server 192.168.200.2
lease infinite
!
!
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
!
interface FastEthernet0/0
ip address 192.168.9.1 255.255.255.0
ip access-group 111 in
ip tcp adjust-mss 1300
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.9
encapsulation dot1Q 9
ip address 10.11.12.6 255.255.255.252
!
interface ATM0/3/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
ip address negotiated
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username
!
router eigrp 55
network 10.11.12.4 0.0.0.3
network 192.168.9.0
auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0 190
!
!
no ip http server
no ip http secure-server
!
access-list 111 deny tcp 192.168.9.0 0.0.0.255 gt 1023 any eq 445
access-list 111 permit ip any any
snmp-server community public RO
snmp-server enable traps tty
!
!
control-plane
!
!
line con 0
logging synchronous
login local
transport preferred none
line aux 0
line vty 0 4
logging synchronous
login local
transport preferred none
!
scheduler allocate 20000 1000
!
webvpn cef
end
OK, change the first line of the access-list to:
First delete the access-list:
router(config)#no access-list 111
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 permit ip any any
And please tell me in what network your file server is located.
ASKER
The file server is at 192.168.200.0.
OK, then make the change I gave you; just copy-paste the config. All the other config looks fine.
ASKER
No luck, still the same! The user can access the folders even after the configuration you gave is applied. Do I need to close port 135 also? I have read that somewhere. If I close this, what are the consequences? How do I block that also?
Thanks
Just add another row in the access-list 111 like below:
router(config)#no access-list 111
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 138
router(config)#access-list 111 permit ip any any
Sorry:
router(config)#no access-list 111
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 135
router(config)#access-list 111 deny udp 192.168.9.0 0.0.0.255 any eq 135
router(config)#access-list 111 permit ip any any
ASKER
Still no luck.
On the internal interface, should the access list entry be 'in' or 'out'? It is 'in' now.
Thanks
Can you please type on the router:
sh ip route 192.168.200.2
and send me the output.
ASKER
show ip route 192.168.100.2
Routing entry for 192.168.200.0/24
Known via "eigrp 55", distance 170, metric 30720, type external
Redistributing via eigrp 55
Last update from 10.11.12.5 on FastEthernet0/1.9, 1d22h ago
Routing Descriptor Blocks:
* 10.11.12.5, from 10.11.12.5, 1d22h ago, via FastEthernet0/1.9
Route metric is 30720, traffic share count is 1
Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
Reliability 247/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
ASKER CERTIFIED SOLUTION
ASKER
Yes!
That did the trick.
Thanks for your time and effort. I would like to know which of the above 4 lines is actually in action now?
Thanks again
You can see which one has matches with the "sh access-list 111" command.
ASKER
These are the matches:
10 deny tcp 192.168.9.0 0.0.0.255 any eq 445 (5 matches)
20 deny tcp 192.168.9.0 0.0.0.255 eq 445 any
30 deny tcp 192.168.9.0 0.0.0.255 any eq 139 (16 matches)
40 deny tcp 192.168.9.0 0.0.0.255 eq 139 any
50 permit ip any any (38463 matches)
Does it mean I can safely remove the second and 4th lines?
It means that these two rows do the trick. It is needed to block two ports, 139 and 445:
10 deny tcp 192.168.9.0 0.0.0.255 any eq 445 (5 matches)
10 deny tcp 192.168.9.0 0.0.0.255 any eq 139 (5 matches)
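To make the reasoning in this thread concrete (the source-port explanation behind 'gt 1023', and the final access-list 111 that denies TCP 445 and 139 from 192.168.9.0/24 while permitting everything else), here is an added Python model of how an inbound Cisco extended ACL classifies a connection. It is illustrative code written for this page, not IOS and not anything posted by rxchango; the Ace class, the evaluate and router_sees helpers and the sample flows are all constructed here.

```python
"""Model of a Cisco extended ACL applied inbound on a LAN interface.

Constructed for illustration; mirrors the matching rules of IOS numbered
extended ACLs (first match wins, implicit deny at the end) closely enough
to show why the thread's final ACL 111 works and why intra-LAN browsing
is unaffected by it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

PortSpec = Optional[Tuple[str, int]]   # e.g. ("eq", 445), ("gt", 1023), or None


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'deny tcp 192.168.9.0 0.0.0.255 any eq 445'."""
    action: str            # "deny" or "permit"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: str               # "any" or "address wildcard" (Cisco wildcard mask)
    src_port: PortSpec = None
    dst: str = "any"
    dst_port: PortSpec = None


def addr_matches(spec: str, ip: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    base_i, wc_i, ip_i = (int(IPv4Address(x)) for x in (base, wildcard, ip))
    return (base_i & ~wc_i) == (ip_i & ~wc_i)


def port_matches(spec: PortSpec, port: int) -> bool:
    if spec is None:           # no port qualifier: any port matches
        return True
    op, value = spec
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (action, ace_index) of the first matching ACE.

    An ACL with no match ends in the implicit 'deny', reported as index None.
    """
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (addr_matches(ace.src, src_ip) and addr_matches(ace.dst, dst_ip)):
            continue
        if ace.proto != "ip" and not (port_matches(ace.src_port, src_port)
                                      and port_matches(ace.dst_port, dst_port)):
            continue
        return ace.action, i
    return "deny", None


def router_sees(src_ip: str, dst_ip: str, lan: str = "192.168.9.0/24") -> bool:
    """Hosts on the same LAN subnet talk directly over the switch, so the
    router's inbound ACL never sees that traffic.  Only routed flows are
    subject to ACL 111, which is why intra-LAN UNC browsing keeps working."""
    net = IPv4Network(lan)
    return not (IPv4Address(src_ip) in net and IPv4Address(dst_ip) in net)


LAN = "192.168.9.0 0.0.0.255"

# The final ACL from the thread (the rows that showed matches in 'sh access-list 111').
ACL_111 = [
    Ace("deny", "tcp", LAN, None, "any", ("eq", 445)),   # SMB direct over TCP
    Ace("deny", "tcp", LAN, None, "any", ("eq", 139)),   # SMB over NetBIOS session
    Ace("permit", "ip", "any"),                           # everything else
]

# The earlier attempt that only denied 445 (leaves the 139 path open).
ACL_445_ONLY = [ACL_111[0], ACL_111[2]]

# Constructed sample flows: (proto, src_ip, src_port, dst_ip, dst_port).
FLOWS = {
    "smb445_to_head_office": ("tcp", "192.168.9.30", 1025, "192.168.200.2", 445),
    "smb139_to_head_office": ("tcp", "192.168.9.30", 1026, "192.168.200.2", 139),
    "http_to_internet":      ("tcp", "192.168.9.30", 1027, "198.51.100.10", 80),
    "dns_to_head_office":    ("udp", "192.168.9.30", 1028, "192.168.200.2", 53),
}


def classify(acl=ACL_111):
    """Action taken on each sample flow by the given ACL."""
    return {name: evaluate(acl, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, action in classify().items():
        print(f"{name:24s} -> {action}")
    print("445-only ACL on the 139 flow ->", classify(ACL_445_ONLY)["smb139_to_head_office"])
    print("router sees LAN-to-LAN share? ", router_sees("192.168.9.30", "192.168.9.50"))
```

Two things the model makes visible: first, the rows for 'eq 445 any' in the asker's output never match because an SMB client's source port is ephemeral, not 445, which is the point rxchango was making about 'gt 1023'; second, denying 445 alone leaves the NetBIOS session path on TCP 139 open, so both rows are needed, as the match counters confirmed. Note that IOS extended ACLs are stateless, so ACL 111 inbound on fa0/0 only judges packets leaving the LAN; that is sufficient here because the client's SYN is what opens the connection.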
ASKER
God bless you, everything is in order now. Thanks for your sincere help..:)
ASKER
Nice support! thanks to EE and rxchango