Deny UNC path browsing

Mohammed Basheer asked:

Hi
Is there a way to deny UNC path folder browsing at the router level? My router is a Cisco 2801. My objective is to deny users of this network browsing UNC network paths. I don't want to reconfigure any users' systems.

Thanks for any helpful comments.

Regards

rxhango:

You can just deny source/destination IP:PORT on routers. UNC paths like \\server\folder1\folder2 are only attributes of NTFS security in Windows and NFS on Linux.
Mohammed Basheer (asker):

Thanks for that info.
Would you please tell me what port should be closed and the syntax of the command?
Thanks again.

The port for Windows file sharing is TCP 445, and for Linux NFS you can set it in the /etc/sysconfig/nfs file.
Let's suppose you have your LAN on fa0/0 with 192.168.0.0/24, and your share server has the IP address 192.168.1.2 and is located on another interface of the router.

If you want to prevent file sharing for host 192.168.0.100, for example, the syntax will be:

In config mode (deny SMB from that host to the share server, then permit everything else so the implicit deny at the end of the list does not drop all other traffic):
router(config)#access-list 100 deny tcp host 192.168.0.100 gt 1023 host 192.168.1.2 eq 445
router(config)#access-list 100 permit ip any any

On interface fa0/0:
router(config)#interface fa0/0
router(config-if)#ip access-group 100 in

If it is not clear, please send me your config so I can give you the exact config.

rxhango, thanks for your reply.
My LAN interface is fe0/0 (192.168.4.0), WAN interface is fe0/1.
I want to allow users to browse UNC paths inside their network, but deny going out of the network. This is my target. The idea is that users can reach up to the head office, and while they browse the UNC paths and copy huge files it will kill the bandwidth. I want to avoid this situation.

Is the above configuration script you sent still applicable for me?

I appreciate your help.

Here is your configuration:

Router(config)#access-list 111 deny tcp 192.168.4.0 0.0.0.255 gt 1023 any eq 445
Router(config)#access-list 111 permit ip any any


On interface fa0/0:

router(config)#interface fa0/0
router(config-if)#ip access-group 111 in

This will deny LAN 192.168.4.0 file browsing outside their network.


Remember, do not save the configuration without testing it; if there is a problem, you just restart the router. If everything is OK after the configuration change, then save it.

Hope it helps.

Thanks for the configuration, I will test it and get back to you.
What's the 'gt 1023' in the above configuration?

It means the source port is greater than 1023.

Thanks for that. Please let me know why that should be added. Can't port 445 be blocked specifically? Sorry for my ignorance.

You need to block the destination, not the source. The source is any eq 445. The source ports are the ports used by the application to establish a connection, and by default they are greater than 1023. So, for example, one of your file sharing connections might be:

192.168.4.30:1025 <----> x.x.x.x:445
Sorry, the destination is "any eq 445".

My IP address on the interface is as follows: 192.168.4.1 255.255.255.0. So should I change the subnet in the access list also, or keep 0.0.0.255?

Just copy and paste the configuration I sent you.

Thank you, I will update you once I apply this.

Hi,
I have done the same as you instructed. Still the users can browse UNC paths outside of the network. I enter \\<outside IP of my file server> in the Start > Run prompt, and it still opens the password prompt and the folders.

I have not saved the config. What am I missing?

Can you post the configuration of your router? Just run show running-config and copy and paste the config.
Remove the passwords from the config so that no one on this forum can see your private info. And please, what is the IP address of your file server?

Thanks. Here is the config:

Building configuration...

Current configuration : 2197 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxxx
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-15.T.bin
boot-end-marker
!
!
no aaa new-model
memory-size iomem 25
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.9.2 192.168.9.20
ip dhcp excluded-address 192.168.9.200 192.168.9.230
!
ip dhcp pool mypool
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
   domain-name xxxxxxxxxxxx
   dns-server 192.168.200.2 
   lease infinite
!
!
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.9.1 255.255.255.0
 ip access-group 111 in
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.9
 encapsulation dot1Q 9
 ip address 10.11.12.6 255.255.255.252
!
interface ATM0/3/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
 pvc 0/35 
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username 
!
router eigrp 55
 network 10.11.12.4 0.0.0.3
 network 192.168.9.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0 190
!
!
no ip http server
no ip http secure-server
!
access-list 111 deny   tcp 192.168.9.0 0.0.0.255 gt 1023 any eq 445
access-list 111 permit ip any any
snmp-server community public RO
snmp-server enable traps tty
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
transport preferred none
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport preferred none
!
scheduler allocate 20000 1000

!
webvpn cef
end


OK, change the first line of the access-list to:

First delete the access-list:
router(config)#no access-list 111

router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 permit ip any any

And please tell me in what network your file server is located.

The file server is at 192.168.200.0.

OK. Then make the change I gave you; just copy and paste the config. All the other config looks fine.

No luck, still the same! The user can access the folders even after the configuration you gave is applied. Do I need to close port 135 also? I have read that somewhere. If I close this, what are the consequences? How do I block that also?

Thanks
Just add another row in access-list 111 like below:

router(config)#no access-list 111

router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 138
router(config)#access-list 111 permit ip any any

Sorry:

router(config)#no access-list 111

router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 135
router(config)#access-list 111 deny udp 192.168.9.0 0.0.0.255 any eq 135
router(config)#access-list 111 permit ip any any

Still no luck.
On the internal interface, should the access-list entry be 'in' or 'out'? It is 'in' now.

Thanks
Can you please type on the router

sh ip route 192.168.200.2

and send me the output.

show ip route 192.168.200.2
Routing entry for 192.168.200.0/24
  Known via "eigrp 55", distance 170, metric 30720, type external
  Redistributing via eigrp 55
  Last update from 10.11.12.5 on FastEthernet0/1.9, 1d22h ago
  Routing Descriptor Blocks:
  * 10.11.12.5, from 10.11.12.5, 1d22h ago, via FastEthernet0/1.9
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 247/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
ASKER CERTIFIED SOLUTION (rxhango)

Yes!
That did the trick.
Thanks for your time and effort. I would like to know which of the above 4 lines are actually in action now?

Thanks again
You can see which one has matches with the "sh access-list 111" command.

These are the matches:
    10 deny tcp 192.168.9.0 0.0.0.255 any eq 445 (5 matches)
    20 deny tcp 192.168.9.0 0.0.0.255 eq 445 any
    30 deny tcp 192.168.9.0 0.0.0.255 any eq 139 (16 matches)
    40 deny tcp 192.168.9.0 0.0.0.255 eq 139 any
    50 permit ip any any (38463 matches)

Does it mean I can safely remove the second and 4th lines?

It means that these two rows do the trick. It is needed to block two ports, 139 and 445:

    10 deny tcp 192.168.9.0 0.0.0.255 any eq 445 (5 matches)
    30 deny tcp 192.168.9.0 0.0.0.255 any eq 139 (16 matches)

God bless you, everything is in order now. Thanks for your sincere help. :)
Nice support! Thanks to EE and rxhango.