Deny UNC path browsing

Hi
Is there a way to deny UNC path folder browsing at the router level? My router is a Cisco 2801. My objective is to deny users of this network browsing UNC network paths. I don't want to reconfigure any user's system.

Thanks for any helpful comment.

Regards

BasheerptAsked:

rxhangoCommented:
OK, last chance, try this config:

router(config)#no access-list 111
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 eq 445 any
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 139
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 eq 139 any
router(config)#access-list 111 permit ip any any
0
 
rxhangoCommented:
You can just deny source/destination IP:PORT on routers. UNC paths like \\server\folder1\folder2 are only attributes of NTFS security in Windows and NFS in Linux.
0
 
BasheerptAuthor Commented:
Thanks for that info
Would you please tell me what port should be closed and the syntax of the command?
Thanks again
0
 
rxhangoCommented:
The port for Windows file sharing is TCP 445, and for Linux NFS you can set it in the /etc/sysconfig/nfs file.
0
 
rxhangoCommented:
Let's suppose you have your LAN on fa0/0 with the config 192.168.0.0/24, and your share server has the IP address 192.168.1.2 and is located on another interface of the router.

If you want to prevent file sharing for host 192.168.0.100, for example, the syntax will be:

In config mode:
router(config)#access-list 100 deny tcp host 192.168.0.100 gt 1023 host 192.168.1.2 eq 445
router(config)#access-list 100 permit ip any any

On interface fa0/0 config:
router(config)#interface fa0/0
router(config-if)#ip access-group 100 in

If it is not clear, please send me your config so I can give you the exact config.
0
 
BasheerptAuthor Commented:
rxhango, thanks for your reply.
My LAN interface is fe0/0 (192.168.4.0), the WAN interface is fe0/1.
I want to allow users to browse UNC paths inside their network, but deny going out of the network. This is my target. The idea is, users can reach up to the head office, and while they browse the UNC and copy huge files it will kill the bandwidth. I want to avoid this situation.

Is the configuration script you sent above still applicable for me?

I appreciate your help
0
 
rxhangoCommented:
Here is your configuration:

Router(config)#access-list 111 deny tcp 192.168.4.0 0.0.0.255 gt 1023 any eq 445
Router(config)#access-list 111 permit ip any any


On interface fa0/0

router(config)#interface fa0/0
router(config-if)#ip access-group 111 in

This will deny LAN 192.168.4.0 file browsing outside of their network.


Remember, do not save the configuration without testing it; if there is a problem you can just restart the router. If everything is OK after the configuration change, then save it.

Hope it helps

0
 
BasheerptAuthor Commented:
Thanks for the configuration, i will test it and get back you.
0
 
BasheerptAuthor Commented:
What's the 'gt 1023' in the above configuration?
0
 
rxhangoCommented:
It means the source port is greater than 1023.
0
 
BasheerptAuthor Commented:
Thanks for that. Please let me know why that should be added? Can't port 445 be blocked specifically? Sorry for my ignorance.
0
 
rxhangoCommented:
You need to block the destination, not the source. The source is any eq 445. The source ports are the ports used by the application to establish a connection, and by default they are greater than 1023. So, for example, one of your file sharing connections might be:

192.168.4.30:1025 <----> x.x.x.x:445
0
 
rxhangoCommented:
Sorry the destination is "any eq 445"
0
 
BasheerptAuthor Commented:
My IP address on the interface is as follows: 192.168.4.1 255.255.255.0. So should I change the subnet in the access list also, or keep 0.0.0.255?
0
 
rxhangoCommented:
Just copy and paste the configuration I sent you.
0
 
BasheerptAuthor Commented:
Thank you, I will update you once I apply this.
0
 
BasheerptAuthor Commented:
Hi,
I have done the same as you instructed. Still the users can browse UNC paths outside of the network. I enter \\<outside ip of my file server> in the Start > Run prompt, and it still opens the password prompt and the folders.

I have not saved the config. What am I missing?

0
 
rxhangoCommented:
Can you post the configuration of your router? Just run show running-config and copy and paste the config.
Remove the passwords from the config so no one on this forum can see your private info. And please, what IP address is your file server?
0
 
BasheerptAuthor Commented:
Thanks. Here is the code:

Building configuration...

Current configuration : 2197 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxxx
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-15.T.bin
boot-end-marker
!
!
no aaa new-model
memory-size iomem 25
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.9.2 192.168.9.20
ip dhcp excluded-address 192.168.9.200 192.168.9.230
!
ip dhcp pool mypool
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
   domain-name xxxxxxxxxxxx
   dns-server 192.168.200.2 
   lease infinite
!
!
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.9.1 255.255.255.0
 ip access-group 111 in
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.9
 encapsulation dot1Q 9
 ip address 10.11.12.6 255.255.255.252
!
interface ATM0/3/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
 pvc 0/35 
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username 
!
router eigrp 55
 network 10.11.12.4 0.0.0.3
 network 192.168.9.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0 190
!
!
no ip http server
no ip http secure-server
!
access-list 111 deny   tcp 192.168.9.0 0.0.0.255 gt 1023 any eq 445
access-list 111 permit ip any any
snmp-server community public RO
snmp-server enable traps tty
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
transport preferred none
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport preferred none
!
scheduler allocate 20000 1000

!
webvpn cef
end

0
 
rxhangoCommented:
OK, change the first line of the access-list to the following.

First delete the access-list:
router(config)#no access-list 111

router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 permit ip any any

And please tell me in what network your file server is located.


0
 
BasheerptAuthor Commented:
The file server is at 192.168.200.0.
0
 
rxhangoCommented:
OK, then make the change I gave you; just copy and paste the config. All the other config looks fine.
0
 
BasheerptAuthor Commented:
No luck, still the same! The user can access the folders even after the configuration you gave was applied. Do I need to close port 135 also? I have read that somewhere. If I close this, what are the consequences? How do I block that also?

Thanks
0
 
rxhangoCommented:
Just add another row in the access-list 111 like below:

router(config)#no access-list 111

router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 138
router(config)#access-list 111 permit ip any any
0
 
rxhangoCommented:
Sorry:

router(config)#no access-list 111

router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 445
router(config)#access-list 111 deny tcp 192.168.9.0 0.0.0.255 any eq 135
router(config)#access-list 111 deny udp 192.168.9.0 0.0.0.255 any eq 135
router(config)#access-list 111 permit ip any any
0
 
BasheerptAuthor Commented:
Still no luck.
On the internal interface, should the access-list entry be 'in' or 'out'? It is 'in' now.

Thanks
0
 
rxhangoCommented:
Can you please type on the router:

sh ip route 192.168.200.2

and send me the output?
0
 
BasheerptAuthor Commented:
show ip route 192.168.100.2
Routing entry for 192.168.200.0/24
  Known via "eigrp 55", distance 170, metric 30720, type external
  Redistributing via eigrp 55
  Last update from 10.11.12.5 on FastEthernet0/1.9, 1d22h ago
  Routing Descriptor Blocks:
  * 10.11.12.5, from 10.11.12.5, 1d22h ago, via FastEthernet0/1.9
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 247/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
0
 
BasheerptAuthor Commented:
Yes!
That did the trick.
Thanks for your time and effort. I would like to know which of the above 4 lines is actually in action now?

Thanks again
0
 
rxhangoCommented:
You can see which one has matches with the "sh access-list 111" command.
0
 
BasheerptAuthor Commented:
These are the matches:
    10 deny tcp 192.168.9.0 0.0.0.255 any eq 445 (5 matches)
    20 deny tcp 192.168.9.0 0.0.0.255 eq 445 any
    30 deny tcp 192.168.9.0 0.0.0.255 any eq 139 (16 matches)
    40 deny tcp 192.168.9.0 0.0.0.255 eq 139 any
    50 permit ip any any (38463 matches)

Does it mean I can safely remove the second and 4th lines?
0
 
rxhangoCommented:
It means that these two rows do the trick. It is needed to block two ports, 139 and 445:

    10 deny tcp 192.168.9.0 0.0.0.255 any eq 445 (5 matches)
       10 deny tcp 192.168.9.0 0.0.0.255 any eq 139 (5 matches)

0
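To see why the single-port attempt failed and the two-port version works, here is an added example (not from the thread or from Cisco) of a small first-match evaluator for the extended ACL syntax used above, run against constructed SMB flows. The flow addresses and ephemeral ports are assumed sample values; the access-list entries are copied from the thread.

```python
import ipaddress

# Constructed copy of the final access-list 111 from the thread (applied "in" on fa0/0).
ACL_111 = [
    "deny tcp 192.168.9.0 0.0.0.255 any eq 445",
    "deny tcp 192.168.9.0 0.0.0.255 eq 445 any",
    "deny tcp 192.168.9.0 0.0.0.255 any eq 139",
    "deny tcp 192.168.9.0 0.0.0.255 eq 139 any",
    "permit ip any any",
]
ONLY_445 = [ACL_111[0], ACL_111[4]]   # the earlier attempt that still let users browse

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the token list; return (net, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def _port(tok):
    """Optional 'eq N' / 'gt N' / 'lt N' qualifier; None means any port."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        return tok.pop(0), int(tok.pop(0))
    return None

def _match_addr(spec, ip):
    net, wild = spec
    return (ip ^ net) & (~wild & 0xFFFFFFFF) == 0   # bits where the wildcard is 0 must match

def _match_port(spec, port):
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]

def parse_ace(line):
    """Parse 'deny|permit <proto> <src> [port] <dst> [port]' into a tuple."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, sport = _addr(rest), _port(rest)    # left-to-right: address then its port qualifier
    dst, dport = _addr(rest), _port(rest)
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, sip, sport, dip, dport):
    """Return the action of the first matching entry; Cisco ACLs end in an implicit deny."""
    s, d = int(ipaddress.IPv4Address(sip)), int(ipaddress.IPv4Address(dip))
    for action, p, src, sp, dst, dp in map(parse_ace, acl):
        if p in ("ip", proto) and _match_addr(src, s) and _match_port(sp, sport) \
                and _match_addr(dst, d) and _match_port(dp, dport):
            return action
    return "deny"
```

With only the 445 entry, a client that falls back to NetBIOS session service on TCP 139 is still permitted, which is what the thread observed; the ACL also evaluates to deny for a LAN-to-LAN SMB flow, but such same-subnet traffic is switched and never reaches the inbound ACL on fa0/0, so internal browsing keeps working.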
 
BasheerptAuthor Commented:
God bless you, everything is in order now. Thanks for your sincere help. :)
0
 
BasheerptAuthor Commented:
Nice support! Thanks to EE and rxhango.
0