• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 864

Cisco Port Block 3560

Hello, I've a Cisco 3560 router and it is connected to the internet from fa0/46.
I have a switch on fa0/46 and I want to block an IP for some ports on fa0/45.

I checked and the Cisco 3560 has no command for "ip access-group 101 out"; it has only the in option.

Besides this, when I do the first code it does not work.
When I do only the second code it blocks all the port's IP addresses for any port.


How should I overcome this issue? What could the problem be?

First:

access-list 103 permit ip any any
access-list 103 deny ip any host 77.223.156.156 
access-list 103 deny icmp any host 77.223.156.156 
access-list 103 deny tcp any host 77.223.156.156 eq 3306
access-list 103 permit tcp any host 77.223.156.156 eq 80 
access-list 103 permit tcp any host 77.223.156.156 eq 21
access-list 103 permit tcp any host 77.223.156.156 eq 23
access-list 103 permit tcp any host 77.223.156.156 eq 110
access-list 103 permit tcp any host 77.223.156.156 eq 25
access-list 103 permit tcp any host 77.223.156.156 eq 443
access-list 103 permit tcp any host 77.223.156.156 eq 3389
access-list 103 permit tcp any host 77.223.156.156 eq 53
access-list 103 permit udp any host 77.223.156.156 eq 53
int fast 0/45 
ip access-group 103 in

Second:

access-list 103 deny icmp any host 77.223.156.156 

int fast 0/45 
ip access-group 103 in


Asked: 3XLcom

1 Solution
 
SouljaCommented:
Don't you already have a question open regarding this?
 
3XLcomAuthor Commented:
It has gone with lots of answers without any correct one, so I opened a clearer one!! I will close it. Please write if you have an answer; this is an emergency.
 
SouljaCommented:
Please better explain your network setup. What is connected to what? Provide more details. We can't see what you are looking at.
 
3XLcomAuthor Commented:
This is my standard router config;
the main input is fas0/46.

The IP address is assigned to a machine on 0/45.

That is all.
Cisco.ROUTER.Com.Tr#show running-config
Building configuration...

Current configuration : 9008 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco.ROUTER.Com.Tr
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$IX6Y$tYfuOGmsp.gcWUTH9yimO/
enable password gbc*1283
!
username admin password 0 xxxxxxxxx
username root password 0 xxxxxxxxx
!
!
no aaa new-model
system mtu routing 1500
vtp domain ROUTER.com.tr
vtp mode transparent
authentication mac-move permit
ip subnet-zero
ip routing
!
!
!
mls qos
!
crypto pki trustpoint TP-self-signed-1446943872
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1446943872
 revocation-check none
 rsakeypair TP-self-signed-1446943872
!
!
crypto pki certificate chain TP-self-signed-1446943872
 certificate self-signed 01
  quit
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name GeneralInput
!
vlan 99
 name Local
!
vlan 100
 name Internet
!
!
!
interface Loopback0
 no ip address
!
interface Loopback3
 no ip address
!
interface FastEthernet0/1
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/25
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/26
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/27
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/28
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/29
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/30
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/31
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/32
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/33
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/34
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/35
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/36
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/37
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/38
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/39
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/40
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/41
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/42
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/43
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/44
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/45
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/46
 switchport access vlan 100
!
interface FastEthernet0/47
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/48
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
!
interface Vlan99
 ip address xx.xx.xx.1 255.255.255.0
!
interface Vlan100
 ip address 91.191.170.50 255.255.255.252
!
ip default-gateway 91.191.170.49
ip classless
ip route 0.0.0.0 0.0.0.0 91.191.170.49
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
access-list 103 deny   icmp any host xx.xx.xx.156
access-list dynamic-extended
snmp-server community ROUTER RW
snmp-server community ROUTER RW
snmp-server location Izmir, Ege, TR
snmp-server contact Cahit Eyigunlu - Network Admin - 553-8166268
snmp-server chassis-id Cisco3600-Router
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps rep
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps event-manager
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps energywise
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host xx.xx.xx.7 version 2c ROUTER
!
!
line con 0
line vty 0 4
 password xxxxxxxxx
 login local
 transport input ssh
line vty 5 15
 password xxxxxxxxx
 login
 transport input ssh
line vty 5 15
 password xxxxxxxxx
 login
 transport input ssh
!
end

 
SouljaCommented:
Okay, so are you trying to restrict traffic to the device sitting on port 45 or traffic from the device on port 45?
 
3XLcomAuthor Commented:
Exactly, yes. For only one IP, not for all IP addresses on the 45th port.

 
SouljaCommented:
What exactly is connected to port 45? And you didn't answer my question. Are you restricting traffic FROM the device or TO the device. Which one?
 
3XLcomAuthor Commented:
Sir, there is an L2 switch connected to PORT45 and it has 12 servers connected to this switch.
I want to restrict the traffic from the Cisco depending on the IP address.

 
SouljaCommented:
If you have a switch connected to that port, I would suggest creating an ACL applied to the vlan 99 interface instead of the port. This way you have the option of applying it inbound or outbound.
 
3XLcomAuthor Commented:
So could you provide me a sample ACL for int fast 0/45 to block all ports except the given IP addresses below:
access-list 103 permit tcp any host 77.223.156.156 eq 80
access-list 103 permit tcp any host 77.223.156.156 eq 21
access-list 103 permit tcp any host 77.223.156.156 eq 23
access-list 103 permit tcp any host 77.223.156.156 eq 110
access-list 103 permit tcp any host 77.223.156.156 eq 25
access-list 103 permit tcp any host 77.223.156.156 eq 443
access-list 103 permit tcp any host 77.223.156.156 eq 3389
access-list 103 permit tcp any host 77.223.156.156 eq 53
access-list 103 permit udp any host 77.223.156.156 eq 53

for the specific IP address

 
3XLcomAuthor Commented:
Check this out please. I have added only permit access rules to the 103, then I have attached it to vlan 99 for in and for out; both of them cut all the network. You should see it from the ping windows.
Attachment: cisco.png
 
SouljaCommented:
Several questions:

- Do you want to allow other devices on vlan 99 to be able to communicate to this server openly?
- Do you want the other servers on the switch to be able to communicate with this server openly?
- Are you only trying to restrict access to that server from other vlans? or from what?
 
3XLcomAuthor Commented:
- Do you want to allow other devices on vlan 99 to be able to communicate to this server openly? YES, there are 15 servers on vlan 99.

- Do you want the other servers on the switch to be able to communicate with this server openly? Yes.

- Are you only trying to restrict access to that server from other vlans? or from what?

This IP is given to a virtual machine OS, and it is getting attacked on some ports, so I just want to block all ports for only one IP address. THIS IS ALL.
There are other servers on the same port using IP addresses from the same C class.

Do you have any other question?

I JUST WANT TO BLOCK ONE IP ADDRESS'S PORTS FOR INCOMING CONNECTIONS FROM THE INTERNET.

I do not know how I should be more clear.
 
3XLcomAuthor Commented:
Please help, this is an emergency. I just want to block connections that come to this IP from the global network - internet - for all ports except the given ones.
It is no problem whether the same ports are blocked or not on the local network.
 
SouljaCommented:
Try adding:

access-list 103 permit tcp any any established


then

interface vlan 100
ip access-group 103 in

This will be applied on your outside interface. Let me know your results.
 
3XLcomAuthor Commented:
Result is the same: 77.223.156.156 and 77.223.156.152 are both affected by the access list.

This is what I wrote into access-list 103:

access-list 103 permit tcp any host 77.223.156.156 eq 80
access-list 103 permit tcp any host 77.223.156.156 eq 21
access-list 103 permit tcp any host 77.223.156.156 eq 23
access-list 103 permit tcp any host 77.223.156.156 eq 110
access-list 103 permit tcp any host 77.223.156.156 eq 25
access-list 103 permit tcp any host 77.223.156.156 eq 443
access-list 103 permit tcp any host 77.223.156.156 eq 3389
access-list 103 permit tcp any host 77.223.156.156 eq 53
access-list 103 permit udp any host 77.223.156.156 eq 53
access-list 103 permit tcp any any established

and all connections are gone for the network, I mean all Cisco ports are affected by the ACL.
Attachment: cisco2.png
 
3XLcomAuthor Commented:
And this is the result of show access-lists:

Cisco.xxxx.Com.xx#show access-lists
Extended IP access list 103
    10 permit tcp any host 77.223.156.156 eq www
    20 permit tcp any host 77.223.156.156 eq ftp
    30 permit tcp any host 77.223.156.156 eq telnet
    40 permit tcp any host 77.223.156.156 eq pop3
    50 permit tcp any host 77.223.156.156 eq smtp
    60 permit tcp any host 77.223.156.156 eq 443
    70 permit tcp any host 77.223.156.156 eq 3389
    80 permit tcp any host 77.223.156.156 eq domain
    90 permit udp any host 77.223.156.156 eq domain
    100 permit tcp any any established (37 matches)
 
SouljaCommented:
Okay, remove the ACL from the interface vlan 100.

And try:

access-list 103 permit tcp any host 77.223.156.156 eq 80
access-list 103 permit tcp any host 77.223.156.156 eq 21
access-list 103 permit tcp any host 77.223.156.156 eq 23
access-list 103 permit tcp any host 77.223.156.156 eq 110
access-list 103 permit tcp any host 77.223.156.156 eq 25
access-list 103 permit tcp any host 77.223.156.156 eq 443
access-list 103 permit tcp any host 77.223.156.156 eq 3389
access-list 103 permit tcp any host 77.223.156.156 eq 53
access-list 103 permit udp any host 77.223.156.156 eq 53
access-list 103 deny ip any host 77.223.156.156
access-list 103 permit ip any any


interface vlan 99
ip access-group 103 out
 
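Why the earlier attempts behaved as they did comes down to two IOS ACL rules: entries are evaluated top to bottom and the first match decides, and every ACL ends with an implicit deny. The Python simulator below is an added example (not from this thread or from Cisco IOS); it replays the ACL variants posted above against constructed packets, and the names `Packet`, `parse_ace` and `acl_decision` are chosen here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                  # constructed test packet, not captured traffic
    proto: str                 # "tcp", "udp" or "icmp"
    dst: str                   # destination IPv4 address
    dport: int = 0             # destination port (0 for icmp)
    ack: bool = False          # ACK/RST set, i.e. part of an "established" TCP flow

def parse_ace(line):
    """Parse 'access-list N permit|deny proto any any|host A.B.C.D [eq port] [established]'."""
    t = line.split()
    action, proto, i = t[2], t[3], 5          # t[4] is the source, 'any' throughout this thread
    dst = t[i + 1] if t[i] == "host" else None
    i += 2 if dst else 1
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return action, proto, dst, port, "established" in t

def acl_decision(acl, pkt):
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for line in acl:
        action, proto, dst, port, est = parse_ace(line)
        if proto not in ("ip", pkt.proto):    # 'ip' matches every protocol
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if port is not None and port != pkt.dport:
            continue
        if est and not pkt.ack:               # 'established' needs ACK or RST set
            continue
        return action
    return "deny"

SERVER = "77.223.156.156"
PERMITS = [f"access-list 103 permit tcp any host {SERVER} eq {p}"
           for p in (80, 21, 23, 110, 25, 443, 3389, 53)]
PERMITS.append(f"access-list 103 permit udp any host {SERVER} eq 53")

# Attempt 1: 'permit ip any any' comes first, so no line below it is ever reached.
FIRST = ["access-list 103 permit ip any any",
         f"access-list 103 deny ip any host {SERVER}",
         f"access-list 103 deny tcp any host {SERVER} eq 3306"] + PERMITS
# Attempt 2: a lone deny, so every other packet falls through to the implicit deny.
SECOND = [f"access-list 103 deny icmp any host {SERVER}"]
# Attempt 3: permits plus 'established'; new inbound connections to other hosts still die.
ESTABLISHED = PERMITS + ["access-list 103 permit tcp any any established"]
# Final answer: specific permits, block the rest for the one host, let everyone else through.
WORKING = PERMITS + [f"access-list 103 deny ip any host {SERVER}",
                     "access-list 103 permit ip any any"]
```

The simulator covers entry matching only; which interface and direction the ACL is bound to (outbound on the Vlan99 SVI in the answer above) is a separate decision that the 3560's port-level "in only" restriction forces.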
3XLcomAuthor Commented:
I think it is OK. :) Should I log 77.223.156.156 connections, and how should I read the logs? I want to see whether the attacks that come to unexpected ports have been blocked or not.
Attachment: cisco3.png
 
SouljaCommented:
I can't see png files, but if you want to log, just enter log at the end of the ACL line entry; so for denies, enter log at the end of the deny line.

access-list 103 deny ip any host 77.223.156.156 log
 
3XLcomAuthor Commented:
Where should I read these logs afterwards?
 
SouljaCommented:
sh logging
 
SouljaCommented:
Even better, set yourself up a syslog server like kiwi or splunk and send the logs to that server. Just enter the command:


logging x.x.x.x


in your switch config.
 
3XLcomAuthor Commented:
You saved my day, kind regards
 
3XLcomAuthor Commented:
Should I keep logs for all connections?
 
SouljaCommented:
No problem, that is what we are here for. I just had to pull all that information out of you that you were withholding :)
 
SouljaCommented:
You can if you want, but not necessary.
 
