3XLcom
asked on
Cisco Port Block 3560 -
Hello i've a cisco 3560 router and it is connected internet from fa0/46
i have a switch on fa0/46 and i want to block an ip for some ports on fa0/45
i check out cisco 3560 has no command for "ip access-group 101 out" it has only in option
beside this when i dofirst code it does not work
when i do only second code it block all the port ip addresses for any port
how should i over come this issue ? what should be the problem ?
i have a switch on fa0/46 and i want to block an ip for some ports on fa0/45
i check out cisco 3560 has no command for "ip access-group 101 out" it has only in option
beside this when i dofirst code it does not work
when i do only second code it block all the port ip addresses for any port
how should i over come this issue ? what should be the problem ?
first :
access-list 103 permit ip any any
access-list 103 deny ip any host 77.223.156.156
access-list 103 deny icmp any host 77.223.156.156
access-list 103 deny tcp any host 77.223.156.156 eq 3306
access-list 103 permit tcp any host 77.223.156.156 eq 80
access-list 103 permit tcp any host 77.223.156.156 eq 21
access-list 103 permit tcp any host 77.223.156.156 eq 23
access-list 103 permit tcp any host 77.223.156.156 eq 110
access-list 103 permit tcp any host 77.223.156.156 eq 25
access-list 103 permit tcp any host 77.223.156.156 eq 443
access-list 103 permit tcp any host 77.223.156.156 eq 3389
access-list 103 permit tcp any host 77.223.156.156 eq 53
access-list 103 permit udp any host 77.223.156.156 eq 53
int fast 0/45
ip access-group 103 in
second :
access-list 103 deny icmp any host 77.223.156.156
int fast 0/45
ip access-group 103 in
Soulja
Don't you already have a question open regarding this?
ASKER
It has gone with lots of answer without any correct one so i opened a cleared one !! and i will close it please write if you have an answer this is emergency
Please better explain your network setup. What is connected to what? Provide more details. We can't see what you are looking at.
ASKER
This is my standart router config ;
and the main input is fas0/46
the ip address is assigned to a machine on 0/45
that is all
and the main input is fas0/46
the ip address is assigned to a machine on 0/45
that is all
Cisco.ROUTER.Com.Tr#show running-config
Building configuration...
Current configuration : 9008 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco.ROUTER.Com.Tr
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$IX6Y$tYfuOGmsp.gcWUTH9yimO/
enable password gbc*1283
!
username admin password 0 xxxxxxxxx
username root password 0 xxxxxxxxx
!
!
no aaa new-model
system mtu routing 1500
vtp domain ROUTER.com.tr
vtp mode transparent
authentication mac-move permit
ip subnet-zero
ip routing
!
!
!
mls qos
!
crypto pki trustpoint TP-self-signed-1446943872
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1446943872
revocation-check none
rsakeypair TP-self-signed-1446943872
!
!
crypto pki certificate chain TP-self-signed-1446943872
certificate self-signed 01
quit
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name GeneralInput
!
vlan 99
name Local
!
vlan 100
name Internet
!
!
!
interface Loopback0
no ip address
!
interface Loopback3
no ip address
!
interface FastEthernet0/1
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/17
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/20
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/21
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/22
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/24
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/25
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/26
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/27
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/28
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/29
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/30
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/31
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/32
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/33
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/34
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/35
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/36
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/37
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/38
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/39
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/40
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/41
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/42
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/43
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/44
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/45
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/46
switchport access vlan 100
!
interface FastEthernet0/47
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/48
switchport access vlan 2
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
!
interface Vlan99
ip address xx.xx.xx.1 255.255.255.0
!
interface Vlan100
ip address 91.191.170.50 255.255.255.252
!
ip default-gateway 91.191.170.49
ip classless
ip route 0.0.0.0 0.0.0.0 91.191.170.49
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
access-list 103 deny icmp any host xx.xx.xx.156
access-list dynamic-extended
snmp-server community ROUTER RW
snmp-server community ROUTER RW
snmp-server location Izmir, Ege, TR
snmp-server contact Cahit Eyigunlu - Network Admin - 553-8166268
snmp-server chassis-id Cisco3600-Router
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps rep
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps event-manager
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps energywise
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host xx.xx.xx.7 version 2c ROUTER
!
!
line con 0
line vty 0 4
password xxxxxxxxx
login local
transport input ssh
line vty 5 15
password xxxxxxxxx
login
transport input ssh
line vty 5 15
password xxxxxxxxx
login
transport input ssh
!
end
Okay, so are you trying to restrict traffic to the device sitting on port 45 or traffic from the device on port 45.
ASKER
exactly yes. for only one ip not for all ip addresses on the 45th port
What exactly is connected to port 45? And you didn't answer my question. Are you restricting traffic FROM the device or TO the device. Which one?
ASKER
Sir There is a L2 switch connected to the PORT45 and it has 12 servers connected to this switch.
I want to restrict the traffic from the cisco depending on the ip address.
I want to restrict the traffic from the cisco depending on the ip address.
If you have a switch connected to that port, I would suggest creating an ACL applied to the vlan 99 interface instead of the port. This way you have the option of applying it inbound or outbound.
ASKER
so should you provide me a sample acl for int fast 0/45 to block all ports except the given ip addresses below :
access-list 103 permit tcp any host 77.223.156.156 eq 80
access-list 103 permit tcp any host 77.223.156.156 eq 21
access-list 103 permit tcp any host 77.223.156.156 eq 23
access-list 103 permit tcp any host 77.223.156.156 eq 110
access-list 103 permit tcp any host 77.223.156.156 eq 25
access-list 103 permit tcp any host 77.223.156.156 eq 443
access-list 103 permit tcp any host 77.223.156.156 eq 3389
access-list 103 permit tcp any host 77.223.156.156 eq 53
access-list 103 permit udp any host 77.223.156.156 eq 53
for the specific ip address
access-list 103 permit tcp any host 77.223.156.156 eq 80
access-list 103 permit tcp any host 77.223.156.156 eq 21
access-list 103 permit tcp any host 77.223.156.156 eq 23
access-list 103 permit tcp any host 77.223.156.156 eq 110
access-list 103 permit tcp any host 77.223.156.156 eq 25
access-list 103 permit tcp any host 77.223.156.156 eq 443
access-list 103 permit tcp any host 77.223.156.156 eq 3389
access-list 103 permit tcp any host 77.223.156.156 eq 53
access-list 103 permit udp any host 77.223.156.156 eq 53
for the specific ip address
ASKER
check this out please i have added only permit access rules to the 103 then i have attach it to the vlan 99 for in and for out both of them cut all the network. you should see from the ping windows
cisco.png
cisco.png
Several questions:
- Do you want to allow other devices on vlan 99 to be able to communicate to this server openly?
- Do you want the other servers on the switch to be able to communicate with this server openly?
- Are you only trying to restrict access to that server from other vlans? or from what?
- Do you want to allow other devices on vlan 99 to be able to communicate to this server openly?
- Do you want the other servers on the switch to be able to communicate with this server openly?
- Are you only trying to restrict access to that server from other vlans? or from what?
ASKER
- Do you want to allow other devices on vlan 99 to be able to communicate to this server openly? YES there are 15 servers on vlan 99
- Do you want the other servers on the switch to be able to communicate with this server openly? Yes
Are you only trying to restrict access to that server from other vlans? or from what?
This ip is given to a Virtual Machine os. and it is getting attack from some ports so i just only want to block all ports for only one ip address. THIS IS ALL.
There are other servers on the same port using the ip addresses from the same C class .
do you have any other question ?
I JUST WANT TO BLOK ONE IP ADRESS PORT'S FOR INCOMING CONNECTIONS FROM THE INTERNET.
I do not know how should i get more clear
- Do you want the other servers on the switch to be able to communicate with this server openly? Yes
Are you only trying to restrict access to that server from other vlans? or from what?
This ip is given to a Virtual Machine os. and it is getting attack from some ports so i just only want to block all ports for only one ip address. THIS IS ALL.
There are other servers on the same port using the ip addresses from the same C class .
do you have any other question ?
I JUST WANT TO BLOK ONE IP ADRESS PORT'S FOR INCOMING CONNECTIONS FROM THE INTERNET.
I do not know how should i get more clear
ASKER
Please help this is emergency i just want to block connections that come to this ip from the global network - internet - for all ports except the givens.
it is no problem to block the same ports or not on the local network.
it is no problem to block the same ports or not on the local network.
Try adding:
access-list 103 permit tcp any any established
then
interface vlan 100
ip access-group 103 in
This will be applied on your outside interface. Let me know your results.
access-list 103 permit tcp any any established
then
interface vlan 100
ip access-group 103 in
This will be applied on your outside interface. Let me know your results.
ASKER
Result is same 77.223.156.156 and 77.223.156.152 both of them effected from the access list.
this is what i write into access-list 103
access-list 103 permit tcp any host 77.223.156.156 eq 80
access-list 103 permit tcp any host 77.223.156.156 eq 21
access-list 103 permit tcp any host 77.223.156.156 eq 23
access-list 103 permit tcp any host 77.223.156.156 eq 110
access-list 103 permit tcp any host 77.223.156.156 eq 25
access-list 103 permit tcp any host 77.223.156.156 eq 443
access-list 103 permit tcp any host 77.223.156.156 eq 3389
access-list 103 permit tcp any host 77.223.156.156 eq 53
access-list 103 permit udp any host 77.223.156.156 eq 53
access-list 103 permit tcp any any established
and all connection gone for network i mean for all cisco ports affected from the acl.
cisco2.png
this is what i write into access-list 103
access-list 103 permit tcp any host 77.223.156.156 eq 80
access-list 103 permit tcp any host 77.223.156.156 eq 21
access-list 103 permit tcp any host 77.223.156.156 eq 23
access-list 103 permit tcp any host 77.223.156.156 eq 110
access-list 103 permit tcp any host 77.223.156.156 eq 25
access-list 103 permit tcp any host 77.223.156.156 eq 443
access-list 103 permit tcp any host 77.223.156.156 eq 3389
access-list 103 permit tcp any host 77.223.156.156 eq 53
access-list 103 permit udp any host 77.223.156.156 eq 53
access-list 103 permit tcp any any established
and all connection gone for network i mean for all cisco ports affected from the acl.
cisco2.png
ASKER
and this is the result for show access list
Cisco.xxxx.Com.xx#show access-lists
Extended IP access list 103
10 permit tcp any host 77.223.156.156 eq www
20 permit tcp any host 77.223.156.156 eq ftp
30 permit tcp any host 77.223.156.156 eq telnet
40 permit tcp any host 77.223.156.156 eq pop3
50 permit tcp any host 77.223.156.156 eq smtp
60 permit tcp any host 77.223.156.156 eq 443
70 permit tcp any host 77.223.156.156 eq 3389
80 permit tcp any host 77.223.156.156 eq domain
90 permit udp any host 77.223.156.156 eq domain
100 permit tcp any any established (37 matches)
Cisco.xxxx.Com.xx#show access-lists
Extended IP access list 103
10 permit tcp any host 77.223.156.156 eq www
20 permit tcp any host 77.223.156.156 eq ftp
30 permit tcp any host 77.223.156.156 eq telnet
40 permit tcp any host 77.223.156.156 eq pop3
50 permit tcp any host 77.223.156.156 eq smtp
60 permit tcp any host 77.223.156.156 eq 443
70 permit tcp any host 77.223.156.156 eq 3389
80 permit tcp any host 77.223.156.156 eq domain
90 permit udp any host 77.223.156.156 eq domain
100 permit tcp any any established (37 matches)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I think it is ok. :) should i log 77.223.156.156 connections and how should i read the logs ? i want to see if attack has blocked or not that come to unexpected ports
cisco3.png
cisco3.png
I can't see png files, but if you want to log just enter log at the end of the acl line entry, so for denies enter log at the end of the deny line.
access-list 103 deny ip any host 77.223.156.156 log
access-list 103 deny ip any host 77.223.156.156 log
ASKER
where should i read this logs after ?
sh logging
Even better, set yourself up a syslog server like kiwi or splunk and send the logs to that server. Just enter the command:
logging x.x.x.x
in your switch config.
logging x.x.x.x
in your switch config.
ASKER
you saved my day king regards
ASKER
should i keep log for all connections ?
No Problem, that is what we are here for. I just had to pull all that information out of you that you were withholding :)
You can if you want, but not necessary.
ASKER
Please check out this question too :
https://www.experts-exchange.com/questions/27409089/Cisco-3560-ACL-and-Syn-Protect.html
https://www.experts-exchange.com/questions/27409089/Cisco-3560-ACL-and-Syn-Protect.html