off topic: Cisco access lists

Author: Joel Dudley <joel@silverw.com>
Date:  
Subject: off topic: Cisco access lists
How about some land and titles in Northern Wisconsin? I can also give you
the hand of my firstborn daughter in marriage and a dowry of llamas and
pigs. That is all I have to work with here. OK sorry for the silly post,
but the caffeine is at peak concentration in my blood.

- Joel

----- Original Message -----
From: "J.L.Francois" <>
To: <>
Sent: Tuesday, July 25, 2000 11:49 AM
Subject: Re: off topic: Cisco access lists


> It seems like on Tue, Jul 25, 2000 at 11:15:29AM -0700, Mike Starke scribbled:
> Orig Msg> I too would be interested if you wouldn't mind
> Orig Msg> passing along the info.
> Orig Msg>
> Orig Msg> On Tue, Jul 25, 2000 at 10:49:17AM -0700, Joel Dudley wrote:
> Orig Msg> This is exactly what I was looking for! Thanks a ton. I thank you for your
> Orig Msg> generosity. I wish there were a way for me to return the favor.
> Orig Msg>
> Orig Msg> - Joel
>
> Standard Fee:
> 1 - suckling pig
> 1 - yearling goat
> Perform standard RFC compliant ritual sacrifice as
> needed until I am pleased :)
> NOTE: No burnt offerings as I am trying to quit smoking.
>
> ==============================================
> Sample Cisco ACL to block an incoming port
> ==============================================
>
> Here's an extended access list you would use to block netblocks from
> reaching your Windows Boxen.
> I'm choosing to use an access-list id of 130 just for example.
>
> --- go into config mode
> Router#config term
> --- clear the access list if it existed
> Router(config)#no access-list 130
> --- allow established connections (this is generally a good idea)
> Router(config)#access-list 130 permit tcp any any established
> --- allow connections from trusted networks to anywhere (class-C)
> Router(config)#access-list 130 permit tcp 204.99.99.0 0.0.0.255 any
> --- ... and a class-B - notice access-lists use wildcard masks - the
> --- exact opposite of netmasks.
> Router(config)#access-list 130 permit tcp 149.11.0.0 0.0.255.255 any
> --- start denying evil connections (153.34.0.0-153.35.255.255)
> Router(config)#access-list 130 deny tcp 153.34.0.0 0.1.255.255 any eq 139
> --- (153.36.0.0-153.37.255.255)
> Router(config)#access-list 130 deny tcp 153.36.0.0 0.1.255.255 any eq 139
> --- (208.250.0.0-208.251.255.255)
> Router(config)#access-list 130 deny tcp 208.250.0.0 0.1.255.255 any eq 139
> --- (208.252.0.0-208.255.255.255)
> Router(config)#access-list 130 deny tcp 208.252.0.0 0.3.255.255 any eq 139
> --- ALLOW everything else - without this, nothing will get through.
> Router(config)#access-list 130 permit ip any any
> --- Now select the interface you want to filter at, pref. the one connected
> --- to your upstream provider...
> Router(config)#int s0
> --- apply access list 130 to this interface, for incoming packets only
> Router(config-int)#ip access-group 130 in
> --- exit and save to nvram
> Router(config-int)#exit
> Router(config)#exit
> Router#write mem
> --- or use 'copy running startup'
>
> Now you'll be blocking all tcp connections from anywhere in those netblocks
> to any internal host on port 139.
> If you want nothing at all to get thru the router to 139 then substitute
> 0.0.0.0 for the IP blocks I used in the example above.
>
>
> HTH. HAND.
> Jean Francois Sends...
> President & CEO - MagusNet, Inc., MagusNet.com, MagusNet.Gilbert.AZ.US
> Director Of Managed Services - OpNIX,Inc., www.opnix.com
> OpNIX - Simply Better Bandwidth
>
>
>
> _______________________________________________
> Plug-discuss mailing list -
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
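The access-list 130 quoted above, worked through as an added example that is not part of the thread and not a Cisco tool: it parses the lines, expands each wildcard mask to the address range the author annotates in his comments, and evaluates constructed sample packets top to bottom the way the router does, ending in the implicit deny.

```python
import ipaddress
# Copy of the ACL quoted in the thread (access-list 130), embedded so the checks below run offline.
ACL_130 = """\
access-list 130 permit tcp any any established
access-list 130 permit tcp 204.99.99.0 0.0.0.255 any
access-list 130 permit tcp 149.11.0.0 0.0.255.255 any
access-list 130 deny tcp 153.34.0.0 0.1.255.255 any eq 139
access-list 130 deny tcp 153.36.0.0 0.1.255.255 any eq 139
access-list 130 deny tcp 208.250.0.0 0.1.255.255 any eq 139
access-list 130 deny tcp 208.252.0.0 0.3.255.255 any eq 139
access-list 130 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(rest):
    # Consume either "any" or "<network> <wildcard>" from the front of the token list.
    return (None, rest[1:]) if rest[0] == "any" else ((rest[0], rest[1]), rest[2:])

def wildcard_range(network, wildcard):
    # A wildcard mask is the inverse of a netmask: a 1 bit means "any value in this bit".
    first = _ip(network) & ~_ip(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | _ip(wildcard)))

def _matches(addr, spec):  # spec is None for "any", else a (network, wildcard) pair
    return spec is None or (_ip(addr) & ~_ip(spec[1])) == (_ip(spec[0]) & ~_ip(spec[1]))

def parse_acl(text):
    # Parse "access-list N <permit|deny> <proto> <src> <dst> [eq <port>] [established]" lines.
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        src, rest = _take_addr(tok[4:])
        dst, rest = _take_addr(rest)
        rules.append({"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
                      "dport": int(rest[rest.index("eq") + 1]) if "eq" in rest else None,
                      "established": "established" in rest})
    return rules

def evaluate(rules, proto, src, dst, dport=None, established=False):
    # First matching line wins; an unmatched packet hits the implicit deny at the end of every ACL.
    for r in rules:
        if r["proto"] in ("ip", proto) and (established or not r["established"]) \
                and r["dport"] in (None, dport) \
                and _matches(src, r["src"]) and _matches(dst, r["dst"]):
            return r["action"]
    return "deny"
```

Running the sample packets shows two things the comments in the thread do not spell out: because the established line comes first, an already-established TCP session from a denied netblock still passes, and because the four deny lines are tcp-only, UDP traffic to port 139 falls through to the final permit.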