off topic: Cisco access lists

J.L.Francois jlf@magusnet.gilbert.az.us
Tue, 25 Jul 2000 11:49:38 -0700


It seems like on Tue, Jul 25, 2000 at 11:15:29AM -0700, Mike Starke scribbled:
Orig Msg> I too would be interested if you wouldn't mind
Orig Msg> passing along the info.
Orig Msg> 
Orig Msg> On Tue, Jul 25, 2000 at 10:49:17AM -0700, Joel Dudley wrote:
Orig Msg>  This is exactly what I was looking for!  Thanks a ton.  I thank you for your
Orig Msg>  generosity.  I wish there were a way for me to return the favor.
Orig Msg>  
Orig Msg>  - Joel

Standard Fee:
1 - suckling pig
1 - yearling goat
Perform standard RFC compliant ritual sacrifice as 
needed until I am pleased :)
NOTE: No burnt offerings as I am trying to quit smoking.

==============================================
Sample Cisco ACL to block an incoming port
==============================================

Here's an extended access list you would use to block netblocks from
reaching your Windows Boxen.
I'm choosing to use an access-list id of 130 just for example.

---   go into config mode
Router#config term
---   clear the access list if it existed
Router(config)#no access-list 130
---   allow established connections (this is generally a good idea)
Router(config)#access-list 130 permit tcp any any established
---   allow connections from trusted networks to anywhere (class-C)
Router(config)#access-list 130 permit tcp 204.99.99.0 0.0.0.255 any 
---   ... and a class-B - notice access-lists use wildcard masks - the
---   exact opposite of netmasks.
Router(config)#access-list 130 permit tcp 149.11.0.0 0.0.255.255 any
---   start denying evil connections (153.34.0.0-153.35.255.255)
Router(config)#access-list 130 deny tcp 153.34.0.0 0.1.255.255 any eq 139
---   (153.36.0.0-153.37.255.255)
Router(config)#access-list 130 deny tcp 153.36.0.0 0.1.255.255 any eq 139
---   (208.250.0.0-208.251.255.255)
Router(config)#access-list 130 deny tcp 208.250.0.0 0.1.255.255 any eq 139
---   (208.252.0.0-208.255.255.255)
Router(config)#access-list 130 deny tcp 208.252.0.0 0.3.255.255 any eq 139
---   ALLOW everything else - without this, nothing will get through.
Router(config)#access-list 130 permit ip any any
---   Now select the interface you want to filter at, pref. the one connected
---   to your upstream provider...
Router(config)#int s0
---   apply access list 130 to this interface, for incoming packets only
Router(config-if)#ip access-group 130 in
---   exit and save to nvram
Router(config-if)#exit
Router(config)#exit
Router#write mem
---   or use 'copy running startup'

Now you'll be blocking all tcp connections from anywhere in those netblocks
to any internal host on port 139.  
If you want nothing at all to get thru the router to 139 then substitute
0.0.0.0 for the IP blocks I used in the example above.


HTH. HAND.
Jean Francois Sends...
President & CEO - MagusNet, Inc., MagusNet.com, MagusNet.Gilbert.AZ.US
Director Of Managed Services - OpNIX,Inc., www.opnix.com
OpNIX - Simply Better Bandwidth
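The ACL above is easy to get wrong in two places: the wildcard masks (a 1 bit means "don't care", the inverse of a netmask) and the ordering (first match wins, with an implicit deny at the end). The following Python is an added example, not part of the original post, that parses the posted list, shows which address range each wildcard actually covers, and walks a few constructed packets through the list the way the router would. The sample packets and the internal host 10.0.0.5 are constructed for illustration; the ACL text is the one from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# The access list from the post, one entry per line (prompts stripped).
SAMPLE_ACL = """
access-list 130 permit tcp any any established
access-list 130 permit tcp 204.99.99.0 0.0.0.255 any
access-list 130 permit tcp 149.11.0.0 0.0.255.255 any
access-list 130 deny tcp 153.34.0.0 0.1.255.255 any eq 139
access-list 130 deny tcp 153.36.0.0 0.1.255.255 any eq 139
access-list 130 deny tcp 208.250.0.0 0.1.255.255 any eq 139
access-list 130 deny tcp 208.252.0.0 0.3.255.255 any eq 139
access-list 130 permit ip any any
"""

ALL_ONES = 0xFFFFFFFF


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "ip", ...
    src: int                    # source base address as an int
    src_wild: int               # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dst_port: Optional[int]     # "eq <port>" on the destination, or None
    established: bool           # only match replies to existing TCP sessions


def parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (base, wildcard, index of the next unread token)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, wild, i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse extended 'access-list <id> <action> <proto> <src> <dst> [eq N] [established]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_wild, i = parse_addr(t, 4)
        dst, dst_wild, i = parse_addr(t, i)
        port, est = None, False
        while i < len(t):
            if t[i] == "eq":
                port, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                est, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
        entries.append(Entry(action, proto, src, src_wild, dst, dst_wild, port, est))
    return entries


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """Only the bits where the wildcard is 0 have to equal the base address."""
    care = wild ^ ALL_ONES
    return (addr & care) == (base & care)


def wildcard_range(base: str, wild: str) -> Tuple[str, str]:
    """Lowest and highest address a contiguous base/wildcard pair covers."""
    b, w = int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))
    lo = b & (w ^ ALL_ONES)
    hi = lo | w
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def evaluate(entries, src_ip, dst_ip, proto="tcp", dst_port=None, ack=False):
    """First matching entry wins. Returns (action, entry index); index None
    means no entry matched and the implicit deny at the end applied."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for n, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(s, e.src, e.src_wild) or not wildcard_match(d, e.dst, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        if e.established and not ack:   # "established" needs ACK/RST set
            continue
        return e.action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("153.34.0.0 0.1.255.255 covers", wildcard_range("153.34.0.0", "0.1.255.255"))
    print("208.252.0.0 0.3.255.255 covers", wildcard_range("208.252.0.0", "0.3.255.255"))
    for src, port, ack in [("153.35.7.7", 139, False), ("153.35.7.7", 80, False),
                           ("153.35.7.7", 139, True), ("208.249.1.1", 139, False)]:
        print(src, "->", port, "ack" if ack else "syn", evaluate(acl, src, "10.0.0.5", "tcp", port, ack))
    print("no final permit, udp/53:", evaluate(acl[:-1], "1.2.3.4", "10.0.0.5", "udp", 53))
```

Running it shows the two things worth checking before pasting an ACL into a router: the wildcard 0.1.255.255 really does cover exactly two /16s, and dropping the final permit ip any any turns the list into "deny everything", because a packet matching no entry hits the implicit deny. It also shows why the established line sits first: a reply packet from a denied netblock is permitted by entry 0 before the port-139 deny is ever consulted.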