How to configure cisco access-list for ports other than well known ports

By petersan.jeanpierre
I am trying to configure an extended access-list
on a Cisco 3620 and I am having a difficult time
getting it to work. The thing is that some
applications on our server run on ports like 5070
and 5001, etc. When I configure the access-list
as follows:

ip access-list extended FILTER-WAN-IN
permit tcp any xxx.xxx.xx.x eq 5001
or
permit tcp any eq 5001 host xxx.xxx.xx.x eq 5001

neither of the configurations works. However,
when I configure the ACL for well-known
ports like 25, 80 and so on, it works fine.

What I had to do to get these ports opened is to
configure an inside source static on Ethernet
0/0.

My question is: is there another way to
configure an access list for ports that are not
part of the well-known list?

Your syntax is correct

by NetMan1958 In reply to How to configure cisco ac ...

even for the well-known ports you can specify the port number instead of using the service name. Perhaps if you post your entire config, something might be obvious.

I looked at the configuration again and again

by petersan.jeanpierre In reply to Your syntax is correct

I checked the configuration over and over and
I am getting the same result. At first I
thought my syntax was incorrect, but I
confirmed its correctness via an old Cisco
CCNA book that a friend let me borrow; and
despite all the checking, the access
list will not work.

Additionally, I am also trying to prevent
certain PCs on our network that are
configured via the router's DHCP pool from
going to sites other than the company's
internal and www sites. Since I can't get the
access-list to work right, we are constantly
having to clean up a bunch of PCs weekly.

If anybody out there can help me with at
least the first part of the problem (though
the two are closely related), I would greatly
appreciate the help.

Need to see more

by NetMan1958 In reply to I looked at the configura ...

of your config, as there are several things that could cause this issue. Post your entire config and mask any usernames, passwords and public IP addresses for security.

Here is my config file. The IP addresses and passwords have been altered.

by petersan.jeanpierre In reply to Need to see more

Building configuration...

Current configuration : 2857 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router-1
!
boot-start-marker
boot-end-marker
!
enable password xxxxx
!
aaa new-model
!
!
aaa authentication login UserAuthen local
aaa authorization network GroupAuthor local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip domain name devicebuilder.usa
ip name-server 2.2.2.2
ip name-server 2.2.3.2
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool Engineering
network 192.168.1.0 255.255.255.0
domain-name devicebuilder.usa
dns-server 2.2.2.2 2.2.3.2
default-router 192.168.1.1
lease 7
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description Wide Area Network interface to SimpleNet entry 09.09.09.10
ip address 09.09.10.12 255.255.255.555
ip access-group FILTER-WAN-IN in
ip access-group FILTER-LAN-OUT out
speed auto
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description Local network interface to 10.10.10.0 or 10.0.0.0 subnet
ip address 192.168.1.1 255.255.255.0
speed auto
full-duplex
!
interface Serial0/1
no ip address
shutdown
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.81 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.1.81 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 192.168.1.81 940 interface FastEthernet0/0 940
ip nat inside source static tcp 192.168.1.81 5001 interface FastEthernet0/0 5001
no ip http server
ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 199.6.25.11
!
!
!
ip access-list extended FILTER-LAN-OUT
permit ip any any
ip access-list extended FILTER-WAN-IN
permit ip any any
permit tcp any host 192.168.1.4 eq www
permit tcp any host 192.168.1.4 eq 5001
permit tcp any host 192.168.1.14 eq 3389
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
!
!
!
!
!
line con 0
exec-timeout 0 0
speed 115200
line aux 0
line vty 0 4
password test2
transport input ssh
!
!
end

Try this

by NetMan1958 In reply to Here is my config file. t ...

Change your ip access-list extended FILTER-WAN-IN to this:
permit tcp any host 09.09.10.12 eq www
permit tcp any host 09.09.10.12 eq 5001
permit tcp any host 09.09.10.12 eq 3389

where 09.09.10.12 is the actual ip assigned to your interface FastEthernet0/0.

On your static NAT statements add the extendable option so that this:
ip nat inside source static tcp 192.168.1.81 25 interface FastEthernet0/0 25
looks like this:
ip nat inside source static tcp 192.168.1.81 25 interface FastEthernet0/0 25 extendable

Give that a go and post back with the results.
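The point behind the reply above (the inbound ACL on FastEthernet0/0 has to name the interface's public address, not the 192.168.1.x host) can be checked without a router. The Python below is an added example written for this page; it is not code from the thread or from Cisco. It models the three IOS behaviours that matter here: the first matching entry wins, anything that matches no entry hits the implicit deny, and an ACL applied inbound on the NAT outside interface is evaluated before outside-to-inside translation, so it only ever sees the global address. It runs both the FILTER-WAN-IN that was posted and the replacement suggested in the last reply against a constructed inbound SYN. Assumptions, labelled in the code: 203.0.113.12 stands in for the altered public address 09.09.10.12 (Python's ipaddress module rejects the leading-zero form), 198.51.100.7 is an arbitrary Internet client, and only the IOS port keywords the thread uses are mapped to numbers.

```python
"""Model of an IOS extended ACL applied inbound on the NAT outside interface:
first match wins, unmatched traffic hits the implicit deny, and the input ACL
runs BEFORE outside-to-inside NAT, so it sees the global (public) address and
never the inside host.  Added example, not from the thread; addresses are stand-ins."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "telnet": 23}  # IOS keywords -> numbers
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))
# src/dst are IPv4Network objects; a port of None means "any"; proto "ip" matches all.
Entry = namedtuple("Entry", "action proto src sport dst dport")

def _take_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tok[i]; return (network, next)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    netmask = ~int(ip_address(tok[i + 1])) & 0xFFFFFFFF  # wildcard bits -> netmask
    return ip_network((tok[i], str(ip_address(netmask))), strict=False), i + 2

def _take_port(tok, i):
    """Parse an optional 'eq PORT' (number or IOS keyword); return (port or None, next)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_entry(line):
    tok = line.split()
    src, i = _take_addr(tok, 2)
    sport, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, _ = _take_port(tok, i)
    return Entry(tok[0], tok[1], src, sport, dst, dport)

def parse_acl(text):
    """Keep permit/deny lines; an 'ip access-list extended NAME' header is skipped."""
    lines = (l.strip() for l in text.splitlines())
    return [parse_entry(l) for l in lines if l.startswith(("permit ", "deny "))]

def matches(e, p):
    return (e.proto in ("ip", p.proto)
            and ip_address(p.src) in e.src and ip_address(p.dst) in e.dst
            and e.sport in (None, p.sport) and e.dport in (None, p.dport))

def evaluate(acl, pkt):
    """First match wins; falling off the end is the implicit deny (entry None)."""
    for n, e in enumerate(acl, 1):
        if matches(e, pkt):
            return e.action, n
    return "deny", None

def covers(a, b):
    """True if every packet entry b could match is already caught by entry a."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.sport in (None, b.sport) and a.dport in (None, b.dport))

def shadowed_entries(acl):
    """1-based entries that can never be hit because an earlier entry covers them."""
    return [n for n, e in enumerate(acl, 1) if any(covers(a, e) for a in acl[:n - 1])]

def inside_destination_entries(acl, inside_net):
    """Entries aimed at inside (pre-NAT) addresses: dead inbound on the outside interface."""
    net = ip_network(inside_net)
    return [n for n, e in enumerate(acl, 1) if e.dst.subnet_of(net)]

def inbound_on_outside(acl, pkt, static_nat):
    """IOS order for outside->inside: input ACL first, then static global->local NAT."""
    action, n = evaluate(acl, pkt)
    inside = static_nat.get((pkt.proto, pkt.dport)) if action == "permit" else None
    return action, n, inside

# Constructed stand-ins: 203.0.113.12 plays the router's altered public address
# (09.09.10.12 in the thread); 198.51.100.7 is an arbitrary Internet client.
PUBLIC, CLIENT, INSIDE = "203.0.113.12", "198.51.100.7", "192.168.1.0/24"
# Static port forwards from the posted config, keyed (proto, global port).
STATIC_NAT = {("tcp", p): "192.168.1.81" for p in (25, 3389, 940, 5001)}
# FILTER-WAN-IN as posted: 'permit ip any any' first, inside addresses after it.
POSTED_ACL = parse_acl("""
ip access-list extended FILTER-WAN-IN
 permit ip any any
 permit tcp any host 192.168.1.4 eq www
 permit tcp any host 192.168.1.4 eq 5001
 permit tcp any host 192.168.1.14 eq 3389
""")
# The replacement from the last reply, with the public address substituted.
CORRECTED_ACL = parse_acl(f"""
 permit tcp any host {PUBLIC} eq www
 permit tcp any host {PUBLIC} eq 5001
 permit tcp any host {PUBLIC} eq 3389
""")

if __name__ == "__main__":
    syn = Packet("tcp", CLIENT, PUBLIC, 40001, 5001)  # constructed inbound SYN
    for name, acl in ("posted", POSTED_ACL), ("corrected", CORRECTED_ACL):
        print(name, "shadowed", shadowed_entries(acl), "inside-dst",
              inside_destination_entries(acl, INSIDE), inbound_on_outside(acl, syn, STATIC_NAT))
```

Against the posted ACL the SYN to port 5001 is permitted by entry 1, and entries 2 to 4 are reported both as shadowed (nothing gets past permit ip any any) and as naming inside addresses the input ACL can never see, which is why editing those lines changed nothing and only the static translation made the port reachable. Against the corrected ACL entry 2 permits the SYN and the static translation then hands it to 192.168.1.81. The same run shows what the three-line replacement leaves open once the permit ip any any is gone: ports 25 and 940, which have static translations in the posted config, and the return packets of connections the LAN opens outbound all fall to the implicit deny, so they need their own entries (for TCP replies, an established or stateful-inspection entry) before the list is reapplied to the WAN interface.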