Gerardo,

You have most probably run into the common mistake with Cisco ACLs :-)

When you specify 'deny tcp any any eq 113' you actually specify
113 (IDENT from the top of my head) on the remote site, not on yours.

You should try 'deny tcp any eq 113 any' or apply the ACL on the
reverse direction (inbound in place of outbound).

Hope this helps

-eric


At 10:36 02/06/1999 +0000, Gerardo Soto wrote:
>Hi to everyone:
>       First of all, I would like to take a little time to express my
>gratefulness to all of you that are enrolled to this firewall list. Let
>me tell you that even though posting a message sometimes is more risky
>than informative, it is a well worth it one, that is, as
>we all know, there are crackers enlisted, so when they see someone
>like me, asking silly questions, they immediately launch an attack to
>the person or site requesting the information, but like I said, in my
>humble opinion, one learns and gets 5 times as much worthy information
>than, exploit attacks from the "dark side of the force".
>My question in turn is the following:
>I have configured my Cisco router to deny-permit (with an access-list)
>some ports and protocols.
>Since (thanks to all of you) I could set up
>a logging machine other than the router, I am watching what is coming in
>and out of my network through the logs that I get directly from the router
>and the tcpdump. My problem is that some of the ports that I have blocked
>are still letting in some connections tcp udp for example 113.
>Also now these guys are sending tcp udp packets to ports higher than 1024
>How can I stop this and how can such actions affect my site?
>Here is a little part of my logs:
>
>Jun  1 13:10:26 kraken2 157796: *Apr 24 19:41:14: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(20615), 1 packet
>Jun  1 13:30:55 kraken2 158498: *Apr 24 20:01:43: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(21563), 1 packet
>Jun  1 13:37:27 kraken2 158676: *Apr 24 20:08:15: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(21629), 1 packet
>Jun  1 14:04:51 kraken2 159546: *Apr 24 20:35:38: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(22635), 1 packet
>Jun  1 14:32:49 kraken2 160889: *Apr 24 21:03:36: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(24616), 1 packet
>Jun  1 14:53:26 kraken2 161361: *Apr 24 21:24:13: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(25144), 1 packet
>Jun  1 15:14:13 kraken2 162312: *Apr 24 21:44:59: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(25698), 1 packet
>Jun  1 15:23:03 kraken2 162444: *Apr 24 21:53:50: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(25906), 1 packet
>Jun  1 15:44:13 kraken2 162802: *Apr 24 22:14:59: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(26718), 1 packet
>Jun  1 15:48:00 kraken2 162890: *Apr 24 22:18:47: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(27160), 1 packet
>Jun  1 16:25:35 kraken2 163296: *Apr 24 22:56:22: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(29253), 1 packet
>Jun  1 16:25:37 kraken2 163302: *Apr 24 22:56:23: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(29254), 1 packet
>Jun  1 16:53:16 kraken2 164097: *Apr 24 23:24:02: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(30532), 1 packet
>Jun  1 17:23:44 kraken2 164573: *Apr 24 23:54:29: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(31855), 1 packet
>Jun  1 17:51:20 kraken2 164983: *Apr 25 00:22:06: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(1337), 1 packet
>Jun  1 18:40:54 kraken2 165700: *Apr 25 01:11:39: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(4205), 1 packet
>Jun  1 19:09:24 kraken2 165867: *Apr 25 01:40:10: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(5318), 1 packet
>Jun  1 19:39:18 kraken2 166371: *Apr 25 02:10:03: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(6944), 1 packet
>Jun  1 21:20:50 kraken2 167041: *Apr 25 03:51:34: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(11283), 1 packet
>Jun  1 21:28:22 kraken2 167092: *Apr 25 03:59:06: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(11853), 1 packet
>Jun  1 21:51:40 kraken2 167243: *Apr 25 04:22:24: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(12876), 1 packet
>Jun  1 23:12:10 kraken2 167495: *Apr 25 05:42:53: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(16455), 1 packet
>Jun  2 01:16:52 kraken2 167765: *Apr 25 07:47:34: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(21536), 1 packet
>Jun  2 01:58:35 kraken2 167844: *Apr 25 08:29:17: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(22890), 1 packet
>Jun  2 02:17:20 kraken2 167866: *Apr 25 08:48:03: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(24300), 1 packet
>Jun  2 02:53:10 kraken2 167903: *Apr 25 09:23:52: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(25372), 1 packet
>Jun  2 06:06:17 kraken2 168056: *Apr 25 12:36:58: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(2100), 1 packet
>Jun  2 06:14:58 kraken2 168067: *Apr 25 12:45:38: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(2575), 1 packet
>Jun  2 07:54:59 kraken2 168175: *Apr 25 14:25:39: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(6954), 1 packet
>Jun  2 07:55:54 kraken2 168176: *Apr 25 14:26:34: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(7021), 1 packet
>Jun  2 08:00:02 kraken2 168181: *Apr 25 14:30:42: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(7277), 1 packet
>Jun  2 08:38:01 kraken2 168280: *Apr 25 15:08:40: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(8809), 1 packet
>Jun  2 09:20:04 kraken2 168399: *Apr 25 15:50:43: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(10299), 1 packet
>Jun  2 09:46:07 kraken2 168488: *Apr 25 16:16:46: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(12174), 1 packet
>Jun  2 09:56:06 kraken2 168520: *Apr 25 16:26:45: %SEC-6-IPACCESSLOGP: list 101 
>permitted tcp 209.182.195.70(113) -> 200.38.80.1(12411), 1 packet
>
>Let me assure you that I have:
> access-list 101 deny tcp any any eq 113 log
>included in  my access-list
>       
>                       Thanks in advance !!!!!
>Gerardo,
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
> 
Eric Vyncke                        
Consulting Engineer                Cisco Systems EMEA
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: [EMAIL PROTECTED]          Mobile: +32-75-312.458
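
The source-versus-destination port point in the reply above, checked against two entries from the quoted log. This is an added example, not part of either message: the helper names (parse_log, parse_ace, count_matches) are hypothetical, and the matcher is a simplified model that only understands entries of the form "any [eq N] any [eq N]", not full IOS ACL syntax or interface direction.

```python
import re

# Two entries from the router log quoted in the message above, each re-joined
# onto one line (the e-mail wrapped them).
LOG = """\
Jun  1 13:10:26 kraken2 157796: *Apr 24 19:41:14: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 209.182.195.70(113) -> 200.38.80.1(20615), 1 packet
Jun  1 17:51:20 kraken2 164983: *Apr 25 00:22:06: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 209.182.195.70(113) -> 200.38.80.1(1337), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)")

# Simplified model (an assumption of this example): only entries of the form
# "<proto> any [eq N] any [eq N] [log]" are understood.
ACE_RE = re.compile(
    r"access-list (?P<acl>\d+) (?P<action>permit|deny) (?P<proto>\w+) "
    r"any(?: eq (?P<sport>\d+))? any(?: eq (?P<dport>\d+))?(?: log)?$")


def parse_log(text):
    """Return one dict per logged packet, with ports as integers."""
    packets = []
    for m in LOG_RE.finditer(text):
        pkt = m.groupdict()
        pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
        packets.append(pkt)
    return packets


def parse_ace(line):
    """Parse one access-list entry; a port of None means 'any port'."""
    m = ACE_RE.match(line.strip())
    if m is None:
        raise ValueError("unsupported ACL entry: " + line)
    ace = m.groupdict()
    for key in ("sport", "dport"):
        ace[key] = int(ace[key]) if ace[key] else None
    return ace


def count_matches(ace_line, packets):
    """Count packets whose protocol and ports satisfy the entry."""
    ace = parse_ace(ace_line)
    return sum(ace["proto"] in ("ip", p["proto"])
               and ace["sport"] in (None, p["sport"])
               and ace["dport"] in (None, p["dport"]) for p in packets)


if __name__ == "__main__":
    pkts = parse_log(LOG)
    for entry in ("access-list 101 deny tcp any any eq 113 log",
                  "access-list 101 deny tcp any eq 113 any log"):
        print(entry, "->", count_matches(entry, pkts), "of", len(pkts))
```
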