Thanks everyone for helping out. I think Jason's suggestion along with the
permit any/any line is probably the way to go for us. So basically, I will
have the following:
access-list 101 deny udp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 permit ip any any
Then, I will type the following:
en
# config terminal
(config) int Hssi1/0
(config-if) ip access-group 101 in
I'm assuming I need the "in" part because the default appears to be out on
the test router I am experimenting on and I want this to apply to incoming
traffic. Is this correct?
Thx again,
Scott
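To check what the three-line ACL above actually does before putting it on the HSSI interface, here is a small simulator of IOS extended-ACL matching (sequential evaluation, first match wins, implicit "deny ip any any" at the end, wildcard masks, "eq"/"range" destination-port clauses and the netbios-* port keywords). This is an added, constructed example and not IOS code or anything from the original posts; the packets and the 203.0.113.7 source address are made up for the test, and the simulator has no notion of direction, so it stands in for the packets that "ip access-group 101 in" would hand to the ACL on Hssi1/0.

```python
"""Simulate Cisco IOS extended-ACL matching for the NetBIOS filter in this thread.

Constructed example: sequential first-match evaluation with the implicit deny at
the end, 'any'/'host'/address+wildcard sources and destinations, 'eq' and 'range'
destination-port clauses. Source-port clauses, 'lt'/'gt'/'neq' and 'established'
are not modelled. This is not IOS code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IOS port keywords used in the thread and the numbers they resolve to.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp" or "udp"
    src: Tuple[int, int]               # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dports: Optional[Tuple[int, int]]  # inclusive destination-port range or None


def _addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    try:
        wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    except (IndexError, ipaddress.AddressValueError):
        raise ValueError("address needs a wildcard mask: " + " ".join(tokens))
    return (net, wild), i + 2


def _ports(tokens, i):
    """Consume an optional 'eq PORT' or 'range LOW HIGH' clause after the destination."""
    if i >= len(tokens):
        return None
    port = lambda s: PORT_NAMES.get(s) or int(s)
    if tokens[i] == "eq":
        p = port(tokens[i + 1])
        return (p, p)
    if tokens[i] == "range":
        return (port(tokens[i + 1]), port(tokens[i + 2]))
    raise ValueError("unsupported clause: " + " ".join(tokens[i:]))


def parse_entry(line):
    """Parse one 'access-list N {permit|deny} PROTO SRC DST [ports]' line."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: " + line)
    if t[3] not in ("ip", "tcp", "udp"):
        # Extended ACLs need a protocol keyword before the source address.
        raise ValueError("extended ACL entry needs a protocol keyword: " + line)
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    return Entry(t[2], t[3], src, dst, _ports(t, i))


def parse_acl(text):
    """Parse a block of lines; blanks and '!' comment lines are skipped."""
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("!")]


def _addr_match(addr, rule):
    net, wild = rule
    # Bits set in the wildcard are "don't care"; all other bits must match.
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, line_number); line 0 is the implicit 'deny ip any any'."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, e in enumerate(acl, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_match(s, e.src) and _addr_match(d, e.dst)):
            continue
        if e.dports and not (e.dports[0] <= (dport or 0) <= e.dports[1]):
            continue
        return e.action, n
    return "deny", 0


SCOTT_ACL = """
access-list 101 deny udp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 permit ip any any
"""

# The six-line version from the thread with its final permit still commented out.
JOHN_ACL_NO_PERMIT = """
access-list 101 deny udp any 195.50.79.0 0.0.0.255 eq netbios-dgm
access-list 101 deny udp any 195.50.79.0 0.0.0.255 eq netbios-ns
access-list 101 deny udp any 195.50.79.0 0.0.0.255 eq netbios-ss
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 eq 137
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 eq 138
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 eq 139
! access-list 101 permit ip any any
"""


def demo():
    """Run constructed packets (source 203.0.113.7 is made up) through both ACLs."""
    scott, john = parse_acl(SCOTT_ACL), parse_acl(JOHN_ACL_NO_PERMIT)
    out = {
        "netbios_ns_in": evaluate(scott, "udp", "203.0.113.7", "195.50.79.10", 137),
        "smb_in": evaluate(scott, "tcp", "203.0.113.7", "195.50.79.10", 139),
        "http_in": evaluate(scott, "tcp", "203.0.113.7", "195.50.79.10", 80),
        "smb_other_net": evaluate(scott, "tcp", "203.0.113.7", "195.50.80.10", 139),
        "http_in_john": evaluate(john, "tcp", "203.0.113.7", "195.50.79.10", 80),
    }
    try:  # the first attempt from the thread lacks a protocol and a wildcard
        parse_entry("access-list 101 deny any 195.50.79.0 eq 137")
        out["original_line"] = "accepted"
    except ValueError as err:
        out["original_line"] = "rejected: " + str(err)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two results are worth noting: with the permit line commented out, the six-line ACL drops the HTTP packet on the implicit deny (line 0), which is the "not a complete ACL" warning made concrete; and a port-139 packet to 195.50.80.10 is permitted because the third octet is not covered by the 0.0.0.255 wildcard, so the scope of the filter is exactly the /24 and nothing else.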
"J Roysdon" [EMAIL PROTECTED] wrote in message
news:946a0p$7vo$[EMAIL PROTECTED]...
Remember, the fewer lines an ACL is, the faster it is parsed, the faster
packets pass:
access-list 101 deny udp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 range 137 139
--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/
"John Starta" [EMAIL PROTECTED] wrote in message
news:5.0.2.1.2.20010117135118.037b0d10@popcorn...
Scott,
The following example will block the full suite of NetBios inbound to you
(presumably 195.50.79.0/24). This is not a complete ACL -- it will be
necessary to either specifically allow the traffic you desire inbound, or
add another line to the bottom (currently commented out) permitting
everything else.
access-list 101 deny udp any 195.50.79.0 0.0.0.255 eq netbios-dgm
access-list 101 deny udp any 195.50.79.0 0.0.0.255 eq netbios-ns
access-list 101 deny udp any 195.50.79.0 0.0.0.255 eq netbios-ss
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 eq 137
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 eq 138
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 eq 139
! access-list 101 permit ip any any
jas
At 07:35 PM 1/17/01 +, Scott S. wrote:
Our WatchGuard FireBox seems to be getting overloaded by the number of
NetBios packets it is denying. We are thinking that it might be a good idea
of blocking these at our router instead. It is a Cisco 7200 with a pretty
light load. Does this sound like a sensible idea? If so I was thinking the
following rule would be appropriate:
access-list 101 deny any 195.50.79.0 eq 137
Is this correct, or am I way off?
Thanks in advance for any replies.
Sincerely,
Scott
_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]