Access Lists on a Cisco 7200
Our WatchGuard FireBox seems to be getting overloaded by the number of NetBios packets it is denying. We are thinking that it might be a good idea to block these at our router instead. It is a Cisco 7200 with a pretty light load. Does this sound like a sensible idea? If so I was thinking the following rule would be appropriate:

access-list 101 deny any 195.50.79.0 eq 137

Is this correct, or am I way off?

Thanks in advance for any replies.

Sincerely,
Scott

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Access Lists on a Cisco 7200
Scott,

The following example will block the full suite of NetBios inbound to you (presumably 195.50.79.0/24). This is not a complete ACL -- it will be necessary to either specifically allow the traffic you desire inbound, or add another line to the bottom (currently commented out) permitting everything else.

access-list 101 deny udp any 195.50.79.0 0.0.0.255 eq netbios-dgm
access-list 101 deny udp any 195.50.79.0 0.0.0.255 eq netbios-ns
access-list 101 deny udp any 195.50.79.0 0.0.0.255 eq netbios-ss
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 eq 137
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 eq 138
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 eq 139
! access-list 101 permit ip any any

jas

At 07:35 PM 1/17/01 +, Scott S. wrote:
RE: Access Lists on a Cisco 7200
Woah! Make sure you do a permit any any first. Remember that there is an implicit deny any at the end of your access list! There shouldn't be a problem stopping NetBIOS at the router; a better example might look like below.

Ex.:
access-list 101 deny udp any any eq 137
! extended ACL entries need a protocol keyword, hence "permit ip"
access-list 101 permit ip any any

HTH,
Evan

-----Original Message-----
From: Scott S. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 17, 2001 1:36 PM
To: [EMAIL PROTECTED]
Subject: Access Lists on a Cisco 7200
Re: Access Lists on a Cisco 7200
Hi

If you need to pass VPN traffic you will need to add permits for GRE and ESP as well.

HTH
John Hardman CCNP MCSE+I

"John Starta" <[EMAIL PROTECTED]> wrote in message news:5.0.2.1.2.20010117135118.037b0d10@popcorn...
Re: Access Lists on a Cisco 7200
Remember, the fewer lines an ACL is, the faster it is parsed, the faster packets pass:

access-list 101 deny udp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 range 137 139

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"John Starta" <[EMAIL PROTECTED]> wrote in message news:5.0.2.1.2.20010117135118.037b0d10@popcorn...
Re: Access Lists on a Cisco 7200
Thanks everyone for helping out. I think Jason's suggestion along with the permit any/any line is probably the way to go for us. So basically, I will have the following:

access-list 101 deny udp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 permit ip any any

Then, I will type the following:

> en
# config terminal
(config) int Hssi1/0
(config-if) ip access-group 101 in

I'm assuming I need the "in" part because the default appears to be out on the test router I am experimenting on and I want this to apply to incoming traffic. Is this correct?

Thx again,
Scott

"J Roysdon" <[EMAIL PROTECTED]> wrote in message news:946a0p$7vo$[EMAIL PROTECTED]...
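Added illustration, not part of the thread: a small Python evaluator for the IOS extended ACL subset used in the messages above (first match wins, implicit deny at the end). It checks the ACL Scott settled on against constructed sample packets, and contrasts it with two variants the thread touches on: the permit line left out (everything is dropped by the implicit deny) and a permit placed before the deny lines (the deny lines are never reached). Assumptions: no source-port clause and numeric destination ports only; packets are constructed, not captured.

```python
import ipaddress
from collections import namedtuple

# Modelled IOS extended ACL subset (assumption: no source-port clause, numeric ports only):
#   access-list N deny|permit ip|tcp|udp SRC DST [eq P | range A B], SRC/DST = "any" | "addr wildcard"
Pkt = namedtuple("Pkt", "proto src dst dport")   # proto is "tcp" or "udp"

def _addr_match(t, i, ip):
    """Match ip against t[i:] ("any" or "net wildcard"); return (matched, next token index)."""
    if t[i] == "any":
        return True, i + 1
    net, wild = (int(ipaddress.IPv4Address(x)) for x in (t[i], t[i + 1]))
    mask = ~wild & 0xFFFFFFFF           # a wildcard's set bits are "don't care" bits
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask), i + 2

def _port_match(t, i, port):
    if i >= len(t):                     # no port clause: every port matches
        return True
    if t[i] == "eq":
        return port == int(t[i + 1])
    if t[i] == "range":
        return int(t[i + 1]) <= port <= int(t[i + 2])
    raise ValueError(f"unsupported port clause: {t[i]}")

def evaluate(acl, pkt):
    """First matching entry wins; with no match the ACL ends in IOS's implicit deny."""
    for line in acl:
        t = line.split()
        if not t or t[0] == "!":        # "!" starts a comment, as in the thread
            continue
        action, proto = t[2], t[3]
        if proto != "ip" and proto != pkt.proto:
            continue
        ok, i = _addr_match(t, 4, pkt.src)
        if ok:
            ok, i = _addr_match(t, i, pkt.dst)
        if not ok or (proto != "ip" and not _port_match(t, i, pkt.dport)):
            continue
        return action
    return "deny"

# The ACL Scott settled on (copied from the thread) and two variants discussed in it.
FINAL_ACL = [
    "access-list 101 deny udp any 195.50.79.0 0.0.0.255 range 137 139",
    "access-list 101 deny tcp any 195.50.79.0 0.0.0.255 range 137 139",
    "access-list 101 permit ip any any",
]
NO_PERMIT = FINAL_ACL[:2]                        # permit line forgotten: implicit deny drops all traffic
PERMIT_FIRST = [FINAL_ACL[2]] + FINAL_ACL[:2]    # permit placed first: the deny lines are never reached
```

Run `evaluate(FINAL_ACL, Pkt("udp", "10.0.0.1", "195.50.79.5", 137))` to see "deny", and the same packet against `PERMIT_FIRST` to see "permit".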