Access List

jeddah55 Member Posts: 14
Hi, I made this extended access list in my lab, but there's something wrong.


10 deny tcp host 192.168.1.108 range 3380 3399 host 192.168.2.1 log-input
20 permit tcp any any log-input (1098 matches)

I wanted to deny the host (192.168.1.108) from accessing the host (192.168.2.1) via MS Remote Desktop, which by default uses TCP port 3389.

Every time I try to connect, it connects, and the router gives me the syslog message that host A connected to host B.
*Mar 1 03:26:20.048: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.168.2.1(3389) (Ethernet0/0 000d.6025.3861) -> 192.168.1.108(4925), 279 packets
How can I stop this remote connection?

Comments

  • meadIT Member Posts: 581
    jeddah55 wrote:
    10 deny tcp host 192.168.1.108 range 3380 3399 host 192.168.2.1 log-input
    20 permit tcp any any log-input (1098 matches)

    Shouldn't the syntax be:
    deny tcp host 192.168.1.108 host 192.168.2.1 eq range 3380 3399 log-input

    Configuring Commonly Used IP ACLs - Cisco Systems
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
  • kalebksp Member Posts: 1,033
    That access list is denying 192.168.1.108 from connecting to 192.168.2.1 with the outgoing ports of 3380-3399. You should configure it like this:

    deny tcp host 192.168.1.108 host 192.168.2.1 range 3380 3399 log-input
  • jeddah55 Member Posts: 14
    Thank you, it's working.

    But why, when you go to:

    R0(config)#access-list 110 deny tcp host 192.168.1.108 ?
    A.B.C.D Destination address
    any Any destination host
    eq Match only packets on a given port number
    gt Match only packets with a greater port number
    host A single destination host
    lt Match only packets with a lower port number
    neq Match only packets not on a given port number
    range Match only packets in the range of port numbers

    does it give you the port range before you type the destination host number?
  • kalebksp Member Posts: 1,033
    That's if you want to match the source ports, rather than the destination ports.
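
To make that source-port versus destination-port distinction concrete, here is a small ACL evaluator added for this thread; it is not IOS code and was not posted by anyone in the discussion. It models only the slice of extended-ACL grammar used above (tcp, `host`/`any`/wildcard addresses, numeric `eq`/`neq`/`gt`/`lt`/`range` operators, trailing `log`/`log-input`) and runs both the original entry 10 and the corrected one against the RDP connection shown in the syslog line (source port 4925, destination port 3389). The packet tuple and both ACLs are constructed from the thread's own lines.

```python
"""Toy evaluator for Cisco-style extended ACL entries (tcp only).

Constructed example for this thread, not IOS code: just enough of the
grammar to show that a port operator written after the *source* address
matches the source port, while one written after the *destination*
address matches the destination port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


@dataclass
class Endpoint:
    network: ipaddress.IPv4Network
    port_op: Optional[Tuple[str, int, int]]  # (operator, low, high)

    def matches(self, ip: str, port: int) -> bool:
        if ipaddress.IPv4Address(ip) not in self.network:
            return False
        if self.port_op is None:  # no operator: any port matches
            return True
        op, lo, hi = self.port_op
        return {
            "eq": port == lo,
            "neq": port != lo,
            "gt": port > lo,
            "lt": port < lo,
            "range": lo <= port <= hi,
        }[op]


@dataclass
class Entry:
    seq: int
    action: str
    src: Endpoint
    dst: Endpoint


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Endpoint, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard', then an optional port operator."""
    if tokens[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    else:
        # IOS wildcard masks are inverted netmasks; convert before building the network
        wild = int(ipaddress.IPv4Address(tokens[i + 1]))
        mask = str(ipaddress.IPv4Address(~wild & 0xFFFFFFFF))
        net, i = ipaddress.IPv4Network((tokens[i], mask), strict=False), i + 2
    port_op = None
    if i < len(tokens) and tokens[i] in PORT_OPS:
        op = tokens[i]
        lo = int(tokens[i + 1])  # numeric ports only in this toy (no 'telnet', 'www', ...)
        hi = int(tokens[i + 2]) if op == "range" else lo
        port_op = (op, lo, hi)
        i += 3 if op == "range" else 2
    return Endpoint(net, port_op), i


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else 0  # optional sequence number
    action, proto = tokens[0], tokens[1]
    if proto != "tcp":
        raise ValueError("only tcp entries are modelled here")
    src, i = _parse_endpoint(tokens, 2)
    dst, _ = _parse_endpoint(tokens, i)  # trailing 'log' / 'log-input' is ignored
    return Entry(seq, action, src, dst)


def evaluate(acl: List[Entry], src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.src.matches(src_ip, src_port) and e.dst.matches(dst_ip, dst_port):
            return e.action, e.seq
    return "deny", None


# Constructed ACLs: the original from the question and the corrected form.
ORIGINAL = [parse_entry(l) for l in (
    "10 deny tcp host 192.168.1.108 range 3380 3399 host 192.168.2.1 log-input",
    "20 permit tcp any any log-input",
)]
CORRECTED = [parse_entry(l) for l in (
    "10 deny tcp host 192.168.1.108 host 192.168.2.1 range 3380 3399 log-input",
    "20 permit tcp any any log-input",
)]
# The RDP connection from the syslog line: ephemeral source port 4925 -> destination 3389.
RDP_SYN = ("192.168.1.108", 4925, "192.168.2.1", 3389)

if __name__ == "__main__":
    print("original :", evaluate(ORIGINAL, *RDP_SYN))   # ('permit', 20)
    print("corrected:", evaluate(CORRECTED, *RDP_SYN))  # ('deny', 10)
```

With the original entry, the `range 3380 3399` sits after the source address, so it is checked against the client's ephemeral port (4925) and never matches; the packet falls through to entry 20 and is permitted, which is exactly what the `%SEC-6-IPACCESSLOGP ... permitted` message reported. With the corrected entry the operator follows the destination address, 3389 falls inside the range, and entry 10 denies it.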