ServerCentreLtd
10-22-2002, 09:34 AM
Hi All,
My brain has died.
Can somebody remind me of the IOS commands to block access to NetBIOS ports at the router. Cisco 3620 IOS ver 12.2
TIA
Lagniappe-labgeek
10-22-2002, 09:54 AM
Edit: here's something that may help more:
http://www.cisco.com/warp/public/698/acl200.html
Filtering NetBIOS
NetBIOS traffic uses SAP values 0xF0 (for commands) and 0xF1 (for responses). Typically, network administrators use these SAP values to filter this protocol. The access list entry depicted below permits NetBIOS traffic and denies everything else (remember the implicit "deny all" at the end of each ACL):
access-list 200 permit 0xF0F0 0x0101
Using the same procedure shown in the previous section, you can determine that the above ACL permits the following SAPs: 0xF0 and 0xF1.
On the other hand, if the requirement is to block NetBIOS and allow the rest of the traffic, use this ACL:
access-list 200 deny 0xF0F0 0x0101
access-list 200 permit 0x0000 0xFFFF
ServerCentreLtd
10-22-2002, 10:22 AM
Thanks labgeek,
Yes I want to block all NetBIOS traffic at the router.
ServerCentreLtd
10-28-2002, 09:19 AM
I have added the above ACLs, however when I scan my network I can still see the ports. I currently have all NetBIOS turned off. However, I would like to use NetBIOS for backup purposes. Is it possible to drop connections at the router for the following ports:
137, 138, 139 and 445
so that it is 'safe' to enable NetBIOS? Or is it better to just forget NetBIOS and find another backup method?
Regards
Lagniappe-labgeek
10-28-2002, 01:10 PM
Here's an access list that should work to block ports instead of SAP packets.
! NetBIOS name and datagram services are UDP, session service and SMB-direct are TCP
router(config)#access-list 101 deny udp any any eq 137
router(config)#access-list 101 deny udp any any eq 138
router(config)#access-list 101 deny tcp any any eq 139
router(config)#access-list 101 deny tcp any any eq 445
! without this line the implicit "deny all" at the end would drop everything else
router(config)#access-list 101 permit ip any any
router(config)#interface (the external if)
router(config-if)#ip access-group 101 in
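To check how such an access list behaves before putting it on a production router, here is a small evaluator for the subset of IOS extended ACL syntax used above (added example, not from the thread or from Cisco). It models first-match evaluation and the implicit "deny all", and rejects the invalid form "deny ip any any eq <port>", since port matching is only valid with tcp or udp. The ACL contents below are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Accepts lines like "access-list 101 deny tcp any any eq 139"
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(ip|tcp|udp)\s+any\s+any"
    r"(?:\s+eq\s+(\d+))?\s*$"
)


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    port: Optional[int]    # destination port, None means any port


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse numbered extended ACL lines; raise ValueError on invalid syntax."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported or invalid ACL line: {line!r}")
        _num, action, proto, port = m.groups()
        if proto == "ip" and port is not None:
            # IOS only allows "eq <port>" with tcp or udp, not with ip
            raise ValueError(f"port match not allowed with 'ip': {line!r}")
        entries.append(Entry(action, proto, int(port) if port else None))
    return entries


def is_valid_acl_line(line: str) -> bool:
    try:
        parse_acl([line])
        return True
    except ValueError:
        return False


def evaluate(entries: List[Entry], proto: str, dst_port: int) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if e.port is not None and e.port != dst_port:
            continue
        return e.action
    return "deny"


# Constructed ACL: block NetBIOS/SMB from outside, allow everything else
NETBIOS_ACL = parse_acl("""
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 permit ip any any
""".splitlines())
```

Dropping the final permit line and re-running evaluate() on port 80 shows the implicit deny in action.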
Lagniappe-labgeek
10-28-2002, 01:14 PM
http://www.ja.net/CERT/JANET-CERT/prevention/cisco/cisco_acls.html
clockwork
10-28-2002, 02:44 PM
I opened this thread expecting some insanely difficult question... that's 101 of basic access-list functions, geez ;)
ServerCentreLtd
10-28-2002, 02:54 PM
I know! I just wanted to check what I was doing was correct, before I get the "Cisco guy" round to check everything (Less hours he spends round here the cheaper it is for me!:D )
Best Regards
Jay Suds
10-28-2002, 03:29 PM
You will also want to block port 135 (MS RPC server) as there is a new, nasty DoS attack out for Win2K SP3 that operates by crashing the RPC service.