Block 1433 port with access list for specific ip address

Last response: in Networking
January 2, 2012 11:07:16 AM

I want to block SQL port access to my server for everyone except a few of my IP addresses, using an access list on a Cisco router (IOS). How do I do that?
January 3, 2012 8:26:56 PM

hi, rajesh-
some more information about your network would let me give you a more complete answer, but for now the basic syntax of an access-list on cisco equipment is:

access-list [number] permit/deny [ip/tcp/udp] [source network/host] [destination network/host]

i found a good (and free) video tutorial on how to configure access-lists here: http://www.bosscbt.tv/icnd2/intro-to-access-lists/

good luck!
m
January 4, 2012 12:32:48 PM

Dear 1sAND0s

Below is the syntax I am using, in which I want a few of my external IPs to access the SQL port (1433) on my server and the rest should be blocked from accessing port 1433.

ip access-list extended WAN
 permit tcp host X.X.X.X host [server ip] eq 1433
 deny tcp any host [server ip] eq 1433

ip access-group WAN in (on my router interface)

If I apply the above access-list, the server IP stops responding from the outside network.

Please help me with this so that I can apply the same and hope it works.

Thanks in advance.
January 24, 2012 12:21:31 AM

hello,
so it looks like you are enabling access correctly to the server on tcp port 1433.

ip access-list extended WAN
 permit tcp host [external host ip] host [server ip] eq 1433

and then you explicitly block everyone to the same server on tcp 1433. that second line actually isn't necessary because there is an implicit deny at the end of every access-list, so everything gets denied that hasn't already been explicitly permitted.

i suspect you might need more ports open (but i say that not knowing what you're doing with this sql server). so you might want to start by applying this acl:

ip access-list extended WAN
 permit ip any host [server ip] log

this will log all traffic going to the server, which will let you know if your external hosts need more ports (just check the router logs).

you can apply a similar access-list to the interface closest to the sql server - again permit the server to talk to anyone and log it. look in the logs to see what ports the server needs open.

finally, where you apply the access-list matters... A LOT :)  decide if it should be on an external facing interface, on the internal, or one for each (depends on how tightly you want to lock things down).

when in doubt, look at your traffic to see what's going on (logging the acl or a packet capture).

did you check out the access-list tutorial? i know they have several more that cover more advanced access-list issues.

good luck!

:) 

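The reply above rests on two properties of Cisco extended ACLs: entries are checked top to bottom and the first match wins, and anything that matches no entry hits the implicit deny at the end. The following Python model is an added example, not code from the thread or from Cisco; it replays the poster's two-line ACL and the suggested logging ACL against a handful of constructed packets (addresses are RFC 5737 documentation ranges, chosen here) to show why the server "stops responding" for everything except port 1433, and what the router log would reveal.

```python
# Added example (not from the thread): a small model of how a Cisco IOS extended
# ACL is evaluated. Entries are tried in order, the first match decides, and a
# packet matching nothing is dropped by the implicit "deny ip any any".
# All addresses below are constructed (RFC 5737 documentation ranges).
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Ace:
    """One entry: 'permit|deny <proto> <src> <dst> [eq <port>] [log]'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, otherwise exact
    src: str                     # "any", a host address, or a CIDR network
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination; None = any port
    log: bool = False


def _match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[Ace]]:
    """First matching entry wins; no match -> ("deny", None), the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_match(ace.src, pkt.src) and _match(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace
    return "deny", None


ALLOWED_CLIENT = "203.0.113.10"   # the "X.X.X.X" that may reach SQL (constructed)
OTHER_HOST = "198.51.100.7"       # any other outside host (constructed)
SERVER = "192.0.2.5"              # the SQL server (constructed)

# The poster's ACL, applied inbound on the WAN interface.
POSTED_ACL = [
    Ace("permit", "tcp", ALLOWED_CLIENT, SERVER, 1433),
    Ace("deny", "tcp", "any", SERVER, 1433),  # redundant: implicit deny covers it
]

# The diagnostic ACL from the reply: permit everything to the server and log it.
LOGGING_ACL = [Ace("permit", "ip", "any", SERVER, log=True)]

# Constructed inbound traffic as it would arrive on the WAN interface.
TRAFFIC = [
    Packet("tcp", ALLOWED_CLIENT, SERVER, 1433),   # SQL from the allowed host
    Packet("tcp", OTHER_HOST, SERVER, 1433),       # SQL from anyone else
    Packet("icmp", ALLOWED_CLIENT, SERVER),        # ping from the allowed host
    Packet("tcp", ALLOWED_CLIENT, SERVER, 3389),   # another service on the server
    Packet("tcp", OTHER_HOST, SERVER, 443),
]


def verdicts(acl: List[Ace], traffic: List[Packet]) -> Dict[Packet, str]:
    """Map each packet to 'permit', 'deny' or 'deny (implicit)'."""
    out = {}
    for pkt in traffic:
        action, ace = evaluate(acl, pkt)
        out[pkt] = action if ace is not None else "deny (implicit)"
    return out


def log_summary(acl: List[Ace], traffic: List[Packet]) -> Counter:
    """Count packets per (proto, dport) that hit a logged entry: the view of the
    router log the reply recommends for spotting which extra ports are needed."""
    hits: Counter = Counter()
    for pkt in traffic:
        _, ace = evaluate(acl, pkt)
        if ace is not None and ace.log:
            hits[(pkt.proto, pkt.dport)] += 1
    return hits


if __name__ == "__main__":
    for pkt, v in verdicts(POSTED_ACL, TRAFFIC).items():
        print(f"{pkt.proto:4} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}  {v}")
    print(log_summary(LOGGING_ACL, TRAFFIC))
```

Running it shows the allowed host reaching 1433 and everyone else being denied on 1433, but also the allowed host's ping and its connection to port 3389 falling through to the implicit deny. That is the "server stops responding" symptom: an inbound ACL that only permits one port silently drops every other inbound packet to that address, so any additional service the server offers needs its own permit line, which is exactly what the logged permit-all entry helps you enumerate before tightening the list again.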