Cisco 1700

Discussion in 'Cisco' started by IshmaelDS, Jul 28, 2006.

  1. IshmaelDS

    IshmaelDS Guest

    I have a Cisco 1700 running IOS 12.1(8). It is running as the gateway
    between us and our ISP. They have given me the username/password for the
    1700 and I am trying to set up a deny for port 6881 in and out. But
    every time I set it up it cuts our DNS. I'm at a loss. I haven't used
    any Cisco stuff in a long time and can't seem to find out what I'm
    doing wrong. The command I tried was this:

    router(config)#access-list 110 deny tcp any any eq 6881
    router(config-if)#ip access-group 110 in

    and at that point our net goes down. I get cut from the telnet session
    I'm in and I have to reset the router. Any help? I also tried:

    router(config)#access-list 110 deny tcp any #.#.#.# 0.0.0.0 eq 6881
    (where the # is our IP)
    router(config-if)#ip access-group 110 in

    Please can someone help me? We are getting a flood of 6881 SYN packets
    from a huge number of sources. At first I thought it was BitTorrent
    but it has been continuing for 3 days now and I have checked every
    machine and we have no BT clients running.
    IshmaelDS, Jul 28, 2006
    #1
  2. IshmaelDS

    flamer Guest

    IshmaelDS wrote:

    > I have a Cisco 1700 running IOS 12.1(8). It is running as the gateway
    > between us and our ISP. They have given me the username/password for the
    > 1700 and I am trying to set up a deny for port 6881 in and out. But
    > every time I set it up it cuts our DNS. I'm at a loss. I haven't used
    > any Cisco stuff in a long time and can't seem to find out what I'm
    > doing wrong. The command I tried was this:
    >
    > router(config)#access-list 110 deny tcp any any eq 6881
    > router(config-if)#ip access-group 110 in
    >
    > and at that point our net goes down. I get cut from the telnet session
    > I'm in and I have to reset the router. Any help? I also tried:
    >
    > router(config)#access-list 110 deny tcp any #.#.#.# 0.0.0.0 eq 6881
    > (where the # is our IP)
    > router(config-if)#ip access-group 110 in
    >
    > Please can someone help me? We are getting a flood of 6881 SYN packets
    > from a huge number of sources. At first I thought it was BitTorrent
    > but it has been continuing for 3 days now and I have checked every
    > machine and we have no BT clients running.


    There is an implicit deny any any at the bottom of every access-list.
    Doing it the way you are doing it, you just need to add in access-list
    110 allow ip any any. Make sure to remove the rule, then paste them both
    in at the same time, because the allow rule must be at the bottom.

    Flamer.
    flamer , Jul 28, 2006
    #2
  3. IshmaelDS

    flamer Guest

    IshmaelDS wrote:

    > I have a Cisco 1700 running IOS 12.1(8). It is running as the gateway
    > between us and our ISP. They have given me the username/password for the
    > 1700 and I am trying to set up a deny for port 6881 in and out. But
    > every time I set it up it cuts our DNS. I'm at a loss. I haven't used
    > any Cisco stuff in a long time and can't seem to find out what I'm
    > doing wrong. The command I tried was this:
    >
    > router(config)#access-list 110 deny tcp any any eq 6881
    > router(config-if)#ip access-group 110 in
    >
    > and at that point our net goes down. I get cut from the telnet session
    > I'm in and I have to reset the router. Any help? I also tried:
    >
    > router(config)#access-list 110 deny tcp any #.#.#.# 0.0.0.0 eq 6881
    > (where the # is our IP)
    > router(config-if)#ip access-group 110 in
    >
    > Please can someone help me? We are getting a flood of 6881 SYN packets
    > from a huge number of sources. At first I thought it was BitTorrent
    > but it has been continuing for 3 days now and I have checked every
    > machine and we have no BT clients running.


    Oh and also, what IP address have you actually specified? Why not block
    this traffic to all IP addresses? deny tcp any any eq 6881

    Flamer.
    flamer , Jul 28, 2006
    #3
  4. IshmaelDS

    Guest

    > IshmaelDS wrote:
    >
    > > router(config)#access-list 110 deny tcp any any eq 6881
    > > router(config-if)#ip access-group 110 in


    access-list 110 deny tcp any any eq 6881

    is equivalent to

    no access-list 110
    access-list 110 deny tcp any any eq 6881
    access-list 110 deny ip any any


    What you want I imagine is

    no access-list 110
    access-list 110 deny tcp any any eq 6881
    access-list 110 permit ip any any
    , Jul 28, 2006
    #4
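
Added example, not part of any post in this thread: a small Python model of top-down, first-match ACL evaluation, showing why the list as first applied dropped the DNS replies and the telnet session, while the corrected list from reply #4 blocks only TCP 6881. The packet addresses are constructed documentation ranges and the `Ace`, `evaluate` and `compare` names are hypothetical; it models only the matching logic discussed here, not IOS itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One extended-ACL entry: action, protocol, source, destination, 'eq' port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dst_port: Optional[int] = None   # destination port from "eq <port>"

    def matches(self, pkt: dict) -> bool:
        if self.proto not in ("ip", pkt["proto"]):
            return False
        for field, spec in (("src", self.src), ("dst", self.dst)):
            if spec != "any" and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(spec):
                return False
        return self.dst_port is None or self.dst_port == pkt.get("dport")

def evaluate(acl, pkt):
    """Top-down, first match wins; a packet matching nothing hits the implicit deny."""
    for number, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, f"entry {number}"
    return "deny", "implicit deny"

# The two lists tried in the first post, and the corrected list from reply #4.
AS_POSTED = [Ace("deny", "tcp", dst_port=6881)]
HOST_ONLY = [Ace("deny", "tcp", dst="198.51.100.10/32", dst_port=6881)]
CORRECTED = AS_POSTED + [Ace("permit", "ip")]

# Constructed inbound packets (documentation address ranges, not from the thread).
PACKETS = {
    "dns_reply": {"proto": "udp", "src": "192.0.2.53", "dst": "198.51.100.10", "dport": 33000},
    "telnet": {"proto": "tcp", "src": "192.0.2.20", "dst": "198.51.100.1", "dport": 23},
    "syn_6881": {"proto": "tcp", "src": "203.0.113.77", "dst": "198.51.100.10", "dport": 6881},
}

def compare():
    """Return {packet: (verdict under AS_POSTED, verdict under CORRECTED)}."""
    return {name: (evaluate(AS_POSTED, p), evaluate(CORRECTED, p)) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:10} as posted: {before}   corrected: {after}")
```

Narrowing the deny to a single destination host, as in the second attempt, changes nothing for the other traffic: it still falls through to the implicit deny until a permit entry follows.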
  5. IshmaelDS

    IshmaelDS Guest

    Sweet, I'll try that later today. Thank you both so much. I knew it
    was something simple. Sigh, guess this is why you should keep your
    notes. I'm pretty sure that will work though. I'll let you know. Oh,
    and the reason I was blocking to a specific IP was because that is the
    only one that is getting spammed.
    wrote:
    > > IshmaelDS wrote:
    > >
    > > > router(config)#access-list 110 deny tcp any any eq 6881
    > > > router(config-if)#ip access-group 110 in

    >
    > access-list 110 deny tcp any any eq 6881
    >
    > is equivalent to
    >
    > no access-list 110
    > access-list 110 deny tcp any any eq 6881
    > access-list 110 deny ip any any
    >
    >
    > What you want I imagine is
    >
    > no access-list 110
    > access-list 110 deny tcp any any eq 6881
    > access-list 110 permit ip any any
    IshmaelDS, Jul 28, 2006
    #5
  6. IshmaelDS

    IshmaelDS Guest

    It worked. Thanks very much.
    IshmaelDS wrote:
    > Sweet, I'll try that later today. Thank you both so much. I knew it
    > was something simple. Sigh, guess this is why you should keep your
    > notes. I'm pretty sure that will work though. I'll let you know. Oh,
    > and the reason I was blocking to a specific IP was because that is the
    > only one that is getting spammed.
    > wrote:
    > > > IshmaelDS wrote:
    > > >
    > > > > router(config)#access-list 110 deny tcp any any eq 6881
    > > > > router(config-if)#ip access-group 110 in

    > >
    > > access-list 110 deny tcp any any eq 6881
    > >
    > > is equivalent to
    > >
    > > no access-list 110
    > > access-list 110 deny tcp any any eq 6881
    > > access-list 110 deny ip any any
    > >
    > >
    > > What you want I imagine is
    > >
    > > no access-list 110
    > > access-list 110 deny tcp any any eq 6881
    > > access-list 110 permit ip any any
    IshmaelDS, Aug 1, 2006
    #6