Chris Rasmussen · Infrastructure Guy · Code Dabbler · Photographer · Traveller

Cisco ACLs & Windows file shares – What ports need to be open?

I had a situation recently where I had to allow access to Windows file shares on one subnet from Linux systems that are on a different subnet. No problem except that there was a Cisco 1811 router in the way that is locked down pretty tight. Some ports needed to be open but which ones?

Firstly, a small disclaimer. I’m not a CCNA or Cisco expert by any means … far from it. The stuff below worked for me but feel free to comment if you want to point out things that I did wrong. ;)

Answer:

TCP/139 (netbios-ssn)
TCP/445 (microsoft-ds)
UDP/138 (netbios-dgm)

Modern SMB clients, including the Linux cifs and Samba clients, connect directly on TCP/445; TCP/139 is the NetBIOS session fallback. If the clients resolve the server by NetBIOS name rather than by IP address or DNS, UDP/137 (netbios-ns) is needed as well.

By default every Cisco ACL ends with an implicit "deny ip any any", whether or not you configure one. An explicit deny entry has one practical advantage: "show ip access-list" displays a match counter beside it, whereas the implicit deny never shows how much traffic it dropped. I always specify one, just to make sure I’m the one controlling it. Call me paranoid …

Assumptions:

- Your Linux clients’ network is connected to FastEthernet 1 (FE1)
- Your Windows file server’s network is connected to FastEthernet 0 (FE0)
- You have an extended ACL applied to FE0 interface on the “in” direction called FE0_In
- You have an extended ACL applied to the FE1 interface on the “in” direction called FE1_In
- You’ve got a manually-added “deny ip any any” rule at the bottom of each ACL
- You want to allow Windows file share access to a single Windows file server with IP address 192.168.1.10 (the host named in the ACL entries below)

To open the above ports, and thereby allow access to the Windows file shares, issue the following commands. These commands don’t account for any other rules in your ACLs, as those will be site-specific. One caveat: IOS extended ACLs are stateless. FE0_In as shown only permits the NetBIOS datagrams the server sends, so the server’s TCP replies on ports 139 and 445 must also be permitted inbound on FE0 (for example with entries that use the "established" keyword, which matches TCP segments with ACK or RST set) unless a stateful feature such as IOS firewall inspection or reflexive ACLs already handles return traffic on your router.

conf t
ip access-list ext FE0_In
! New entries are appended, so remove the explicit deny first ...
no deny ip any any
! ... permit the NetBIOS datagrams the server sends from UDP/138 ...
permit udp host 192.168.1.10 eq netbios-dgm any
! ... and put the explicit deny back at the bottom
deny ip any any

That sorts out the FE0_In ACL. To mirror the configuration for the FE1_In ACL, issue the following commands. I’m assuming you’re still in config mode at this point.

ip access-list ext FE1_In
! Same trick: drop the deny, append the permits, re-add the deny
no deny ip any any
! SMB from the Linux clients to the file server (NetBIOS session and direct SMB)
permit tcp any host 192.168.1.10 eq 139
permit tcp any host 192.168.1.10 eq 445
deny ip any any
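To see how these two lists actually behave, here is an added example (not part of the original post) that models IOS extended-ACL evaluation in Python: entries are tested top-down, the first match wins, and an implicit "deny ip any any" follows the last entry. It walks one SMB connection through FE1_In and FE0_In in both directions. The Linux client address 192.168.2.20, its source port, and the "established" entries in the hardened FE0_In list are assumptions for illustration; the parser only understands the entry forms used here.

```python
"""Simplified model of how Cisco IOS evaluates an extended ACL (an added
example, not the original post's configuration).  Assumed semantics:
entries are tested top-down, the first match wins, and an implicit
"deny ip any any" follows the last entry.  "established" matches TCP
segments with ACK or RST set.  Only these entry forms are parsed:
  <permit|deny> <ip|tcp|udp> <any|host A.B.C.D> [eq PORT]
                             <any|host A.B.C.D> [eq PORT] [established]
"""

PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138,
              "netbios-ssn": 139, "microsoft-ds": 445}


def parse_entry(line):
    """Turn one ACL entry into a dict; None means 'any' / no port test."""
    toks = line.split()
    entry = {"action": toks[0], "proto": toks[1], "established": False}
    i = 2
    for side in ("src", "dst"):
        if toks[i] == "any":
            entry[side], i = None, i + 1
        elif toks[i] == "host":
            entry[side], i = toks[i + 1], i + 2
        else:
            raise ValueError("unsupported address form: " + toks[i])
        entry[side + "_port"] = None
        if i < len(toks) and toks[i] == "eq":
            name = toks[i + 1]
            entry[side + "_port"] = PORT_NAMES.get(name) or int(name)
            i += 2
    if i < len(toks) and toks[i] == "established":
        entry["established"] = True
    return entry


def entry_matches(e, pkt):
    """Does one parsed entry match a packet dict?"""
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if e[side] is not None and e[side] != pkt[side]:
            return False
        port = e[side + "_port"]
        if port is not None and port != pkt[side + "_port"]:
            return False
    if e["established"] and not (pkt["proto"] == "tcp" and pkt["ack_or_rst"]):
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, entry text) for the first matching entry."""
    for line in acl:
        e = parse_entry(line)
        if entry_matches(e, pkt):
            return e["action"], line
    return "deny", "implicit deny ip any any"


SERVER = "192.168.1.10"      # the file server from the post
CLIENT = "192.168.2.20"      # assumed Linux client address (not from the post)
EPHEMERAL = 50123            # assumed client source port

FE1_IN = [                   # inbound on FE1 (Linux clients' side), as posted
    "permit tcp any host 192.168.1.10 eq 139",
    "permit tcp any host 192.168.1.10 eq 445",
    "deny ip any any",
]
FE0_IN = [                   # inbound on FE0 (file server's side), as posted
    "permit udp host 192.168.1.10 eq netbios-dgm any",
    "deny ip any any",
]
FE0_IN_WITH_RETURN = [       # assumed hardening: let the server's TCP replies back
    "permit tcp host 192.168.1.10 eq 139 any established",
    "permit tcp host 192.168.1.10 eq 445 any established",
    "permit udp host 192.168.1.10 eq netbios-dgm any",
    "deny ip any any",
]


def packet(proto, src, sport, dst, dport, ack_or_rst=False):
    """Constructed sample packet (5-tuple plus the ACK/RST flag state)."""
    return {"proto": proto, "src": src, "src_port": sport,
            "dst": dst, "dst_port": dport, "ack_or_rst": ack_or_rst}


def smb_session(fe1_in, fe0_in, port=445):
    """Walk one SMB connection through both ACLs and report each verdict."""
    return {
        "client_syn": evaluate(fe1_in, packet("tcp", CLIENT, EPHEMERAL, SERVER, port))[0],
        "server_synack": evaluate(fe0_in, packet("tcp", SERVER, port, CLIENT, EPHEMERAL, True))[0],
        "client_ssh": evaluate(fe1_in, packet("tcp", CLIENT, EPHEMERAL, SERVER, 22))[0],
        "server_dgram": evaluate(fe0_in, packet("udp", SERVER, 138, CLIENT, 138))[0],
    }


if __name__ == "__main__":
    print("as posted:       ", smb_session(FE1_IN, FE0_IN))
    print("with established:", smb_session(FE1_IN, FE0_IN_WITH_RETURN))
```

With the lists exactly as posted, the client’s SYN to port 445 is permitted by FE1_In but the server’s SYN-ACK is dropped by FE0_In’s final deny; the "established" entries fix that without letting the server open new connections towards the clients, because a bare SYN from the server side has neither ACK nor RST set.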

There are a couple of ways to view the contents of these two access lists and make sure they’re correct; the output also shows a hit count beside each entry, which is handy while testing.

From within configuration mode ("do" runs an EXEC command without leaving configuration mode):
do sh ip access-list FE0_In
and
do sh ip access-list FE1_In

From outside configuration mode:
sh ip access-list FE0_In
and
sh ip access-list FE1_In

Once you’ve tested the configuration, save the running configuration to the startup configuration. "copy running-config startup-config" is a privileged EXEC command, not a configuration command, so leave configuration mode first (or prefix it with "do" to run it from within configuration mode):

end
copy running-config startup-config

Sorted.
