Access-List for Internet router Security

Discussion in 'Cisco' started by Ciscohite, Apr 25, 2012.

  1. Ciscohite

    Ciscohite Guest

    I would say this post is dedicated to Rohit, as he is the one who requested this and also gave me some food for thought, because I hardly put any configurations on the blog since my major focus remains on network designing. But I must say I enjoyed doing this and will try to post configurations more often; rather, I would be thankful to all of you if you can suggest to me the configurations I should be posting.

    For those who missed the security policies post - Catch It Here


    So, here it goes for the Network Diagram & ACL configuration for the post we discussed last time -


    eBrahma - ACL Network Diagram


    Configuration -


    Router#configure terminal
    !Add anti-spoofing entries.
    !Deny special-use address sources.
    !Refer to RFC 3330 for additional special-use addresses.
    Router(config)#access-list 110 deny ip 127.0.0.0 0.255.255.255 any
    Router(config)#access-list 110 deny ip 192.0.2.0 0.0.0.255 any
    Router(config)#access-list 110 deny ip 224.0.0.0 31.255.255.255 any
    Router(config)#access-list 110 deny ip host 255.255.255.255 any
    !The deny statement below should not be configured
    !on Dynamic Host Configuration Protocol (DHCP) relays.
    Router(config)#access-list 110 deny ip host 0.0.0.0 any
    !Filter RFC 1918 space.
    Router(config)#access-list 110 deny ip 10.0.0.0 0.255.255.255 any
    Router(config)#access-list 110 deny ip 172.16.0.0 0.15.255.255 any
    Router(config)#access-list 110 deny ip 192.168.0.0 0.0.255.255 any
    !Permit Border Gateway Protocol (BGP) to the edge router.
    !(Replace <bgp_peer IP> and <edge router_ip> with the peer's and your edge router's addresses.)
    Router(config)#access-list 110 permit tcp host <bgp_peer IP> gt 1023 host <edge router_ip> eq bgp
    Router(config)#access-list 110 permit tcp host <bgp_peer IP> eq bgp host <edge router_ip> gt 1023
    !Deny your space as source (as noted in RFC 2827).
    !(<your Internet-routable subnet> is written as network address followed by wildcard mask.)
    Router(config)#access-list 110 deny ip <your Internet-routable subnet> any
    !Explicitly permit return traffic. Allow specific ICMP types.
    Router(config)#access-list 110 permit icmp any any echo-reply
    Router(config)#access-list 110 permit icmp any any unreachable
    Router(config)#access-list 110 permit icmp any any time-exceeded
    Router(config)#access-list 110 deny icmp any any
    !Outgoing DNS queries are shown below (replies from source port 53 to the server's high ports).
    Router(config)#access-list 110 permit udp any eq 53 host <primary DNS server IP> gt 1023
    !Permit older DNS queries and replies to primary DNS server.
    Router(config)#access-list 110 permit udp any eq 53 host <primary DNS server IP> eq 53
    !Permit legitimate business traffic.
    Router(config)#access-list 110 permit tcp any <Internet-routable subnet> established
    Router(config)#access-list 110 permit udp any range 1 1023 <Internet-routable subnet> gt 1023
    !Internet-sourced connections to publicly accessible servers are shown below.
    Router(config)#access-list 110 permit tcp any host <public web server IP> eq 80
    Router(config)#access-list 110 permit tcp any host <public web server IP> eq 443
    Router(config)#access-list 110 permit tcp any host <public FTP server IP> eq 21
    !Data connections to the FTP server are allowed
    !by the permit established ACE.
    !Allow PASV data connections to the FTP server.
    Router(config)#access-list 110 permit tcp any gt 1023 host <public FTP server IP> gt 1023
    Router(config)#access-list 110 permit tcp any host <public SMTP server IP> eq 25
    !Explicitly deny all other traffic.
    !(Keep the ACL number consistent: a deny entered under another number, e.g. 101, creates a separate ACL
    !instead of ending this one, and the implicit deny then hides the slip.)
    Router(config)#access-list 110 deny ip any any






    You might also like these recent posts -

    Voice over IP (VoIP) - Solutions Case Study - Read This
    IPv6 Benefits - It's more than just larger address space - Read This
    Spanning Tree Protocol (STP) - The Necessary Evil - Read This
    Five Most Commonly used Networking Technologies - Read This
    Understanding Five Nines of Uptime - Read This

    for more - http://www.ebrahma.com
     
    Ciscohite, Apr 25, 2012
    #1
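To see how an inbound ACL like the one in the post above actually decides on traffic, here is a small evaluator for that numbered extended ACL syntax. It is an added example, not the poster's code or a Cisco tool: it parses the ACEs (wildcard masks, `host`/`any`, `eq`/`gt`/`range`, `established`, named ICMP types), applies first-match semantics plus the implicit deny, and runs a few constructed packets through. The concrete addresses (198.51.100.x, 203.0.113.x, RFC 5737 documentation ranges) are stand-ins for the post's `bgp_peer IP`, `edge router_ip`, DNS, public-server and `your Internet-routable subnet` placeholders. The `number` argument of `parse_acl` also shows why a mistyped ACL number on the final explicit deny goes unnoticed: IOS files that line under the other ACL, and the implicit deny drops unmatched packets anyway.

```python
# Added example, not the poster's code: parse the ACL 110 lines above and evaluate sample packets.
import ipaddress
from collections import namedtuple

# Constructed stand-ins (RFC 5737 ranges) for the post's peer, edge router, DNS, server and subnet placeholders.
BGP_PEER, EDGE_ROUTER, DNS_SERVER = "198.51.100.1", "203.0.113.1", "203.0.113.10"
WEB_SERVER, FTP_SERVER, SMTP_SERVER = "203.0.113.80", "203.0.113.21", "203.0.113.25"
OUR_SUBNET = "203.0.113.0 0.0.0.255"  # "your Internet-routable subnet" as network + wildcard mask

ACL_TEXT = f"""access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit tcp host {BGP_PEER} gt 1023 host {EDGE_ROUTER} eq bgp
access-list 110 permit tcp host {BGP_PEER} eq bgp host {EDGE_ROUTER} gt 1023
access-list 110 deny ip {OUR_SUBNET} any
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
access-list 110 permit udp any eq 53 host {DNS_SERVER} gt 1023
access-list 110 permit udp any eq 53 host {DNS_SERVER} eq 53
access-list 110 permit tcp any {OUR_SUBNET} established
access-list 110 permit udp any range 1 1023 {OUR_SUBNET} gt 1023
access-list 110 permit tcp any host {WEB_SERVER} eq 80
access-list 110 permit tcp any host {WEB_SERVER} eq 443
access-list 110 permit tcp any host {FTP_SERVER} eq 21
access-list 110 permit tcp any gt 1023 host {FTP_SERVER} gt 1023
access-list 110 permit tcp any host {SMTP_SERVER} eq 25
access-list 110 deny ip any any"""
PORT_NAMES = {"bgp": 179, "domain": 53, "www": 80, "ftp": 21, "smtp": 25}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

# Packet fields we match on; ack = TCP ACK or RST bit set, which is what IOS "established" tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type", defaults=(0, 0, False, -1))
# One access-control entry; icmp_type is -1 when the ACE does not name an ICMP type.
Rule = namedtuple("Rule", "action proto src sport_ok dst dport_ok established icmp_type")


def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in r.src and ipaddress.ip_address(p.dst) in r.dst
            and r.sport_ok(p.sport) and r.dport_ok(p.dport)
            and (p.ack or not r.established)
            and (r.icmp_type < 0 or p.icmp_type == r.icmp_type))


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks, i):
    """'any' | 'host A' | 'A WILDCARD' -> (network, next index); ipaddress takes a contiguous wildcard as hostmask."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def _ports(toks, i):
    """Optional 'eq N' | 'gt N' | 'range A B' -> (port predicate, next index)."""
    op = toks[i] if i < len(toks) else None
    if op == "eq":
        n = _port(toks[i + 1]); return (lambda x: x == n), i + 2
    if op == "gt":
        n = _port(toks[i + 1]); return (lambda x: x > n), i + 2
    if op == "range":
        lo, hi = _port(toks[i + 1]), _port(toks[i + 2]); return (lambda x: lo <= x <= hi), i + 3
    return (lambda x: True), i


def parse_acl(text: str, number: str = "110"):
    """Keep only the ACEs of one ACL number: IOS files a line carrying another number (a mistyped 101, say) under that ACL."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["access-list", number]:
            continue
        src, i = _addr(toks, 4)
        sport_ok, i = _ports(toks, i)
        dst, i = _addr(toks, i)
        dport_ok, i = _ports(toks, i)
        rest = toks[i:]
        icmp = next((ICMP_TYPES[t] for t in rest if t in ICMP_TYPES), -1)
        rules.append(Rule(toks[2], toks[3], src, sport_ok, dst, dport_ok, "established" in rest, icmp))
    return rules


def evaluate(rules, pkt: Packet) -> str:
    """First matching ACE decides; with no match the packet hits the implicit deny at the end of the list."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "deny (implicit)"


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print(evaluate(rules, Packet("tcp", "10.1.2.3", WEB_SERVER, 40000, 80)))  # spoofed RFC 1918 source
    print(evaluate(rules, Packet("tcp", BGP_PEER, EDGE_ROUTER, 50000, 179)))  # BGP from the peer
```

Only contiguous wildcard masks are handled (all this ACL uses); a discontiguous mask would need bitwise matching rather than `ipaddress`. Running `parse_acl` with the final deny written under a different number reproduces the "separate ACL" effect: the packet is still dropped, but by the implicit deny, so `show access-lists` hit counters, not packet behaviour, are what reveal the mistake.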