Howard,

The architecture of a security perimeter depends a lot on your
particular policies, so you should really do some research on what
sorts of traffic you want to allow in and out of your network.
However, a quick and dirty solution that should work for most small
networks like you describe is:

outside interface (typically a serial interface)
  ip access-group 101 in

access-list 101 permit tcp any host <web server ip> eq 80
access-list 101 permit tcp any host <web server ip> eq 443
access-list 101 permit tcp any any gt 1023 established
access-list 101 permit udp any eq 53 any gt 1023

You may want to also take a look at phrack issue 55 at
phrack.infonexus.com, there is a pretty decent paper on securing a
cisco router: "building bastion routers with ios".  If you need more
info on access-lists in general you may also want to take a look at
the cisco IOS documentation or "Cisco Access List Field Guide" of
which I am co-author.

HTH,
Kent

On 27 Feb 2001, at 15:41, Howard Yuan wrote:

> Hi,
> 
> I'm trying to put a firewall into my company's router.  They have a
> webserver which hosts their webpage and every computer on the Internet
> has the ability to see the Internet through the router.  What lines
> would I need to put into an access-list to keep the webserver seen and
> reachable, and allow the other computers on the network to be able to
> see the Internet? Which side should I put the access-list on?  Inbound
> or outbound?  Thank you in advance.
> 
> Howard
> 
> 
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html Report misconduct and
> Nondisclosure violations to [EMAIL PROTECTED]


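The four access-list lines in Kent's reply, run through a small first-match simulator so you can see which packets the inbound filter permits and which fall through to the implicit deny. This is an added example, not code from the original thread or from Cisco; it models IOS numbered extended ACL semantics (first matching line wins, an unwritten "deny any" at the end, and "established" meaning the ACK or RST bit is set) in Python. It uses 192.0.2.10 as a constructed stand-in for <web server ip> and documentation addresses for the other hosts, and it also parses the "address wildcard" form the reply does not use, so it goes slightly beyond the four lines shown.

```python
"""First-match evaluation of a Cisco IOS numbered extended ACL (teaching model).

Constructed example: rules are those from the reply above, with 192.0.2.10
standing in for <web server ip>. Not Cisco code; it only models the matching
logic: first matching line wins, implicit 'deny any' at the end.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ACL_TEXT = """
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any any gt 1023 established
access-list 101 permit udp any eq 53 any gt 1023
"""

PORT_OPS = {"eq", "gt", "lt", "neq"}


@dataclass
class Packet:
    proto: str          # 'tcp' or 'udp'
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK or RST set: what IOS 'established' checks


@dataclass
class Rule:
    action: str
    proto: str
    src: object                       # ip_network
    sport: Optional[Tuple]            # (op, value) or None for any port
    dst: object
    dport: Optional[Tuple]
    established: bool


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # address + wildcard mask; invert the wildcard to get a netmask (contiguous masks only)
    addr, wild = tokens[i], tokens[i + 1]
    mask = ~int(ip_address(wild)) & 0xFFFFFFFF
    return ip_network(f"{addr}/{ip_address(mask)}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional port operator (eq/gt/lt/neq N or range A B)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return (tokens[i], int(tokens[i + 1])), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return ("range", (int(tokens[i + 1]), int(tokens[i + 2]))), i + 3
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [port] dst [port] [established]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        established = "established" in t[i:]
        rules.append(Rule(action, proto, src, sport, dst, dport, established))
    return rules


def _port_match(spec, port):
    if spec is None:
        return True
    op, n = spec
    if op == "range":
        return n[0] <= port <= n[1]
    return {"eq": port == n, "neq": port != n, "gt": port > n, "lt": port < n}[op]


def evaluate(rules, pkt):
    """Return (action, rule_index); index None means the implicit deny fired."""
    for idx, r in enumerate(rules):
        if r.proto not in (pkt.proto, "ip"):
            continue
        if ip_address(pkt.src) not in r.src or ip_address(pkt.dst) not in r.dst:
            continue
        if not _port_match(r.sport, pkt.sport) or not _port_match(r.dport, pkt.dport):
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r.action, idx
    return "deny", None  # every IOS ACL ends with an implicit deny


RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    samples = [
        ("HTTP to web server", Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 80)),
        ("new SYN to inside :8080", Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 8080)),
        ("reply to inside browser", Packet("tcp", "203.0.113.9", 443, "10.0.0.5", 51000, ack=True)),
        ("DNS reply", Packet("udp", "203.0.113.53", 53, "10.0.0.5", 33000)),
        ("SSH to web server", Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 22)),
    ]
    for label, p in samples:
        print(f"{label:26s} -> {evaluate(RULES, p)}")
```

Running it shows the two things the reply relies on: inbound connections to anything but ports 80 and 443 on the web server reach no permit line and hit the implicit deny, while return traffic for sessions the inside hosts opened passes line 3 only because the ACK bit is set. Line order matters; the simulator stops at the first match exactly as the router does.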