Oops, typo, that line should have read:

deny ip  any (i.e. anti-spoofing)

Also, the UDP permits should have read:

permit udp host  eq 53 any gt 1023

The rest is correct, you always want to block bogus IP packets first, no
packets should enter the network claiming to be from your internal network
or from unroutable address space.

Regards,
Kent
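To show why the ordering matters, here is an added Python model of first-match IOS ACL evaluation (not from the thread); the inside block 203.0.113.0/24 and the resolver 198.51.100.53 are constructed placeholders for the addresses elided above. Legitimate DNS and HTTP replies pass in either order, but a packet forged with an inside source address is caught only when the anti-spoofing denies come first.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # Cisco "any"
def host(ip): return (ip, "0.0.0.0")          # Cisco "host x.x.x.x"

def addr_match(addr, spec):
    """Cisco wildcard mask: a 1 bit means don't-care, a 0 bit must match."""
    net, wildcard = spec
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & keep == int(ipaddress.IPv4Address(net)) & keep

def port_match(port, cond):
    if cond is None: return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]

def ace(action, proto, src=ANY, sport=None, dst=ANY, dport=None, established=False):
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, established=established)

def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]: continue
        if not (addr_match(pkt["src"], e["src"]) and addr_match(pkt["dst"], e["dst"])): continue
        if not (port_match(pkt.get("sport", 0), e["sport"]) and port_match(pkt.get("dport", 0), e["dport"])): continue
        if e["established"] and not pkt.get("ack"): continue   # 'established' needs ACK or RST set
        return e["action"]
    return "deny"

# Constructed placeholders: the thread elides the real inside block and DNS server address.
INSIDE = ("203.0.113.0", "0.0.0.255")   # the LAN the router does PAT for
DNS = "198.51.100.53"                   # the resolver named by "host ... eq 53"

ANTI_SPOOF = [ace("deny", "ip", ("10.0.0.0", "0.255.255.255")),
              ace("deny", "ip", ("172.16.0.0", "0.15.255.255")),
              ace("deny", "ip", ("192.168.0.0", "0.0.255.255")),
              ace("deny", "ip", INSIDE)]
PERMITS = [ace("permit", "udp", host(DNS), ("eq", 53), ANY, ("gt", 1023)),
           ace("permit", "tcp", ANY, ("eq", 80), ANY, None, established=True)]
DENIES_FIRST = ANTI_SPOOF + PERMITS     # the order Kent recommends
PERMITS_FIRST = PERMITS + ANTI_SPOOF    # the order Bradley asked about

# Constructed sample packets arriving inbound on the Internet-facing interface.
DNS_REPLY = dict(proto="udp", src=DNS, dst="203.0.113.10", sport=53, dport=40000)
WEB_REPLY = dict(proto="tcp", src="192.0.2.80", dst="203.0.113.10", sport=80, dport=50000, ack=True)
SPOOFED = dict(proto="tcp", src="203.0.113.5", dst="203.0.113.10", sport=80, dport=50000, ack=True)
INBOUND_SYN = dict(proto="tcp", src="192.0.2.80", dst="203.0.113.10", sport=12345, dport=80, ack=False)

if __name__ == "__main__":
    for name, pkt in [("DNS reply", DNS_REPLY), ("web reply", WEB_REPLY),
                      ("spoofed inside src", SPOOFED), ("inbound SYN", INBOUND_SYN)]:
        print(f"{name:20s} denies-first={evaluate(DENIES_FIRST, pkt):6s} permits-first={evaluate(PERMITS_FIRST, pkt)}")
```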

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Wilson, Bradley
Sent: Monday, August 06, 2001 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: Access-list [7:14755]


Wouldn't you want to put the tcp/udp permits before the ip denys?

access-list 101 permit udp host  eq 53 any gt 1023
access-list 101 permit udp host  eq 53 any gt 1023
access-list 101 permit tcp any eq www any established
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip  any

Otherwise, I think the "deny ip any" would deny any higher-layer traffic
from getting through.


-----Original Message-----
From: Kent Hundley [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 06, 2001 1:16 PM
To: [EMAIL PROTECTED]
Subject: RE: Access-list [7:14755]


The most basic config is:

access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip  any
(these block bogus packets, you should always have these for Internet facing
routers)
access-list 101 permit udp host  eq 53 any gt 1023
access-list 101 permit udp host  eq 53 any gt 1023
access-list 101 permit tcp any eq www any established

and then:

interface serial 0 (or whatever is your Internet facing interface)
  ip access-group 101 in

You'll need to permit additional things if you want your users to be able to
ping and traceroute.  There are also certain ICMP packets that you should
probably allow in as well.  You might also want to consider using the
Firewall Feature Set (FFS) to get stateful inspection capability on the
router.

I would recommend looking at the security docs on the Cisco site or getting
a good book on access-lists.  I happen to think that "Cisco Access Lists
Field Guide" is pretty good, but then I'm biased since I'm co-author. :-)

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Thomas
Sent: Thursday, August 02, 2001 11:08 PM
To: [EMAIL PROTECTED]
Subject: Access-list [7:14755]


Hi All,

On my internet router, I would like to deny everything but allow HTTP
traffic to get to the outside world and return to the host inside the LAN.
I really have difficulty with the access list.  Could you please help me
out?  BTW, I am running PAT (port address translation) on this router.
Thanks All in advance!

Thomas

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15143&t=14755