Hi,
I'm sure this has probably been covered in the archives, and what I have
searched isn't exactly what I need.
I've got a 2611 (12.0) and I'm trying to configure my router to provide me
with a secure network. 2 mailservers and 2 DNS machines and about 12
workstations and 4 routers.
What I'm trying to do is make my network completely invisible to the outside
world. When someone scans my IP range they will see nothing. However my
inside traffic should have no problems accessing anything anywhere.
I also want to block certain ports; for some reason my unix machines like to
advertise ldap 389 and I want to completely block that from being seen
outside.
Currently if you scan my network you'll see:
|___ 22 ssh
|___ 25 Antigen
|___ 53 domain
|___ 80 Executor
|___ 110 pop3
|___ 389 ldap
|___ 1002
I would like to close certain ports on the cisco for outgoing traffic, and
make anyone portscanning me see nothing open.
I've spent a huge amount of time on CCO but still haven't found what I want.
Any suggestions?
Thanks
Brandon
I currently have applied this config:
ip subnet-zero
no ip source-route
no ip finger
ip route 0.0.0.0 0.0.0.0 Null0 255
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 7.255.255.255 any log
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 deny tcp any any eq ident
access-list 101 deny ip any any log
access-list 102 permit tcp any host (mailserver 1) eq smtp
access-list 102 permit tcp any host (mailserver 2) eq smtp
access-list 102 deny ip any any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip any 192.168.0.0 0.0.255.255 log
access-list 103 deny ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny ip any 10.0.0.0 0.255.255.255 log
access-list 103 permit ip any any
access-list 104 deny tcp any any eq finger
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17864&t=17864
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
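To see why the posted outbound list still lets LDAP out, here is an added example (my own Python, not from the post or from Cisco) that evaluates a packet against access-list 103 the way IOS does: first match wins, with an implicit deny at the end. The "fixed" list with an explicit ldap deny, and the 203.0.113.x / 198.51.100.x addresses, are constructed assumptions.

```python
import ipaddress

# Port names used in the posted ACLs, mapped to numbers.
PORT_NAMES = {"smtp": 25, "domain": 53, "finger": 79, "ident": 113, "ldap": 389}

def parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard'); return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_ace(line):
    """Parse one 'access-list N action proto src dst [eq port] [log]' entry."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, dst = parse_addr(rest), parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return action, proto, src, dst, dport

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation; Cisco's implicit 'deny any' applies when nothing matches."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, aproto, (sb, sw), (db, dw), aport in acl:
        if aproto not in ("ip", proto):        # 'ip' entries match every protocol
            continue
        if (s | sw) != (sb | sw) or (d | dw) != (db | dw):   # wildcard bits are don't-care
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"

# Access-list 103 exactly as posted (the outbound list).
ACL_103_POSTED = [parse_ace(l) for l in """
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip any 192.168.0.0 0.0.255.255 log
access-list 103 deny ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny ip any 10.0.0.0 0.255.255.255 log
access-list 103 permit ip any any
""".split("\n") if l.strip()]

# Hypothetical fix: one explicit LDAP deny inserted before the final permit.
LDAP_DENY = parse_ace("access-list 103 deny tcp any any eq ldap log")
ACL_103_FIXED = ACL_103_POSTED[:-1] + [LDAP_DENY] + ACL_103_POSTED[-1:]

# Constructed sample addresses: an inside host and an outside host.
INSIDE, OUTSIDE = "203.0.113.10", "198.51.100.5"
```

Access-list 103 as posted has no entry for port 389, so an inside host reaching out on ldap falls through to `permit ip any any`; the model checks only protocol, addresses and destination port, not the `established` keyword or the interface and direction the list is applied to.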