justin,
first of all, the sequence of events you've been told is horseshit...
first of all DO NOT !! apply access-groups to non-existent or incomplete
interfaces, this is a bad idea. ask a CCxx and watch those eyes light up as
in 'deny any any' until you get the acl done.
load it on the router before you apply it to the interface.
in building your access-list from a secure standpoint...
block those pesky rfc1918's....first
no access-list 100
access-list 100
**preface lines below with access-list 100
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
then allow tcp established back in...
permit tcp any 120.120.x.x 0.0.255.255 established
then block a lot of non-essential udp stuff...
deny udp any any eq 2049 log
deny udp any any eq 31337 log
then permit service related udp's
permit udp host x.x.x.x x.x.x.x gt 1023
permit udp host x.x.x.x x.x.x.x eq 53
permit tcp host x.x.x.x x.x.x.x 0.0.0.255 eq 25 ! smtp
then start making most specific permits and denials as needed
with logging where needed
it's an exact science, not guess work...
>From: "Network Operations" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: Re: cisco access-lists
>Date: Thu, 24 Aug 2000 11:07:18 -0700
>
>Hi Justin,
>
>You created the ACL (below) in config mode, next you need to go into
>interface config mode by typing 'int E0' or 'int S0' (or whatever interface
>you want to filter on) and type the following:
>
>ip access-group 103 in (or "out" if you're trying to enable an outgoing
>ACL)
>
>Next you need to filter all rfc1918 addresses AND filter incoming (spoofed)
>traffic sourced from your internal network.
>
>here's a web site you may want to check out:
>
>http://www.cisco.com/warp/public/707/21.html
>
>
>cheers..
>
>
>
>
>
> >>> Justin Tamakawa <[EMAIL PROTECTED]> 08/24/00 10:09AM >>>
>I'm having a problem with my access-list for my cisco router. Let me give
>you my exact access-list:
>
>access-list 103 permit tcp any any eq 80 (Web)
>access-list 103 permit tcp any any eq 443 (secure web(cybercash, kmart,
>etc))
>access-list 103 permit tcp any any eq 25 (SMTP)
>access-list 103 permit tcp any any eq 21 (FTP)
>access-list 103 permit tcp any any eq 23 (Telnet)
>access-list 103 permit tcp any any eq 5190 (AIM)
>access-list 103 permit tcp any any eq 7070 (Realaudio)
>access-list 103 permit tcp any any eq 53 (DNS)
>access-list 103 permit ip 216.*.*.* 0.0.0.0 any
>access-list 103 permit ip 216.*.*.* 156 0.0.0.0 any
>access-list 103 permit ip 63.*.*.* 0.0.0.0 any
>access-list 103 permit tcp any any eq 106
>access-list 103 permit udp any any eq 106
>access-list 103 permit tcp any any eq 109
>access-list 103 permit udp any any eq 109
>access-list 103 permit tcp any any eq 110
>access-list 103 permit udp any any eq 110
>access-list 103 permit tcp any any eq 554
>access-list 103 permit tcp any any eq 7070
>access-list 103 permit tcp any any eq 8080
>access-list 103 permit tcp any any eq 9090
>access-list 103 permit tcp any any eq 8181
>
>Of course what is in the parentheses is not included in the list. For some
>reason, the workers in my LAN don't have access to the www, among other
>things. What am I doing wrong? I am allowing tcp port 80, from anywhere to
>anywhere, so I can't see what the problem is. Oh - by the way, this is on
>my line coming in from the web.
>Any help is definitely appreciated!
>
>Thanks a MILLION,
>
>Justin
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
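Added example, not part of the thread and not Cisco code: a small first-match evaluator for IOS-style extended access-list entries, used to show why the original list (port permits only) drops the web replies coming back to the LAN while the ordering in the reply above (rfc1918 denies, then "established", then specific permits) passes them and logs the spoofed packet. It models the IOS semantics the replies rely on: entries are tried top to bottom and the first match wins, anything unmatched hits the implicit deny at the end, a port operator written after the destination address tests the destination port, and "established" matches only segments with ACK or RST set. The 120.120.0.0/16 inside network is the placeholder from the reply; 198.51.100.7, 10.1.2.3 and the port numbers are constructed test traffic.

```python
"""Constructed example: first-match evaluator for Cisco IOS-style extended ACLs."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK or RST set, i.e. part of an existing TCP session


def _ip(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _parse_addr(tok: List[str]) -> Tuple[int, int, List[str]]:
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (address, wildcard, rest)."""
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return _ip(tok[1]), 0, tok[2:]
    return _ip(tok[0]), _ip(tok[1]), tok[2:]


def _parse_port(tok: List[str]) -> Tuple[Optional[Callable[[int], bool]], List[str]]:
    """Optional 'eq N' | 'gt N' | 'lt N' | 'range A B' -> (predicate, rest)."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        n = int(tok[1])
        pred = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[tok[0]]
        return pred, tok[2:]
    if tok and tok[0] == "range":
        lo, hi = int(tok[1]), int(tok[2])
        return (lambda p: lo <= p <= hi), tok[3:]
    return None, tok


@dataclass
class ACE:
    text: str
    action: str
    proto: str
    src: int
    swild: int
    sport: Optional[Callable[[int], bool]]
    dst: int
    dwild: int
    dport: Optional[Callable[[int], bool]]
    established: bool
    log: bool

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        # IOS wildcard: 1 bits are "don't care", so only the 0 bits are compared.
        keep_s, keep_d = ~self.swild & 0xFFFFFFFF, ~self.dwild & 0xFFFFFFFF
        if (_ip(p.src) & keep_s) != (self.src & keep_s):
            return False
        if (_ip(p.dst) & keep_d) != (self.dst & keep_d):
            return False
        if self.sport and not self.sport(p.sport):
            return False
        if self.dport and not self.dport(p.dport):   # operator after dst = dst port
            return False
        if self.established and not p.ack:
            return False
        return True


def parse_ace(line: str) -> ACE:
    tok = line.split()
    if tok[0] == "access-list":      # numbered form: 'access-list 100 deny ...'
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, swild, tok = _parse_addr(tok)
    sport, tok = _parse_port(tok)
    dst, dwild, tok = _parse_addr(tok)
    dport, tok = _parse_port(tok)
    return ACE(line, action, proto, src, swild, sport, dst, dwild, dport,
               "established" in tok, "log" in tok)


def evaluate(acl: List[ACE], p: Packet) -> Tuple[str, str]:
    """First matching entry decides; no match at all is the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.text
    return "deny", "implicit deny"


# Port-only permits in the style of the original question (destination port only).
PORT_ONLY_ACL = [parse_ace(l) for l in (
    "access-list 103 permit tcp any any eq 80",
    "access-list 103 permit tcp any any eq 443",
    "access-list 103 permit tcp any any eq 25",
)]

# Ordering from the reply: anti-spoof denies, then established, then specific permits.
ORDERED_ACL = [parse_ace(l) for l in (
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 100 permit tcp any 120.120.0.0 0.0.255.255 established",
    "access-list 100 deny udp any any eq 2049 log",
    "access-list 100 permit udp any host 120.120.1.53 eq 53",
    "access-list 100 permit tcp any 120.120.1.0 0.0.0.255 eq 25",
)]

# Constructed traffic arriving inbound on the Internet-facing interface.
WEB_REPLY = Packet("tcp", "198.51.100.7", "120.120.1.10", sport=80, dport=40000, ack=True)
SPOOFED_SYN = Packet("tcp", "10.1.2.3", "120.120.1.10", sport=4444, dport=80)
INBOUND_SMTP = Packet("tcp", "198.51.100.7", "120.120.1.25", sport=33000, dport=25)
NFS_PROBE = Packet("udp", "198.51.100.7", "120.120.1.10", sport=1023, dport=2049)

if __name__ == "__main__":
    for name, pkt in (("web reply", WEB_REPLY), ("spoofed syn", SPOOFED_SYN),
                      ("inbound smtp", INBOUND_SMTP), ("nfs probe", NFS_PROBE)):
        print(f"{name:13s} port-only: {evaluate(PORT_ONLY_ACL, pkt)[0]:6s} "
              f"ordered: {evaluate(ORDERED_ACL, pkt)}")
```

The web reply has source port 80 and an ephemeral destination port, so `permit tcp any any eq 80` never matches it and it falls through to the implicit deny; the `established` entry is what admits it. The same port-only list happily permits a packet with a 10.x source, which the rfc1918 denies at the top of the ordered list catch and log first.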