I am using NAT with overload with a 2514 for my cable connection and it works OK, except I need to figure out how to be more granular with the ACLs and the translation if I want to let certain types of traffic IN to my network, like to a web server.

Here is a long laundry list of access lists someone gave me. I have experimented with some of them. But be careful, you can lose your connection.

Hope this helps.

access-list 1 permit 10.x.x.0 0.0.0.255
access-list 1300 permit 192.5.41.209
access-list 1300 permit 192.5.41.41
access-list 1300 permit 10.0.0.0 0.255.255.255
access-list 1300 deny any log
! x.x.x.x = ISP Public DHCP server address
access-list 199 permit udp host x.x.x.x any eq bootps
! x.x.x.x = ISP Private DHCP server address
access-list 199 permit udp host x.x.x.x any eq bootps
! x.x.x.x = ISP Secondary DNS server address
access-list 199 permit udp host x.x.x.x any eq domain
access-list 199 permit udp host 192.5.41.41 any eq ntp
access-list 199 permit udp host 192.5.41.209 any eq ntp
access-list 199 deny udp any any eq ntp log
access-list 199 deny ip 10.0.0.0 0.255.255.255 any log
access-list 199 permit tcp any any eq echo established
access-list 199 permit tcp any any eq ftp established
access-list 199 permit tcp any any eq ftp-data established
access-list 199 permit tcp any any eq nntp established
access-list 199 permit tcp any any eq pop3 established
access-list 199 permit tcp any any eq smtp established
access-list 199 permit tcp any any eq www established
access-list 199 permit tcp any any eq 443 established
access-list 199 deny udp any any eq netbios-dgm log
access-list 199 deny udp any any eq netbios-ns log
access-list 199 deny udp any any eq netbios-ss log
access-list 199 deny udp any any eq bootpc log
access-list 199 deny udp any any eq bootps log
access-list 199 deny udp any any eq snmp log
access-list 199 deny udp any any eq snmptrap log
access-list 199 deny udp any any eq sunrpc log
access-list 199 deny udp any any eq syslog log
access-list 199 deny udp any any eq tacacs log
access-list 199 deny udp any any eq talk log
access-list 199 deny udp any any eq tftp log
access-list 199 deny udp any any eq time log
access-list 199 deny udp any any eq who log
access-list 199 deny udp any any eq xdmcp log
access-list 199 deny ip host 0.0.0.0 any log
access-list 199 deny ip any host 0.0.0.0 log
access-list 199 deny ip host 10.1.1.1 any log
access-list 199 deny ip 127.0.0.0 0.255.255.255 any log
access-list 199 deny ip 169.254.0.0 0.0.255.255 any log
access-list 199 deny ip 172.16.0.0 0.15.255.255 any log
access-list 199 deny ip 192.168.0.0 0.0.255.255 any log
access-list 199 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
access-list 199 deny ip any 255.255.255.0 0.0.0.255 log
access-list 199 deny tcp any any eq telnet
access-list 199 deny tcp any any eq 1661 log
access-list 199 deny tcp any any eq 1662 log
access-list 199 deny tcp any any eq 1663 log
access-list 199 deny tcp any any eq 1664 log
access-list 199 deny tcp any any eq 1665 log
access-list 199 deny tcp any any eq 1666 log
access-list 199 deny tcp any any eq 1667 log
access-list 199 deny tcp any any eq 1668 log
access-list 199 deny tcp any any eq 1669 log
access-list 199 deny tcp any any eq 1670 log
access-list 199 deny tcp any any eq 1671 log
access-list 199 deny tcp any any eq 1672 log
access-list 199 deny udp any any eq 1661 log
access-list 199 deny udp any any eq 1662 log
access-list 199 deny udp any any eq 1663 log
access-list 199 deny udp any any eq 1664 log
access-list 199 deny udp any any eq 1665 log
access-list 199 deny udp any any eq 1666 log
access-list 199 deny udp any any eq 1667 log
access-list 199 deny udp any any eq 1668 log
access-list 199 deny udp any any eq 1669 log
access-list 199 deny udp any any eq 1670 log
access-list 199 deny udp any any eq 1671 log
access-list 199 deny udp any any eq 1672 log
access-list 199 permit ip any any
!
ntp source Ethernet0
ntp access-group peer 1300
ntp master 15
ntp server 192.5.41.41 source Ethernet0 prefer
! x.x.x.x is an internal box on my network
ntp peer x.x.x.x source Ethernet1
ntp server 192.5.41.209 source Ethernet0
end

Randy

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43341&t=43322
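Added example, not part of the original post and not Cisco code: a small offline first-match walk over five lines copied from access-list 199 above, so an edited list can be tried against test packets before it is pasted into the router. The parser handles only the syntax that appears in this post (any / host / address plus wildcard, a destination "eq" port, "established"); the function names and the packet dictionary layout are hypothetical.

```python
import ipaddress
PORTS = {"www": 80, "telnet": 23, "snmp": 161}  # only the names the sample uses

def ip(a):
    return int(ipaddress.IPv4Address(a))

def take_addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD'
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def parse(line):
    tok = line.split()[2:]  # drop 'access-list <number>'
    rule = {"action": tok.pop(0), "proto": tok.pop(0), "dport": None}
    rule["src"], rule["dst"] = take_addr(tok), take_addr(tok)
    if tok and tok[0] == "eq":  # destination port, the only form in this post
        rule["dport"] = PORTS[tok[1]] if tok[1] in PORTS else int(tok[1])
    rule["established"] = "established" in tok
    return rule

def addr_ok(addr, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return ((ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0

def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (addr_ok(pkt["src"], rule["src"]) and addr_ok(pkt["dst"], rule["dst"])):
        return False
    if rule["dport"] not in (None, pkt["dport"]):
        return False
    return not rule["established"] or pkt.get("ack_or_rst", False)  # ACK or RST set

def first_match(acl_lines, pkt):
    for n, rule in enumerate(map(parse, acl_lines), 1):
        if matches(rule, pkt):
            return rule["action"], n
    return "deny", None  # implicit deny at the end of every ACL

ACL = [  # copied from access-list 199 in the post, same relative order
    "access-list 199 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 199 permit tcp any any eq www established",
    "access-list 199 deny udp any any eq snmp log",
    "access-list 199 deny tcp any any eq telnet",
    "access-list 199 permit ip any any",
]
```

Calling first_match(ACL, {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80}) with these constructed addresses returns ("permit", 5): a new connection to port 80 carries no ACK, so it skips the "www established" line and is let in by the final "permit ip any any".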

