Cisco IOS 12.X Access-List setup

Post by Bill Lincol » Mon, 31 Jan 2000 04:00:00



Is this a good Access-List for a general firewall?   It's my first attempt
w/ Cisco, I have always worked w/ OpenRoute in the past.

Extended IP access list 100
    permit tcp any host 140.239.206.131 eq www (34 matches)
    permit tcp any host 140.239.206.131 eq smtp (9430 matches)
    permit tcp any host 140.239.174.131 eq smtp
    permit tcp any host 140.239.206.135 eq 1723
    permit udp any host 140.239.206.135 eq 1723
    permit gre any host 140.239.206.135
    permit icmp any any echo (8572 matches)
    permit icmp any any echo-reply (47 matches)
    permit udp any host 140.239.206.133 eq domain (102 matches)
    permit udp any host 140.239.206.132 eq domain (899 matches)
    permit tcp any host 140.239.179.58 eq telnet (1850 matches)
    permit tcp any host 140.239.174.131 eq www (1212 matches)
    permit tcp any any established (39357 matches)

--
-=-=-=-=-=-=-=-=-=-=-
Bill Lincoln
Network Engineer
Teleco-Boston
Phone: 781-551-9200 / Fax: 781-551-0087

 
 
 

Cisco IOS 12.X Access-List setup

Post by Bert Boerlan » Mon, 31 Jan 2000 04:00:00



> Is this a good Access-List for a general firewall?

no matter what people say, a router is *not* a firewall. with ip
inspect, nat and good acl's you can get pretty secure though.

Quote:> Extended IP access list 100

better to have an extended acl.

Quote:>     permit tcp any host 140.239.206.131 eq www (34 matches)

you might want to have an entry for 443 (https) also

Quote:>     permit icmp any any echo (8572 matches)
>     permit icmp any any echo-reply (47 matches)

don't allow icmp within your network unless you *have* to.

just my dime.

--
Groets,

bert boerland

        -:-p-
---------------------------------------------------
            Stock symbol "FSCK", anyone?
http://boerland.com     mailto:bertATboerlandDOTcom
---------------------------------------------------

 
 
 

Cisco IOS 12.X Access-List setup

Post by Bill Lincol » Mon, 31 Jan 2000 04:00:00


Quote:> no matter what people say, a router is *not* a firewall. with ip
> inspect, nat and good acl's you can get pretty secure though.

Agreed

Quote:> > Extended IP access list 100

> better to have an extended acl.

what do you mean extended acl?

Quote:

> >     permit tcp any host 140.239.206.131 eq www (34 matches)

> you might want to have an entry for 443 (https) also

> >     permit icmp any any echo (8572 matches)
> >     permit icmp any any echo-reply (47 matches)

> dont allow icmp within your network unless you *have* to.

Well, ICMP (Ping) is an important troubleshooting tool. I HAVE to allow it
to my router because the ISP requires it.  You recommend limiting it to ONLY
the router?

 
 
 

Cisco IOS 12.X Access-List setup

Post by Dennis Hes » Sun, 06 Feb 2000 04:00:00


I would suggest putting the last line first, as you are getting the largest
portion of the hits on that line.  That will save CPU cycles, as processing
of the packet stops when a match is made.  In your example all the
established packets are processed down to the last line when they could be on
their way a lot sooner.  Put smtp as the second line.

D


Quote:> Is this a good Access-List for a general firewall?   It's my first attempt
> w/ Cisco, I have always worked w/ OpenRoute in the past.

> Extended IP access list 100
>     permit tcp any host 140.239.206.131 eq www (34 matches)
>     permit tcp any host 140.239.206.131 eq smtp (9430 matches)
>     permit tcp any host 140.239.174.131 eq smtp
>     permit tcp any host 140.239.206.135 eq 1723
>     permit udp any host 140.239.206.135 eq 1723
>     permit gre any host 140.239.206.135
>     permit icmp any any echo (8572 matches)
>     permit icmp any any echo-reply (47 matches)
>     permit udp any host 140.239.206.133 eq domain (102 matches)
>     permit udp any host 140.239.206.132 eq domain (899 matches)
>     permit tcp any host 140.239.179.58 eq telnet (1850 matches)
>     permit tcp any host 140.239.174.131 eq www (1212 matches)
>     permit tcp any any established (39357 matches)

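The reordering Dennis describes can be done from the `show access-list` counters rather than by eye. The script below is an added example, not code from the thread or from Cisco: it parses the listing Bill posted (copied here with the match counts as shown), checks that every entry has the same action (the one condition under which resorting a first-match ACL cannot change which packets get through, since the only deny is the implicit one at the end), sorts the busiest entries to the top, and counts how many entry comparisons the logged traffic paid before and after. The function names, the `Ace` class and the cost model are this example's own assumptions, not IOS terminology.

```python
"""Added example (not from the thread): reorder a first-match Cisco IOS ACL
by observed hit count, as Dennis suggests, and measure the saving.

IOS evaluates an ACL top-down and stops at the first matching entry (ACE),
so an ACE's position is the number of comparisons every packet it matches
pays. Reordering only preserves the ACL's meaning when every ACE has the
same action: with an all-permit list and the implicit deny at the end, any
order admits exactly the same packets. Mixed permit/deny lists must not be
resorted blindly, so the helper refuses them."""
import re
from dataclasses import dataclass

# The `show access-list` output quoted in the thread, with its match counters.
SHOW_ACCESS_LIST = """\
Extended IP access list 100
    permit tcp any host 140.239.206.131 eq www (34 matches)
    permit tcp any host 140.239.206.131 eq smtp (9430 matches)
    permit tcp any host 140.239.174.131 eq smtp
    permit tcp any host 140.239.206.135 eq 1723
    permit udp any host 140.239.206.135 eq 1723
    permit gre any host 140.239.206.135
    permit icmp any any echo (8572 matches)
    permit icmp any any echo-reply (47 matches)
    permit udp any host 140.239.206.133 eq domain (102 matches)
    permit udp any host 140.239.206.132 eq domain (899 matches)
    permit tcp any host 140.239.179.58 eq telnet (1850 matches)
    permit tcp any host 140.239.174.131 eq www (1212 matches)
    permit tcp any any established (39357 matches)
"""

# action, entry body, optional "(N matches)" counter
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    body: str     # the entry as written, without the counter
    matches: int  # hit counter from `show access-list` (0 if none shown)


def parse_show_access_list(text):
    """Turn `show access-list` output into Ace objects, in display order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:                                   # header/blank lines are skipped
            aces.append(Ace(m.group(1), f"{m.group(1)} {m.group(2)}",
                            int(m.group(3) or 0)))
    return aces


def reorder_is_safe(aces):
    """True when every ACE has the same action, so position cannot change
    which packets are permitted or denied."""
    return len({a.action for a in aces}) == 1


def reorder_by_hits(aces):
    """Busiest entries first; stable, so unhit entries keep their order."""
    if not reorder_is_safe(aces):
        raise ValueError("mixed permit/deny ACL: reordering changes its meaning")
    return sorted(aces, key=lambda a: a.matches, reverse=True)


def weighted_comparisons(aces):
    """Total ACE comparisons spent on the counted traffic: each packet that
    matched entry i (1-based) was tested against i entries."""
    return sum(i * a.matches for i, a in enumerate(aces, start=1))


def to_config(aces, number=100):
    """Emit the numbered-ACL config lines in the given order."""
    return [f"access-list {number} {a.body}" for a in aces]


if __name__ == "__main__":
    before = parse_show_access_list(SHOW_ACCESS_LIST)
    after = reorder_by_hits(before)
    total = sum(a.matches for a in before)
    print(f"avg comparisons/packet: {weighted_comparisons(before) / total:.2f} "
          f"-> {weighted_comparisons(after) / total:.2f}")
    print("\n".join(to_config(after)))
```

On the posted counters the average drops from roughly ten comparisons per packet to under two, almost all of it from moving the `established` line to the top. Two practical notes: reset the counters (`clear access-list counters 100`) and let them run over a representative period before sorting, and remember that a numbered ACL on older 12.x releases cannot be edited in place, so build the reordered list under a new number and swap it on the interface with `ip access-group`. If you take Bert's advice and add a `deny` (for instance to narrow ICMP to the router), the list is no longer all-permit and the helper will refuse to sort it; order such a list by hand, deny entries ahead of any broader permit.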