Replace Linksys with Cisco 2514 - Access lists

Aug 24th, 2007
Hi,


I want to replace my old Linksys with a Cisco 2514 on my home Internet connection and don't have any information as to what to permit/deny and on what interface and any additional security related interface commands. Any help would be greatly appreciated. Thanks.

steve.busby Sat, 08/25/2007 - 08:43

Generally speaking you probably don't want to limit what your inside users access on the internet. In your case you simply want to keep the bad guys out of your network (including your router).


Basically, the simplest ACL you would need would be a standard inbound ACL on your internet facing interface which denies all inbound traffic, but allows all outbound.


Something like this:


access-list 1 deny any
!
interface e0
 ! change e0 to your actual Internet-facing interface
 description Internet_Interface
 ip access-group 1 in
 ! applies ACL 1 inbound on the interface


Now if you have services you provide inside your network (such as a web server) you will need an extended ACL:


access-list 101 permit tcp any host <web-server-IP-address> eq 80
access-list 101 deny ip any any


Remember there is an implicit deny at the end of an ACL, but I like to manually add it as a reminder to the less experienced network engineer(s).


Additionally, since you don't have a firewall, you would also want an ACL to protect your 2514, but allow your internal network telnet/ssh access:


access-list 10 permit x.y.z.0 0.0.0.255
access-list 10 deny any
!
line vty 0 4
 access-class 10 in

rileymartin Sat, 08/25/2007 - 17:33
Thanks. I tried putting together a config with an inbound and outbound ACL and name resolution isn't working. I'm new to ACLs and obviously missing something. Here's the config I'm using:


version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 2514B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 192.168.126.1
!
ip dhcp pool DHCPPool
 import all
 network 192.168.126.0 255.255.255.240
 default-router 192.168.126.1
!
!
!
!
interface Ethernet0
 description Outside interface
 ip address dhcp
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 ip tcp adjust-mss 1452
 ntp disable
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 description Inside interface
 ip address 192.168.126.1 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 ip tcp adjust-mss 1452
!
interface Serial0
 no ip address
 no ip route-cache
!
interface Serial1
 no ip address
 no ip route-cache
 shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
no ip http server
ip classless
!
!
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 100 remark Only allow ACKed tcp packets to our network
access-list 100 permit tcp any 192.168.126.0 0.0.0.255 gt 1023 established
access-list 100 remark Allow DHCP replies to reach the e0 interface
access-list 100 permit udp any any eq bootpc
access-list 100 remark Allow DNS queries
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 remark Only allow specific ICMP
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 net-unreachable
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 host-unreachable
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 port-unreachable
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 packet-too-big
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 administratively-prohibited
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 source-quench
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 ttl-exceeded
access-list 101 remark Don't allow internal hosts to send icmp
access-list 101 deny icmp any any
access-list 101 remark Only allow packets from the internal network
access-list 101 permit ip 192.168.126.0 0.0.0.255 any
access-list 101 remark Allow DNS queries
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
!
!
line con 0
 exec-timeout 120 0
 password 7 xxxxxxxxxxxxxxxx
 logging synchronous
 login
line aux 0
 password 7 xxxxxxxxxxxxxxxx
 login
 transport input all
line vty 0 4
 exec-timeout 1 0
 password 7 xxxxxxxxxxxxxxxx
 login
!
end
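As an added check that is not part of either post: a small Python model of how IOS evaluates an extended ACL, run over the return-traffic and DNS entries of the inbound ACL 100 above. An inbound ACL on the outside interface is evaluated before NAT translates the destination back to an inside address, and the `eq domain` after `any any` matches the destination port, so a DNS reply (source port 53, ephemeral destination port) falls through to the implicit deny; the corrected entries match source port 53 and use `any` as the destination. The resolver and lease addresses and the port numbers are constructed sample values.

```python
import ipaddress

PORTS = {"domain": 53, "bootpc": 68, "www": 80}   # IOS port keywords -> numbers

def _net(t):
    """Consume an IOS address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]  # wildcard mask

def _port(t):
    """Consume an optional 'eq|gt|lt PORT' operator; return (predicate, rest)."""
    if t and t[0] in ("eq", "gt", "lt"):
        n = int(PORTS.get(t[1], t[1]))
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[t[0]], t[2:]
    return (lambda p: True), t

def parse_acl(text):
    """Parse extended entries; remarks are skipped and ICMP type keywords are not modelled."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()  # access-list N permit|deny PROTO SRC [op] DST [op] [established]
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _net(t[4:]);  sport, rest = _port(rest)
        dst, rest = _net(rest);   dport, rest = _port(rest)
        rules.append((t[2] == "permit", t[3], src, sport, dst, dport, "established" in rest))
    return rules

def evaluate(rules, proto, src, dst, sport, dport, ack=False):
    """First matching entry wins; falling off the end is the implicit deny, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, p, srcnet, sp, dstnet, dp, est in rules:
        if p not in ("ip", proto) or s not in srcnet or d not in dstnet:
            continue
        if not sp(sport) or not dp(dport) or (est and not (proto == "tcp" and ack)):
            continue
        return "permit" if permit else "deny"
    return "deny"

# The poster's inbound ACL 100 (return-traffic and DNS lines) beside a corrected version: on e0
# inbound the destination is still the NAT global address, and a DNS reply has source port 53.
ORIGINAL = """access-list 100 permit tcp any 192.168.126.0 0.0.0.255 gt 1023 established
access-list 100 permit udp any any eq domain"""
CORRECTED = """access-list 100 permit tcp any any gt 1023 established
access-list 100 permit udp any eq domain any gt 1023"""
DNS_REPLY = ("udp", "198.51.100.53", "203.0.113.7", 53, 40000)  # constructed reply to e0's lease
```

Calling `evaluate(parse_acl(ORIGINAL), *DNS_REPLY)` returns `deny`, while the same reply against `parse_acl(CORRECTED)` returns `permit`.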
