08-24-2007 06:02 PM
Hi,
I want to replace my old Linksys with a Cisco 2514 on my home Internet connection and don't have any information as to what to permit/deny and on what interface and any additional security related interface commands. Any help would be greatly appreciated. Thanks.
08-25-2007 08:43 AM
Generally speaking you probably don't want to limit what your inside users access on the internet. In your case you simply want to keep the bad guys out of your network (including your router).
Basically, the simplest ACL you would need would be a standard inbound ACL on your internet facing interface which denies all inbound traffic, but allows all outbound.
Something like this:
access-list 1 deny any
interface e0 <--Change this to your actual interface
description Internet_Interface
ip access-group 1 in <--applies ACL to interface
Now if you have services you provide inside your network (such as a web server) you will need an extended ACL:
access-list 101 permit tcp any host <web-server-IP-address> eq 80
access-list 101 deny ip any any
Remember there is an implicit deny at the end of an ACL, but I like to manually add it as a reminder to the less experienced network engineer(s).
Additionally, since you don't have a firewall, you would also want an ACL to protect your 2514, but allow your internal network telnet/ssh access:
access-list 10 permit x.y.z.0 0.0.0.255
access-list 10 deny any
line vty 0 4
access-class 10 in
08-25-2007 08:45 AM
Not sure how I posted twice, but I wanted to edit my original with a Google link that has some examples:
08-25-2007 05:33 PM
Thanks. I tried putting together a config with an inbound and outbound ACL and name resolution isn't working. I'm new to ACLs and obviously missing something. Here's the config I'm using:
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 2514B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 192.168.126.1
!
ip dhcp pool DHCPPool
import all
network 192.168.126.0 255.255.255.240
default-router 192.168.126.1
!
!
!
!
interface Ethernet0
description Outside interface
ip address dhcp
ip access-group 100 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip route-cache
ip tcp adjust-mss 1452
ntp disable
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
description Inside interface
ip address 192.168.126.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip route-cache
ip tcp adjust-mss 1452
!
interface Serial0
no ip address
no ip route-cache
!
interface Serial1
no ip address
no ip route-cache
shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
no ip http server
ip classless
!
!
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 100 remark Only allow ACKed tcp packets to our network
access-list 100 permit tcp any 192.168.126.0 0.0.0.255 gt 1023 established
access-list 100 remark Allow DHCP replies to reach the e0 interface
access-list 100 permit udp any any eq bootpc
access-list 100 remark Allow DNS queries
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 remark Only allow specific ICMP
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 net-unreachable
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 host-unreachable
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 port-unreachable
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 packet-too-big
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 administratively-prohibited
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 source-quench
access-list 100 permit icmp any 192.168.126.0 0.0.0.255 ttl-exceeded
access-list 101 remark Don't allow internal hosts to send icmp
access-list 101 deny icmp any any
access-list 101 remark Only allow packets from the internal network
access-list 101 permit ip 192.168.126.0 0.0.0.255 any
access-list 101 remark Allow DNS queries
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
!
!
line con 0
exec-timeout 120 0
password 7 xxxxxxxxxxxxxxxx
logging synchronous
login
line aux 0
password 7 xxxxxxxxxxxxxxxx
login
transport input all
line vty 0 4
exec-timeout 1 0
password 7 xxxxxxxxxxxxxxxx
login
!
end
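Added example, not part of the thread and not Cisco's code: a small Python model of how IOS walks an access list, covering the points the first answer makes (top-down evaluation, first match wins, implicit deny at the end, a standard ACL matching on source only) and the detail that matters for the posted config: in an extended entry, a port qualifier binds to the address it follows, so in "permit udp any any eq domain" the "eq domain" tests the destination port. A DNS reply arrives with source port 53 and a high destination port, so that entry never matches it. The model only understands the ip/tcp/udp syntax used in the thread, does not model ICMP entries, and does not account for NAT (it judges packets on the addresses it is given). The packets, the outside addresses (RFC 5737 documentation ranges), and the "reply-aware" variant of ACL 100 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the well-known port names IOS accepts in ACL entries.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80, "telnet": 23, "ssh": 22}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "ip" (icmp is not modelled here)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # True when ACK or RST is set, which is what 'established' tests


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[Tuple[str, int]] = None   # ("eq"|"gt"|"lt", port) or None
    dport: Optional[Tuple[str, int]] = None
    established: bool = False
    text: str = ""


def _addr(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tok.pop(0) + "/32")
    # An IOS wildcard mask is what the ipaddress module calls a hostmask.
    return ipaddress.IPv4Network((first, tok.pop(0)), strict=False)


def _port(tok: List[str]) -> Optional[Tuple[str, int]]:
    """Consume an 'eq|gt|lt PORT' qualifier if one is next; it binds to the address just read."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        op, name = tok.pop(0), tok.pop(0)
        return op, PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'access-list N permit|deny ...' line; remark lines yield None."""
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]                       # drop 'access-list' and the list number
    if not tok or tok[0] == "remark":
        return None
    action = tok.pop(0)
    if tok[0] in ("ip", "tcp", "udp"):      # extended ACL: protocol, source, destination
        proto = tok.pop(0)
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        established = bool(tok) and tok[0] == "established"
    else:                                   # standard ACL: matches on source only
        proto, src, sport, dport, established = "ip", _addr(tok), None, None, False
        dst = ipaddress.IPv4Network("0.0.0.0/0")
    return Rule(action, proto, src, dst, sport, dport, established, line.strip())


def _port_ok(spec: Optional[Tuple[str, int]], port: int) -> bool:
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src or ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.established and not pkt.ack:
        return False
    return _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """Walk the list top-down; the first matching entry wins; no match is the implicit deny."""
    for line in acl:
        rule = parse_rule(line)
        if rule is not None and matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "(implicit deny at end of list)"


# The tcp/udp entries of ACL 100 as posted above (icmp entries left out of this model).
ACL_100_POSTED = [
    "access-list 100 remark Only allow ACKed tcp packets to our network",
    "access-list 100 permit tcp any 192.168.126.0 0.0.0.255 gt 1023 established",
    "access-list 100 permit udp any any eq bootpc",
    "access-list 100 permit tcp any any eq domain",
    "access-list 100 permit udp any any eq domain",
]
# Hypothetical variant (constructed, not from the thread): 'eq domain' now follows the
# SOURCE address, so the entry describes a reply coming FROM port 53 to a high port.
ACL_100_REPLY_AWARE = ACL_100_POSTED[:3] + [
    "access-list 100 permit udp any eq domain 192.168.126.0 0.0.0.255 gt 1023",
]
# Standard ACL in the style of the first answer's vty access-class.
ACL_10 = ["access-list 10 permit 192.168.126.0 0.0.0.255", "access-list 10 deny any"]

# Constructed packets; outside addresses come from the RFC 5737 documentation ranges.
DNS_REPLY = Packet("udp", "192.0.2.53", "192.168.126.5", sport=53, dport=40000)
HTTP_REPLY = Packet("tcp", "203.0.113.10", "192.168.126.5", sport=80, dport=50000, ack=True)
UNSOLICITED_SYN = Packet("tcp", "203.0.113.10", "192.168.126.5", sport=44444, dport=22)
INSIDE_TELNET = Packet("tcp", "192.168.126.7", "192.168.126.1", sport=1200, dport=23)
OUTSIDE_TELNET = Packet("tcp", "203.0.113.10", "192.168.126.1", sport=1200, dport=23)

if __name__ == "__main__":
    for label, acl, pkt in [("posted ACL 100, DNS reply", ACL_100_POSTED, DNS_REPLY),
                            ("reply-aware ACL 100, DNS reply", ACL_100_REPLY_AWARE, DNS_REPLY),
                            ("posted ACL 100, HTTP reply", ACL_100_POSTED, HTTP_REPLY),
                            ("posted ACL 100, unsolicited SYN", ACL_100_POSTED, UNSOLICITED_SYN),
                            ("ACL 10, inside telnet", ACL_10, INSIDE_TELNET),
                            ("ACL 10, outside telnet", ACL_10, OUTSIDE_TELNET)]:
        action, entry = evaluate(acl, pkt)
        print(f"{label}: {action} by {entry}")
```

Running it shows the posted ACL 100 dropping the DNS reply on the implicit deny while still permitting the ACKed HTTP reply and dropping the unsolicited SYN, and ACL 10 admitting only the inside source. The same evaluate() call is a cheap way to sanity-check any rewritten entry against a handful of packets before applying it to the live interface.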