871 as a nat'd, border router

Unanswered Question
Oct 23rd, 2007
User Badges:

I am considering using a cisco router as my gateway/border router. My

lan machines will be nat'd behind it. I have read the NSA's guide to

securing these devices and turned off all of the unnecessary services.

But I had some questions regarding the acls.

I have set an outbound acl only allowing certain ports to have outbound

access (http, ftp, etc.). My question relates to the inbound acl.

Basically, I think it should be as follows:

allow incoming udp whose source port is 53 and destination port is > 1024

allow tcp established

deny ip any any log

for my udp rule, I have additional udp ports that need to be forwarded

through, not to initiate 'connections' but I need to get responses on

certain ports. For example I need a udp range to be able to use some

video/voice equipment and need to get replies in that range.

Is there a 'best practice' way to set this up? Do I just need to allow

all the udp ports that I am using inbound access? I am assuming that an

incoming udp response that doesn't have the same source/dest ports from

the same ip will be dropped but what about someone sniffing/spoofing my


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
a.cruea1980 Wed, 10/24/2007 - 05:00
User Badges:
  • Bronze, 100 points or more

Just a suggestion, use reflexive lists on a border router.



Those are good links to start with to learn about this stuff. I used to have an 871 (now have an 1811) and the 871 does most of the stuff in that guide no problem. The only warning I have is turning on ip inspect on an 871; it'll kill your throughput.

The big, and unsafe part of using "allow tcp established" is that any competent hacker can change a TCP packet to set the established bit to "1". So just leaving that open is insecure. More secure than just "permit tcp any any", but still more insecure than it needs to be.

And to answer your question, just like with TCP, UDP will respond on the port that you sent it from.

For simplicity sake, think of UDP like TCP; just connectionless.

Best practice from what I've heard is to use reflexive lists on border routers (in your case, this would be fa0). Then apply an ingress VACL on VLAN 1 (or whatever other VLANs are on your 871).


This Discussion