01-19-2008 06:47 PM - edited 03-09-2019 07:54 PM
I am looking for an ACL I can put on my edge router to deny ICMP and telnet to my WAN port. The network has an internal firewall that is protecting the network, but I think I should also deny access to my router from the outside. Thanks in advance.
01-20-2008 01:43 AM
Joseph, go over this link for recommended ACL filters for your internet-facing router.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Rgds
Jorge
01-21-2008 09:52 AM
Along with Jorge's link, here's an ACL that conforms to DIACAP certification.
ip access-list extended [ACL Name]
remark Allow BGP
permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface]
permit tcp host [BGP Neighbor] host [Local BGP Interface] eq bgp
remark Deny Historical Broadcast
deny ip 0.0.0.0 0.255.255.255 any log
remark Broadcast
deny ip host 255.255.255.255 any log
remark Local Host
deny ip 127.0.0.0 0.255.255.255 any log
remark Private Network
deny ip 10.0.0.0 0.255.255.255 any log
remark Link Local Networks
deny ip 169.254.0.0 0.0.255.255 any log
remark Test Net
deny ip 192.0.2.0 0.0.0.255 any log
remark Private Network
deny ip 192.168.0.0 0.0.255.255 any log
remark Class D Reserved
deny ip 224.0.0.0 15.255.255.255 any log
remark Class E Reserved
deny ip 240.0.0.0 15.255.255.255 any log
remark Private Network
deny ip 172.16.0.0 0.15.255.255 any log
remark HP Printer Default IP Address
deny ip 192.0.0.0 0.0.0.255 any log
remark IANA NS Lab
deny ip 192.0.127.0 0.0.0.255 any log
remark IANA Reserved
deny ip 192.0.0.0 0.0.0.128 any log
remark Unallocated / IANA Reserved
deny ip 1.0.0.0 0.255.255.255 any log
deny ip 2.0.0.0 0.255.255.255 any log
deny ip 5.0.0.0 0.255.255.255 any log
deny ip 7.0.0.0 0.255.255.255 any log
deny ip 23.0.0.0 0.255.255.255 any log
deny ip 27.0.0.0 0.255.255.255 any log
deny ip 31.0.0.0 0.255.255.255 any log
deny ip 36.0.0.0 0.255.255.255 any log
deny ip 37.0.0.0 0.255.255.255 any log
deny ip 39.0.0.0 0.255.255.255 any log
deny ip 42.0.0.0 0.255.255.255 any log
deny ip 77.0.0.0 0.255.255.255 any log
deny ip 78.0.0.0 0.255.255.255 any log
deny ip 79.0.0.0 0.255.255.255 any log
deny ip 92.0.0.0 0.255.255.255 any log
deny ip 180.0.0.0 0.255.255.255 any log
deny ip 197.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
remark Inbound from Own Subnet
deny ip [Your Public Address Space] any log
remark Block Traceroute
deny ip any any option traceroute log
deny tcp any any eq 27665 log
deny udp any any eq 31335 log
deny udp any any eq 27444 log
deny udp any any eq 31337 log
deny udp any any eq 31338 log
deny tcp any any eq 16660 log
deny tcp any any eq 65000 log
deny tcp any any eq 33270 log
deny tcp any any eq 39168 log
deny tcp any any eq 47017 log
deny tcp any any range 6711 6712 log
deny tcp any any eq 6776 log
deny tcp any any eq 6669 log
deny tcp any any eq 2222 log
deny tcp any any eq 7000 log
deny tcp any any eq 65301 log
remark Allow Specific ICMP
permit icmp any host [Local Host for ICMP] echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
remark Deny all other ICMP
deny icmp any any log
remark Allow Traffic to Public Network
permit ip any [Your Public Address Space]
remark Deny all other Traffic
deny ip any any log
This does change occasionally; the most recent version is always at
http://kb.packetpros.com/?View=entry&EntryID=10
HTH
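As an added example (not from the thread and not Cisco code), here is a small Python simulator of IOS extended-ACL evaluation, run over a constructed subset of the ACL above with its placeholders filled by RFC 5737 documentation addresses, so you can test the original question (ICMP and telnet to the WAN port) before deploying. It walks entries top-down, first match decides, and shows the caveat that if the router's own WAN address falls inside [Your Public Address Space], the "permit ip any" entry still lets telnet reach the router, while ICMP echo to the router is dropped by the "deny icmp any any" entry. Assumed values: BGP neighbor 203.0.113.1, router WAN/BGP address 203.0.113.2, public space 198.51.100.0/24, ICMP-reachable host 198.51.100.10; only the syntax used in the thread is parsed, and only contiguous wildcard masks are supported.

```python
import ipaddress

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
PORT_NAMES = {"bgp": 179, "telnet": 23}
# Constructed subset of the posted ACL; placeholders filled with RFC 5737 addresses
SAMPLE_ACL = """permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 198.51.100.0 0.0.0.255 any log
permit icmp any host 198.51.100.10 echo
permit icmp any any echo-reply
deny icmp any any log
permit ip any 198.51.100.0 0.0.0.255
deny ip any any log"""

def _addr(tok):  # consume 'any', 'host A' or 'A WILDCARD' (contiguous wildcards only)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network((tok[0], tok[1]), strict=False), tok[2:]

def _port(tok):  # consume an optional 'eq P' or 'range LO HI' -> ((lo, hi) or None, rest)
    if tok and tok[0] == "eq":
        p = PORT_NAMES.get(tok[1]) or int(tok[1])
        return (p, p), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return None, tok

def parse_acl(text):
    """Rule tuples (action, proto, src, sport, dst, dport, icmp_type); remarks skipped."""
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0] in ("remark", "ip"):  # remarks and the 'ip access-list' header
            continue
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _addr(tok); sport, tok = _port(tok)
        dst, tok = _addr(tok); dport, tok = _port(tok)
        icmp = ICMP_TYPES[tok[0]] if tok and tok[0] in ICMP_TYPES else None
        rules.append((action, proto, src, sport, dst, dport, icmp))
    return rules

def evaluate(rules, proto, src, dst, dport=None, sport=None, icmp_type=None):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, sp, dn, dp, it in rules:  # top-down, first match decides
        if (p in ("ip", proto) and s in sn and d in dn and (it is None or it == icmp_type)
                and (sp is None or sport in range(sp[0], sp[1] + 1))
                and (dp is None or dport in range(dp[0], dp[1] + 1))):
            return action
    return "deny"  # no entry matched: the implicit deny at the end of every IOS ACL
```

With these values, evaluate(rules, "tcp", "192.0.2.50", "198.51.100.1", dport=23) returns "permit", so an explicit deny for the router's own addresses (or a vty access-class) is needed to meet the original requirement; the same telnet attempt against 203.0.113.2, which lies outside the public space, falls through to the final deny.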
01-21-2008 10:13 AM
Thanks for the help.