06-23-2008 11:45 AM - edited 03-11-2019 06:03 AM
I have made an ACL to be applied to an edge router of an ISP. Please review and comment.
I am a bit confused about the first line, about permitting established connections. Is its placement OK, and do I need it?
Please comment.
! extended ACL 110; IOS evaluates entries top down and stops at the first match
! entry 1 matches any TCP segment that has the ACK or RST bit set, whatever its source
access-list 110 permit tcp any any established
! anti-spoofing: loopback, TEST-NET, multicast, limited broadcast, unspecified, RFC 1918
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 15.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
! placeholder: your own Internet-routable prefix and its wildcard mask go here
access-list 110 deny ip <your Internet-routable subnet> <wildcard> any
! blocked destination ports
! note: TFTP (69) and SNMP (161/162) run over UDP, so the tcp entries for them match no TFTP or SNMP traffic
access-list 110 deny tcp any any eq 69
access-list 110 deny tcp any any eq 135
access-list 110 deny tcp any any eq 137
access-list 110 deny tcp any any eq 138
access-list 110 deny tcp any any eq 139
access-list 110 deny tcp any any eq 445
access-list 110 deny udp any any eq 445
access-list 110 deny tcp any any eq 161
access-list 110 deny tcp any any eq 162
access-list 110 deny tcp any any eq 1016
access-list 110 deny udp any any eq 1016
access-list 110 deny tcp any any eq 1120
access-list 110 deny tcp any any eq 1243
access-list 110 deny udp any any eq 1434
access-list 110 deny tcp any any eq 2048
access-list 110 deny udp any any eq 2048
access-list 110 deny udp any any eq 2140
access-list 110 deny udp any any eq 3150
access-list 110 deny tcp any any eq 4444
access-list 110 deny tcp any any eq 5554
access-list 110 deny udp any any eq 5554
access-list 110 deny tcp any any eq 6711
access-list 110 deny tcp any any eq 6776
access-list 110 deny tcp any any eq 7300
access-list 110 deny tcp any any eq 7597
access-list 110 deny tcp any any eq 9996
access-list 110 deny udp any any eq 9996
access-list 110 deny tcp any any eq 11000
access-list 110 deny tcp any any eq 21554
access-list 110 deny tcp any any eq 27374
access-list 110 deny udp any any eq 31337
access-list 110 deny tcp any any eq 31338
access-list 110 deny tcp any any eq 31339
! ICMP: allow replies and the error messages that traceroute and path MTU discovery depend on, drop the rest
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
! everything not matched above is permitted
access-list 110 permit ip any any
06-23-2008 12:21 PM
Why are there multiple ACL numbers? I maintain a current DoD/DISA compliant ACL here: http://packetpros.com/wiki/index.php/What%27s_the_current_DITSCAP/DIACAP_ACL_for_a_public_interface%3F
Hope that helps
06-23-2008 12:50 PM
Those different ACL numbers were just a mistake.
Anyhow, I had a look at your ACL. It's much more detailed.
I am confused about the established statement at the top of my ACL. Can you please comment on it?
06-23-2008 01:02 PM
With basic standard and static extended access lists, you can approximate session filtering by using the established keyword with the permit command. The established keyword filters TCP packets based on whether the ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session, and therefore, that the packet belongs to an established session.) This filter criterion would be part of an access list applied permanently to an interface.
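The placement question, worked through as an added example (Python written for this edit; it is not the poster's configuration and not Cisco code): a small first-match evaluator for the subset of IOS extended ACL syntax the thread uses. The supported grammar, the constructed ACL fragments and the constructed packets are assumptions of this example. It runs the same TCP segment, one that carries the ACK bit but claims an RFC 1918 source, against an ACL with "permit tcp any any established" placed first and against one where that line follows the anti-spoofing denies.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax.

Added example for this thread (assumption-based, not Cisco code).  Grammar
handled, enough for the ACL in the thread:
    access-list N {permit|deny} {ip|tcp|udp|icmp} SRC DST [eq PORT] [established]
where SRC and DST are 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
"""
import ipaddress


def _wildcard_to_prefix(wildcard):
    """Convert an IOS wildcard mask (0 bits = must match) to a prefix length."""
    w = int(ipaddress.ip_address(wildcard))
    if (w + 1) & w:  # not of the form 2**k - 1: discontiguous, unsupported here
        raise ValueError(f"discontiguous wildcard {wildcard} not supported")
    return 32 - w.bit_length()


def _parse_addr(tokens, i):
    """Parse the address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefix = _wildcard_to_prefix(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_acl(text):
    """Return the ACL entries in the order written; the order is the whole point."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # skips blank lines, '!' comments and 'remark' entries
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port, established = None, False
        while i < len(t):
            if t[i] == "eq":
                port, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                established, i = True, i + 1
            else:
                i += 1  # ICMP type keywords etc. are ignored in this subset
        entries.append(dict(action=t[2], proto=t[3], src=src, dst=dst,
                            port=port, established=established))
    return entries


def evaluate(entries, pkt):
    """Return (action, entry index) for a packet; index None means the implicit deny.

    pkt keys: proto, src, dst, dport (int or None), ack (True when ACK or RST is set).
    """
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for idx, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["port"] is not None and pkt.get("dport") != e["port"]:
            continue
        if e["established"] and not pkt.get("ack", False):
            continue
        return e["action"], idx
    return "deny", None  # implicit 'deny ip any any' at the end of every IOS ACL


# Constructed ACL fragments in the thread's style (wildcards as in the post).
ANTI_SPOOF = """
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 224.0.0.0 15.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
"""
ESTABLISHED = "access-list 110 permit tcp any any established\n"
TAIL = "access-list 110 permit ip any any\n"
ACL_ESTABLISHED_FIRST = parse_acl(ESTABLISHED + ANTI_SPOOF + TAIL)
ACL_ESTABLISHED_AFTER = parse_acl(ANTI_SPOOF + ESTABLISHED + TAIL)

# Constructed packets: a segment with ACK set claiming an RFC 1918 source, and a
# plain SYN from a public (documentation range) address.
SPOOFED_ACK = dict(proto="tcp", src="10.1.2.3", dst="198.51.100.10", dport=80, ack=True)
INBOUND_SYN = dict(proto="tcp", src="203.0.113.5", dst="198.51.100.10", dport=80, ack=False)


def compare():
    """Same packets against both orderings; only the established line's position differs."""
    return {
        "spoofed_ack_established_first": evaluate(ACL_ESTABLISHED_FIRST, SPOOFED_ACK)[0],
        "spoofed_ack_established_after": evaluate(ACL_ESTABLISHED_AFTER, SPOOFED_ACK)[0],
        "inbound_syn_established_after": evaluate(ACL_ESTABLISHED_AFTER, INBOUND_SYN)[0],
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {verdict}")
```

Because IOS stops at the first match, an established permit at the top matches every TCP segment carrying ACK or RST regardless of its source address, so the anti-spoofing denies beneath it never see those segments. With the line moved below the denies, the spoofed segment is dropped by the 10.0.0.0/8 entry while the SYN from a public address still reaches the final permit.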