Internet-facing ACL

Unanswered Question
Aug 7th, 2009

Which ACL makes more sense or is more appropriate to apply inbound on an internet-facing interface?

I think the first one makes a lot more sense. I have no idea what in the world the first few statements of the 2nd ACL are supposed to prevent.

ip access-list extended ISP-inbound
remark permit Border Gateway Protocol to the router.
permit tcp host <ISP eBGP neighbor IP address> gt 1023 host <local eBGP IP address> eq bgp
permit tcp host <ISP eBGP neighbor IP address> eq bgp host <local eBGP IP address> gt 1024 established
remark permit Subscriber Traffic - THESE ARE USER SUBNETS. USERS USE PUBLIC ADDRESSES.
permit ip any <subscriber subnet> 0.0.63.255
permit ip any <subscriber subnet> 0.0.3.255
remark deny any internet traffic to this router - ALL THESE ARE INTERFACES WITH PUBLIC ADDRESSES THAT ARE THEORETICALLY REACHABLE FROM THE INTERNET
deny ip any host <gi1/1 IP address>
deny ip any host <gi1/6 IP address>
deny ip any host <Te 9/2 IP address>
deny ip any host <Te 9/3 IP address>
deny ip any host <Te 9/1 IP address>
remark deny Internal space as source - THIS IS TO PREVENT SPOOFING.
deny ip <WSC Mgmt Public network address> 0.0.0.255 any
deny ip <VoIP network address> 0.0.0.255 any
deny ip <loopback0 IP address> 0.0.0.15 any
deny ip <subscriber subnet network address> 0.0.63.255 any
deny ip <subscriber subnet network address> 0.0.3.255 any
remark deny Bogons - DENYING BOGONS
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 14.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 46.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 175.0.0.0 0.255.255.255 any
deny ip 176.0.0.0 0.255.255.255 any
deny ip 177.0.0.0 0.255.255.255 any
deny ip 178.0.0.0 0.255.255.255 any
deny ip 179.0.0.0 0.255.255.255 any
deny ip 181.0.0.0 0.255.255.255 any
deny ip 182.0.0.0 0.255.255.255 any
deny ip 185.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 223.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
remark explicitly permit return traffic. Allow specific ICMP types.
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any

OR

ip access-list extended eBGP_Port
permit tcp any eq www any
deny tcp any any eq 1
deny tcp any any eq smtp
deny tcp any any eq 135
deny tcp any any eq 137 138 139
deny tcp any any eq 445
deny udp any any eq 1
deny udp any any eq 25
deny udp any any eq 50
deny udp any any eq 55
deny udp any any eq 70
deny udp any any eq 135
deny udp any any eq netbios-ns netbios-dgm netbios-ss
deny udp any any eq 445
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.0.240.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 0.0.0.0 252.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any

Hitesh Vinzoda Sun, 08/09/2009 - 09:58

I'm not able to understand why you are using a lot of deny statements. What I will suggest is first of all to define the interesting traffic which needs to be permitted, and at the end of the ACL there is always an implicit deny statement.

e.g.

permit tcp host <ISP eBGP neighbor IP address> host <local eBGP IP address> eq bgp
permit ip any <subscriber subnet> 0.0.63.255
permit ip any <subscriber subnet> 0.0.3.255
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded

That's it... anything else not defined in a permit statement is denied.

Please elaborate on the use of ip any any in the second ACL and why it is not mentioned in the first ACL.
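A small first-match ACL evaluator, added here as an example (it is not code from either poster), that applies Cisco wildcard-mask semantics to a few ACEs copied from the second ACL above plus a constructed two-line stand-in for the first one. It shows what the 172.16.0.0 0.0.240.255 and 0.0.0.0 252.255.255.255 lines actually match, and how the implicit deny that Hitesh describes ends the first ACL. Only any/host/wildcard address specs and eq port lists are modelled; the RFC 5737 TEST-NET addresses used in place of the post's placeholders are assumptions.

```python
import ipaddress

# Port names that appear in the ACLs on this page (IOS accepts names or numbers after "eq")
PORT_NAMES = {"www": 80, "smtp": 25, "bgp": 179, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def wild_match(addr, net, wild):
    # Cisco wildcard semantics: a 1 bit in the mask means "don't care", a 0 bit must match
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)

def _addr(tok, i):
    # One address spec: any | host A | NET WILDCARD -> (matcher, index of the next token)
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        return (lambda ip, h=tok[i + 1]: ip == h), i + 2
    return (lambda ip, n=tok[i], w=tok[i + 1]: wild_match(ip, n, w)), i + 2

def _ports(tok, i):
    # Optional "eq p1 [p2 ...]" -> (set of ports, or None meaning any port; index of the next token)
    if i >= len(tok) or tok[i] != "eq":
        return None, i
    ports, i = set(), i + 1
    while i < len(tok) and (tok[i].isdigit() or tok[i] in PORT_NAMES):
        ports.add(PORT_NAMES[tok[i]] if tok[i] in PORT_NAMES else int(tok[i]))
        i += 1
    return ports, i

def parse_ace(line):
    # action proto SRC [eq ..] DST [eq ..]; trailing keywords (established, ICMP types) are
    # ignored and gt/lt/range are not modelled, so such ACEs are treated as matching any port
    tok = line.split()
    src, i = _addr(tok, 2)
    sports, i = _ports(tok, i)
    dst, i = _addr(tok, i)
    dports, _ = _ports(tok, i)
    return tok[0], tok[1], src, sports, dst, dports

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First matching ACE wins; a packet that matches nothing falls to the implicit deny."""
    for line in acl:
        action, p, sm, sp, dm, dp = parse_ace(line)
        if p not in ("ip", proto) or not sm(src) or not dm(dst):
            continue
        if (sp is not None and sport not in sp) or (dp is not None and dport not in dp):
            continue
        return action, line
    return "deny", "implicit deny"

# Constructed inputs: the anti-spoofing lines of the second ACL exactly as posted, and a two-line
# stand-in for the first ACL with the post's placeholders replaced by TEST-NET (RFC 5737) addresses
SECOND_ACL = ["deny ip 10.0.0.0 0.255.255.255 any", "deny ip 172.16.0.0 0.0.240.255 any",
              "deny ip 192.168.0.0 0.0.255.255 any", "deny ip 0.0.0.0 252.255.255.255 any",
              "permit ip any any"]
FIRST_ACL = ["permit tcp host 192.0.2.1 host 198.51.100.1 eq bgp", "permit ip any 198.51.0.0 0.0.63.255"]
```

Run against the posted masks, 172.16.1.1 slips past the 172.16 line (0.0.240.255 requires the third octet's low nibble to be zero, so it covers only 172.16.{0,16,...,240}.x rather than 172.16.0.0/12) and is caught only by the 252.255.255.255 line, which in turn denies every source whose first octet is a multiple of 4, 192.0.2.1 included. Against the first ACL, an SSH attempt at the BGP peer address matches nothing and is dropped by the implicit deny.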
