05-08-2010 06:42 AM - edited 03-11-2019 10:42 AM
Hi guys, I have always trusted NAT as my firewall solution, but in the back of my head I've known this is insecure.
While I don't want to restrict my users' access to the Internet, I would like to make ports hidden from the Internet and secure the Internet connection as much as possible.
Also, a quick explanation of the configuration would be much appreciated.
PS. Unfortunately, ip inspect rules and simple ADSL configurations are a lacking area in the CCNA.
05-08-2010 01:29 PM
Andrew,
You are correct.
Many people misinterpret NAT as a security feature. NAT indeed hides the real IPs but it is not a security measure.
The IOS Firewall provides a lot of security features like ACLs, inspection rules, IPS (although not recommended in software), content filtering, etc.
You can check most of what you need here:
Federico.
05-09-2010 01:33 AM
Sorry, the forum lost my formatting (paragraphs) on my first post.
Anyway, so far I have created the following and it appears to be working, but I would like to confirm it by what you guys can comment on. The configuration should block any incoming connections except those I allow, but allow any outgoing connections and allow any incoming connections initiated by an outgoing connection.
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
interface Dialer1
 ip access-group FIREWALL in
 ip inspect FIREWALL out
!
ip access-list extended FIREWALL
 permit tcp any any eq 3389
 permit tcp any any eq 22
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit tcp any any eq pop3
 permit tcp any any eq 443
 permit tcp any any eq 1723
 permit tcp any any eq 3390
 permit tcp any any eq 4125
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 deny tcp any any
 deny udp any any
 deny ip any any
!
05-09-2010 02:45 AM
Yes, you are absolutely correct.
05-09-2010 02:48 AM
Thank you for confirming; I would hate to apply it to one of my clients and find it blocks something... The problem with small businesses is they don't want things blocked.
Are there any improvements you would make to make it more secure, without blocking users from doing anything on the Internet?
05-09-2010 02:55 AM
Based on the configuration posted, basically you are allowing all outbound traffic but restricting inbound traffic to the following: RDP, SSH, mail, web, PPTP. So I would assume that either you have a public IP address range for those servers' services, or you have configured static port address redirection to your Dialer interface IP address.
If you have a static public IP address, I would recommend that instead of configuring "permit tcp any any" on specific ports, you tighten it down as follows (assuming your public IP address is 200.1.1.1):
permit tcp any host 200.1.1.1 eq 3389
permit tcp any host 200.1.1.1 eq 22
...
...
05-09-2010 03:08 AM
halijenn wrote:
Based on the configuration posted, basically you are allowing all outbound traffic but restricting inbound traffic to the following: RDP, SSH, mail, web, PPTP. So I would assume that either you have a public IP address range for those servers' services, or you have configured static port address redirection to your Dialer interface IP address.
If you have a static public IP address, I would recommend that instead of configuring "permit tcp any any" on specific ports, you tighten it down as follows (assuming your public IP address is 200.1.1.1):
permit tcp any host 200.1.1.1 eq 3389
permit tcp any host 200.1.1.1 eq 22
...
...
You are correct, those ports are open and I use static NATs to route the ports to the correct devices behind the router. I also use a static public IP address, albeit only one static IP.
What are the benefits of not using 'any' in the ACLs and using the static public IP address instead?
Also, is there any way on an 877 running 12.4 to detect port scans and other malicious activity?
Thank you for your help as well.
05-09-2010 03:40 AM
The benefit would be to only allow connections towards the public IP address instead of towards any IP address in your internal network.
For example:
An attacker from the outside can go directly to your private IP address on those ports that you have opened if the attacker knows the private IP address range of your internal network. It's just added security that you can implement to make it a little bit more secure.
For port scan detection, you would need to configure the IOS IPS feature set on your 877 router. Here is a bit more information on IOS IPS for your reference:
Hope that helps.
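To make halijenn's suggestion concrete, here is the poster's inbound ACL rewritten with the router's public address as the only permitted destination. This is an added example, not configuration from anyone in the thread; it assumes the thread's example address 200.1.1.1 is the Dialer1 public IP and the target of the static NAT entries, and it adds a logged final deny so that blocked inbound attempts become visible in the router log.

```cisco
! Added example (not from the thread): the inbound ACL tightened as halijenn
! suggests, using the thread's example public address 200.1.1.1 (assumed to be
! the Dialer1 address and the NAT-mapped address of the published services).
! The inspection rules are unchanged: return traffic for sessions started from
! the inside is opened dynamically, so the ACL only lists published services.
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
interface Dialer1
 ip access-group FIREWALL in
 ip inspect FIREWALL out
!
ip access-list extended FIREWALL
 remark Inbound ACL is evaluated before NAT, so the destination is the public IP
 remark Packets addressed to private ranges behind the router match no permit
 permit tcp any host 200.1.1.1 eq 3389
 permit tcp any host 200.1.1.1 eq 22
 permit tcp any host 200.1.1.1 eq smtp
 permit tcp any host 200.1.1.1 eq www
 permit tcp any host 200.1.1.1 eq pop3
 permit tcp any host 200.1.1.1 eq 443
 permit tcp any host 200.1.1.1 eq 1723
 permit tcp any host 200.1.1.1 eq 3390
 permit tcp any host 200.1.1.1 eq 4125
 remark IPsec and PPTP/GRE also only towards the public address
 permit esp any host 200.1.1.1
 permit udp any host 200.1.1.1 eq isakmp
 permit gre any host 200.1.1.1
 remark One explicit logged deny covers tcp, udp and everything else;
 remark repeated hits from one source in "show logging" are a cheap scan indicator
 deny ip any any log
!
logging buffered 16384 informational
```

The `log` keyword on the final deny is what gives you basic visibility into scans without the IOS IPS feature set: each denied packet (rate-limited by IOS) is recorded with source, destination and port. Send the buffer to a syslog server if the clients have one, since the 877's buffer is small and wraps quickly.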
05-09-2010 03:32 AM
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
interface Dialer1
 ip access-group FIREWALL in
 ip inspect FIREWALL out
!
ip access-list extended FIREWALL
 permit tcp any any eq 3389
 permit tcp any any eq 22
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit tcp any any eq pop3
 permit tcp any any eq 443
 permit tcp any any eq 1723
 permit tcp any any eq 3390
 permit tcp any any eq 4125
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 deny tcp any any
 deny udp any any
 deny ip any any
Will it work on an ASA 5510? It is not accepting the command ip inspect...
Please advise.
05-09-2010 03:42 AM
Junaid,
Inspection in the ASA firewall works a little bit differently. It is configured under a policy-map.
The access-list needs to be applied to the interface using the access-group command.
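For Junaid's question, here is the same policy expressed in ASA syntax. This is an added example, not configuration from anyone in the thread; it assumes the outside interface is named "outside", uses the thread's example address 200.1.1.1 as the mapped (public) address, and assumes ASA 8.2 semantics, where an inbound ACL matches the mapped address. From ASA 8.3 onward the ACL must reference the server's real (private) address instead, because NAT is applied before the ACL.

```cisco
! Added example (not from the thread): IOS Firewall policy translated to ASA.
! Assumptions: interface name "outside"; 200.1.1.1 is the mapped public address
! (thread's example); ASA 8.2 semantics (ACL sees the mapped address).
! On 8.3+ replace 200.1.1.1 with the real inside address of each server.
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq 3389
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq 22
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq www
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq pop3
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq https
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq pptp
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq 3390
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq 4125
access-list OUTSIDE_IN extended permit esp any host 200.1.1.1
access-list OUTSIDE_IN extended permit udp any host 200.1.1.1 eq isakmp
access-list OUTSIDE_IN extended permit gre any host 200.1.1.1
! The ASA already denies everything not permitted; the explicit logged deny
! only makes the drops visible in the syslog.
access-list OUTSIDE_IN extended deny ip any any log
! This is the access-group step Federico refers to.
access-group OUTSIDE_IN in interface outside
!
! There is no "ip inspect" on the ASA: TCP/UDP state tracking is always on,
! so return traffic for outbound sessions is allowed without any ACL entry.
! "inspect" under the policy-map is application-layer inspection.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
  inspect esmtp
  inspect pptp
  inspect ftp
service-policy global_policy global
```

The stateful behaviour the poster wanted from `ip inspect` (block unsolicited inbound, allow replies to outbound) is the ASA's default: the outside interface has security level 0, so nothing enters unless the inbound ACL permits it, while sessions opened from the higher-security inside interface are tracked automatically. The `inspect pptp` line matters here because it is what lets the ASA open the GRE return path for PPTP clients on the inside.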