2621 router and NAT tuning

Oct 24th, 2002

Hello all,

Just looking for a few suggestions...

I'd like to tune my router to filter connection requests. What Class A networks can be safely filtered out and how do I do it?

I'd also like to set some of the IP NAT TRANSLATION timeout values... Are there recommended settings for a good security setup?

steve.barlow Thu, 10/24/2002 - 09:17

From a Cisco doc I have:

This list represents the common filtering practice of several ISPs. It includes default, broadcast, Martian, and RFC1918 networks. The use of these filters on border routers is recommended. Note: the list of these networks is updated and discussed quite frequently by groups such as NANOG ([email protected]) and IEPG ([email protected]).

access-list 180 deny ip host 0.0.0.0 any
access-list 180 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 1.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 19.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 59.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 129.156.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 180 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.5.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.9.200.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.9.99.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 180 deny ip any 255.255.255.128 0.0.0.127
access-list 180 permit ip any any

Apply ACL 180 inbound on your external interface.

Any time you change default timers you can cause more problems than it's worth. If I were to change them I would change only timeout and tcp-timeout to 12 hours. Wait a couple of days, see if anything happens (e.g. users complain, apps fail, etc.). If nothing does, I would change it to 6 hours. Wait, then go to 3 hours. Wait, then 1 hour. The IOS defaults are:

timeout: 86400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
port-timeout: 0 (never)

Hope it helps.

Steve
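An added example, not code from the post or from the Cisco doc it quotes: a small Python evaluator that applies IOS wildcard-mask semantics (a 1 bit in the wildcard means "don't care") to a constructed subset of ACL 180 exactly as posted, so the effect of each entry on a given source/destination pair can be checked before the list goes inbound on the external interface. Destination fields are honoured literally, so an entry whose destination is 255.0.0.0 0.255.255.255 only matches packets sent to that range.

```python
import ipaddress

# Constructed subset of the ACL posted above (IOS "network wildcard" form).
ACL_180 = """
access-list 180 deny ip host 0.0.0.0 any
access-list 180 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 180 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 180 deny ip any 255.255.255.128 0.0.0.127
access-list 180 permit ip any any
"""

def _addr(s):
    return int(ipaddress.IPv4Address(s))

def _spec(tokens):
    """Pop one address spec ("any", "host A" or "A WILDCARD"); return (net, wildcard)."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        tokens.pop(0)
        return _addr(tokens.pop(0)), 0
    return _addr(tokens.pop(0)), _addr(tokens.pop(0))

def parse_acl(text):
    """Return (action, src, src_wc, dst, dst_wc) tuples in configured order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()          # access-list N action proto src... dst...
        action, rest = parts[2], parts[4:]
        src, src_wc = _spec(rest)
        dst, dst_wc = _spec(rest)
        entries.append((action, src, src_wc, dst, dst_wc))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First-match lookup; compare only the bits the wildcard leaves at 0."""
    src, dst = _addr(src_ip), _addr(dst_ip)
    for action, ns, ws, nd, wd in entries:
        if (src & ~ws) == (ns & ~ws) and (dst & ~wd) == (nd & ~wd):
            return action
    return "deny"                     # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_180)
    for s, d in [("0.0.0.0", "198.51.100.1"), ("10.1.2.3", "255.1.1.1"), ("10.1.2.3", "198.51.100.1")]:
        print(s, "->", d, evaluate(acl, s, d))
```

Swap in the full ACL text and your own candidate packets to see exactly which line catches (or misses) them.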

pauljavete Thu, 10/24/2002 - 09:52

Thanks a lot... that's exactly what I was looking for.

Cheers!
