10-24-2002 04:56 AM - edited 03-02-2019 02:21 AM
Hello all,
Just looking for a few suggestions...
I'd like to tune my router to filter connection requests. What Class A networks can be safely filtered out and how do I do it?
I'd also like to set some of the IP NAT TRANSLATION timeout values... Are there recommended settings for a good security setup?
10-24-2002 09:17 AM
From a cisco doc I have:
This list represents the common filtering practice of several ISPs. It includes default, broadcast, Martian, and RFC1918 networks. The use of these filters on border routers is recommended. Note: the list of these networks is updated and discussed quite frequently by groups such as NANOG (nanog@merit.edu) and IEPG (iepg@iepg.org).
access-list 180 deny ip host 0.0.0.0 any
access-list 180 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 1.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 19.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 59.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 129.156.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 180 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.5.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.9.200.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.9.99.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 180 deny ip any 255.255.255.128 0.0.0.127
access-list 180 permit ip any any
Apply acl 180 inbound on your external interface.
Anytime you change default timers you can cause more problems than it's worth. If I were to change them I would change only timeout and tcp-timeout to 12 hours. Wait a couple of days, see if anything happens (e.g. users complain, apps fail, etc.). If nothing does I would change it to 6 hours. Wait, then go to 3 hours. Wait, then 1 hour. The IOS defaults are:
timeout: 86400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
port-timeout: 0 (never)
Hope it helps.
Steve
10-24-2002 09:52 AM
Thanks a lot... that's exactly what I was looking for....
Cheers!