08-07-2009 10:47 PM - edited 03-06-2019 07:09 AM
Which ACL makes more sense or is more appropriate to apply inbound on an internet-facing interface?
I think the first one makes a lot more sense. I have no idea what in the world the first few statements of the 2nd ACL are supposed to prevent.
ip access-list extended ISP-inbound
remark permit Border Gateway Protocol to the router.
permit tcp host <ISP eBGP neighbor IP address> gt 1023 host <local eBGP IP address> eq bgp
permit tcp host <ISP eBGP neighbor IP address> eq bgp host <local eBGP IP address> gt 1024 established
remark permit Subscriber Traffic - THESE ARE USER SUBNETS. USERS USE PUBLIC ADDRESSES.
permit ip any <subscriber subnet> 0.0.63.255
permit ip any <subscriber subnet> 0.0.3.255
remark deny any internet traffic to this router - ALL THESE ARE INTERFACES WITH PUBLIC ADDRESSES THAT ARE THEORETICALLY REACHABLE FROM THE INTERNET
deny ip any host <gi1/1 IP address>
deny ip any host <gi1/6 IP address>
deny ip any host <Te 9/2 IP address>
deny ip any host <Te 9/3 IP address>
deny ip any host <Te 9/1 IP address>
remark deny Internal space as source-THIS IS TO PREVENT SPOOFING.
deny ip < WSC Mgmt Public network address> 0.0.0.255 any
deny ip <VoIP network address> 0.0.0.255 any
deny ip <loopback0 IP address> 0.0.0.15 any
deny ip <subscriber subnet network address> 0.0.63.255 any
deny ip <subscriber subnet network address> 0.0.3.255 any
remark deny Bogons - DENYING BOGONS
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 14.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 46.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 175.0.0.0 0.255.255.255 any
deny ip 176.0.0.0 0.255.255.255 any
deny ip 177.0.0.0 0.255.255.255 any
deny ip 178.0.0.0 0.255.255.255 any
deny ip 179.0.0.0 0.255.255.255 any
deny ip 181.0.0.0 0.255.255.255 any
deny ip 182.0.0.0 0.255.255.255 any
deny ip 185.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 223.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
remark explicitly permit return traffic. Allow specific ICMP types.
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any
OR
ip access-list extended eBGP_Port
permit tcp any eq www any
deny tcp any any eq 1
deny tcp any any eq smtp
deny tcp any any eq 135
deny tcp any any eq 137 138 139
deny tcp any any eq 445
deny udp any any eq 1
deny udp any any eq 25
deny udp any any eq 50
deny udp any any eq 55
deny udp any any eq 70
deny udp any any eq 135
deny udp any any eq netbios-ns netbios-dgm netbios-ss
deny udp any any eq 445
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.0.240.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 0.0.0.0 252.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
08-09-2009 09:58 AM
I'm not able to understand why you are using a lot of deny statements. What I will suggest is, first of all, define the interesting traffic which needs to be permitted; at the end of the ACL there is always an implicit deny statement.
e.g.
permit tcp host
permit ip any
permit ip any
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
That's it... anything else not defined in a permit statement is denied.
Please elaborate on the use of IP any any in the second ACL and why it is not mentioned in the first ACL.
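Both posts turn on the same two facts about IOS access lists: entries are evaluated top to bottom and the first match wins, and anything that reaches the end of the list hits the implicit deny (which is exactly what the closing permit ip any any in the second ACL overrides). The script below is an added example, not code from either poster or from Cisco. It implements just enough Cisco-style ACE parsing to evaluate abridged copies of both ACLs against constructed packets; the <placeholders> are replaced with RFC 5737 documentation addresses, the subscriber block is shrunk to a /24, and established is modelled as "ACK set" only (IOS also accepts RST). Running it shows the ordering consequences a reviewer would point out: in the first ACL the anti-spoofing denies sit after permit ip any <subscriber subnet>, so a packet with a spoofed internal source aimed at a subscriber is permitted before the deny is ever reached; in the second ACL, permit tcp any eq www any precedes every port deny, so any TCP segment claiming source port 80 passes, and traffic nothing names is permitted rather than dropped.

```python
"""First-match evaluator for Cisco-style extended ACLs (added example, not from the thread)."""
import ipaddress
from collections import namedtuple

# Constructed stand-ins for the thread's <placeholders>, taken from RFC 5737 documentation space.
ISP_PEER, LOCAL_BGP = "192.0.2.1", "192.0.2.2"  # <ISP eBGP neighbor IP>, <local eBGP IP>
SUBSCRIBER = "203.0.113.0"                     # <subscriber subnet>, shrunk to a /24 here

# Abridged copies of the two ACLs in the thread; line order is kept, since order is the point.
ACL1 = f"""
permit tcp host {ISP_PEER} gt 1023 host {LOCAL_BGP} eq bgp
permit tcp host {ISP_PEER} eq bgp host {LOCAL_BGP} gt 1024 established
permit ip any {SUBSCRIBER} 0.0.0.255
deny ip {SUBSCRIBER} 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit icmp any any echo-reply
deny icmp any any
"""
ACL2 = """
permit tcp any eq www any
deny tcp any any eq smtp
deny udp any any eq netbios-ns netbios-dgm netbios-ss
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any
"""
PORT_NAMES = {"bgp": 179, "www": 80, "smtp": 25,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
ALL_ONES = 0xFFFFFFFF
Ace = namedtuple("Ace", "action proto src sport dst dport established icmp_type text")
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type",
                    defaults=(None, None, False, None))

def _ip(tok):
    return int(ipaddress.IPv4Address(tok))

def _port(tok):  # numeric or named port token -> port number, None if not a port
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)

def _addr_spec(toks, i):  # 'any' | 'host A' | 'A WILDCARD' at toks[i] -> ((net, wild), next i)
    if toks[i] == "any":
        return (0, ALL_ONES), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _port_spec(toks, i):  # optional 'eq P [P ...]' | 'gt P' at toks[i] -> ((op, ports), next i)
    if i >= len(toks) or toks[i] not in ("eq", "gt"):
        return (None, []), i
    op, ports, i = toks[i], [], i + 1
    while i < len(toks) and _port(toks[i]) is not None and (op == "eq" or not ports):
        ports.append(_port(toks[i]))
        i += 1
    return (op, ports), i

def parse_acl(text):
    """Turn ACL text into Ace tuples; 'remark' and blank lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] == "remark":
            continue
        src, i = _addr_spec(toks, 2)
        sport, i = _port_spec(toks, i)
        dst, i = _addr_spec(toks, i)
        dport, i = _port_spec(toks, i)
        rest = toks[i:]  # trailing keywords: 'established' and/or an ICMP type name
        aces.append(Ace(toks[0], toks[1], src, sport, dst, dport, "established" in rest,
                        next((t for t in rest if t != "established"), None), line.strip()))
    return aces

def _in_net(addr, spec):
    net, wild = spec
    mask = ~wild & ALL_ONES  # a set wildcard bit means "don't care"
    return (_ip(addr) & mask) == (net & mask)

def _port_ok(port, spec):
    op, ports = spec
    return op is None or (port is not None and
                          (port in ports if op == "eq" else port > ports[0]))

def matches(ace, pkt):
    """One ACE against one packet; 'established' is modelled as ACK set (IOS also accepts RST)."""
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and _in_net(pkt.src, ace.src) and _in_net(pkt.dst, ace.dst)
            and _port_ok(pkt.sport, ace.sport) and _port_ok(pkt.dport, ace.dport)
            and (pkt.ack or not ace.established)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))

def evaluate(acl_text, pkt):
    """First matching entry decides; with no match the ACL ends in the implicit deny."""
    for ace in parse_acl(acl_text):
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "<implicit deny at end of ACL>"

if __name__ == "__main__":
    spoofed = Packet("udp", "10.0.0.5", "203.0.113.7", 40000, 53)  # constructed: RFC 1918 source
    print("ACL1:", evaluate(ACL1, spoofed))  # permitted by the early 'permit ip any <subscriber>'
    print("ACL2:", evaluate(ACL2, spoofed))  # denied by 'deny ip 10.0.0.0 0.255.255.255 any'
```

The fix for the first ACL that this evaluator makes visible is a reordering, not more entries: the anti-spoofing and bogon denies belong above the subscriber permits, and the BGP permits can stay on top because they are scoped to two hosts. For the second ACL the evaluator confirms the reply's point: with permit ip any any at the bottom, every port-specific deny has to be enumerated by hand, whereas a permit-only list gets the implicit deny for free.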