2621 router and NAT tuning

pauljavete
Level 1

Hello all,

Just looking for a few suggestions...

I'd like to tune my router to filter connection requests. What Class A networks can be safely filtered out and how do I do it?

I'd also like to set some of the IP NAT TRANSLATION timeout values... Are there recommended settings for a good security setup?

2 Replies

steve.barlow
Level 7

From a Cisco doc I have:

This list represents the common filtering practice of several ISPs. It includes default, broadcast, Martian, and RFC1918 networks. The use of these filters on border routers is recommended. Note: the list of these networks is updated and discussed quite frequently by groups such as NANOG(nanog@merit.edu) and IEPG (iepg@iepg.org).

! Each line reads: deny ip SOURCE SRC-WILDCARD DESTINATION DST-WILDCARD
! (wildcard bits set to 1 are "don't care"); the first matching line wins.
! Note the destination field: on most lines it is an explicit network
! (e.g. 255.0.0.0 0.255.255.255 is 255.0.0.0/8), not "any".
! Unspecified source, then 0.0.0.0/8 and 1.0.0.0/8 sources
access-list 180 deny ip host 0.0.0.0 any
access-list 180 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 1.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
! RFC1918: 10.0.0.0/8
access-list 180 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
! Further networks as listed in the Cisco document
access-list 180 deny ip 19.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 59.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
! Loopback: 127.0.0.0/8
access-list 180 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
! As listed in the Cisco document
access-list 180 deny ip 129.156.0.0 0.0.255.255 255.255.0.0 0.0.255.255
! Link-local: 169.254.0.0/16
access-list 180 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
! RFC1918: 172.16.0.0/12
access-list 180 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
! TEST-NET documentation prefix: 192.0.2.0/24
access-list 180 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
! As listed in the Cisco document
access-list 180 deny ip 192.5.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.9.200.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.9.99.0 0.0.0.255 255.255.255.0 0.0.0.255
! RFC1918: 192.168.0.0/16
access-list 180 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
! 224.0.0.0/3: multicast (224/4) plus the reserved class E block (240/4)
access-list 180 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
! Any source to destinations 255.255.255.128-255.255.255.255 (limited broadcast)
access-list 180 deny ip any 255.255.255.128 0.0.0.127
! Everything else
access-list 180 permit ip any any

Apply ACL 180 inbound on your external interface.

Any time you change default timers you can cause more problems than it's worth. If I were to change them I would change only timeout and tcp-timeout to 12 hours. Wait a couple of days, see if anything happens (e.g. users complain, apps fail, etc.). If nothing does I would change it to 6 hours. Wait, then go to 3 hours. Wait, then 1 hour. The IOS defaults are:

timeout: 86400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
port-timeout: 0 (never)

Hope it helps.

Steve
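To check what the list in the reply above actually matches before it goes on an interface, here is an added example (mine, not code from the post or from Cisco) in Python. It parses the `access-list 180` lines exactly as posted, applies the IOS wildcard-mask rule (an address matches an entry when `addr & ~wildcard == entry & ~wildcard`, and the first matching line decides), and reports which line handles each of a handful of constructed packets. The sample packets use RFC 5737 documentation addresses and are made up for the example.

```python
"""Evaluate the posted IOS extended ACL against sample packets.

Added example, not code from the original post or from Cisco. It implements
the IOS wildcard-mask rule so the list can be checked before it is applied.
"""
import ipaddress

# ACL text copied from the reply above. The packets further down are
# constructed for this example using RFC 5737 documentation prefixes.
ACL_180 = """\
access-list 180 deny ip host 0.0.0.0 any
access-list 180 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 1.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 19.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 59.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 180 deny ip 129.156.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 180 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.5.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.9.200.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.9.99.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 180 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 180 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 180 deny ip any 255.255.255.128 0.0.0.127
access-list 180 permit ip any any
"""

ALL_ONES = 0xFFFFFFFF


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _take_spec(tokens):
    """Consume one address spec: 'host A', 'any' or 'A WILDCARD'."""
    if tokens[0] == "host":
        return _as_int(tokens[1]), 0, tokens[2:]
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    return _as_int(tokens[0]), _as_int(tokens[1]), tokens[2:]


def parse_acl(text):
    """Return entries as (line_no, action, src, src_wc, dst, dst_wc), in order."""
    entries = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        tok = raw.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"line {n}: only 'access-list N deny|permit ip ...' is handled")
        src, src_wc, rest = _take_spec(tok[4:])
        dst, dst_wc, rest = _take_spec(rest)
        if rest:
            raise ValueError(f"line {n}: trailing tokens {rest}")
        entries.append((n, tok[2], src, src_wc, dst, dst_wc))
    return entries


def _matches(addr, entry_addr, wildcard):
    # Wildcard bits set to 1 are ignored; the remaining bits must be equal.
    mask = ALL_ONES & ~wildcard
    return (addr & mask) == (entry_addr & mask)


def evaluate(entries, src, dst):
    """First matching line wins; no match means the implicit deny at the end."""
    s, d = _as_int(src), _as_int(dst)
    for n, action, esrc, esrc_wc, edst, edst_wc in entries:
        if _matches(s, esrc, esrc_wc) and _matches(d, edst, edst_wc):
            return action, n
    return "deny", None


# Constructed (src, dst) pairs, chosen to exercise different lines.
SAMPLE_PACKETS = [
    ("0.0.0.0", "203.0.113.10"),          # unspecified source
    ("10.1.2.3", "255.255.255.255"),      # RFC1918 source to the limited broadcast
    ("10.1.2.3", "203.0.113.10"),         # RFC1918 source to an ordinary unicast host
    ("230.1.1.1", "224.0.0.1"),           # multicast source and destination
    ("198.51.100.7", "255.255.255.200"),  # public source to 255.255.255.128/25
    ("198.51.100.7", "203.0.113.10"),     # ordinary traffic
]


def check_all(acl_text=ACL_180, packets=SAMPLE_PACKETS):
    """Map each (src, dst) pair to the (action, line) the ACL gives it."""
    entries = parse_acl(acl_text)
    return {pkt: evaluate(entries, *pkt) for pkt in packets}


if __name__ == "__main__":
    for (src, dst), (action, line) in check_all().items():
        print(f"{src:>14} -> {dst:<16} {action:<6} (line {line})")
```

Running it shows line 1 dropping the unspecified source, line 16 dropping multicast-sourced traffic and line 17 dropping packets to 255.255.255.128 and above. It also makes visible that on lines 2 to 16 the destination field is an explicit network rather than `any` (for instance `255.0.0.0 0.255.255.255` is 255.0.0.0/8), so a packet from 10.1.2.3 to an ordinary unicast address is not caught by line 4 and falls through to the final permit. Seeing that on paper before the list is applied is exactly what the evaluator is for.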
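The stepped reduction of tcp-timeout described above is easier to reason about with a model of how translations age. The following is an added example (mine, not from the post or from Cisco): a deliberately simplified simulator of the per-protocol idle timers quoted in the reply, run over a constructed packet trace, plus a helper that emits the `ip nat translation timeout` and `ip nat translation tcp-timeout` lines for each step. The trace, flow keys and addresses are invented for the example; the plain `timeout` value is only emitted by the helper, not modelled, and real IOS NAT carries more state than this.

```python
"""Simplified model of IOS NAT translation aging.

Added example, not code from the original post or from Cisco. Only the idle
timers quoted in the reply (tcp-, udp-, dns-, icmp-, finrst- and syn-timeout)
are modelled; every packet refreshes its flow's entry and an entry is removed
once its governing timer has elapsed with no traffic.
"""
from dataclasses import dataclass

# Defaults quoted in the reply, in seconds.
IOS_DEFAULTS = {
    "tcp-timeout": 86400, "udp-timeout": 300, "dns-timeout": 60,
    "icmp-timeout": 60, "finrst-timeout": 60, "syn-timeout": 60,
}


@dataclass
class Packet:
    t: int            # seconds since the start of the trace
    proto: str        # "tcp", "udp" or "icmp"
    inside: str       # inside local address:port, used as the flow key
    dport: int = 0    # destination port, used to recognise DNS (UDP/53)
    flags: str = ""   # tcp only: "S" = SYN with no reply yet, "A" = data, "F"/"R" = close


@dataclass
class Entry:
    last_seen: int
    timer: str        # name of the timer that currently governs the entry


def _timer_for(pkt):
    if pkt.proto == "udp":
        return "dns-timeout" if pkt.dport == 53 else "udp-timeout"
    if pkt.proto == "icmp":
        return "icmp-timeout"
    if "F" in pkt.flags or "R" in pkt.flags:
        return "finrst-timeout"
    return "syn-timeout" if pkt.flags == "S" else "tcp-timeout"


class NatTable:
    def __init__(self, overrides):
        self.timers = dict(IOS_DEFAULTS, **overrides)
        self.entries = {}   # flow key -> Entry
        self.expired = []   # (expiry time, key), in removal order

    def age(self, now):
        """Drop every entry whose governing idle timer has elapsed at `now`."""
        for key, e in list(self.entries.items()):
            limit = self.timers[e.timer]
            if now - e.last_seen >= limit:
                self.expired.append((e.last_seen + limit, key))
                del self.entries[key]

    def observe(self, pkt):
        """A packet refreshes (or recreates) the translation for its flow."""
        self.age(pkt.t)
        self.entries[(pkt.proto, pkt.inside)] = Entry(pkt.t, _timer_for(pkt))

    def live_at(self, now):
        self.age(now)
        return sorted(self.entries)


def constructed_trace():
    """A small packet trace written for this example, not captured data."""
    pkts = [
        Packet(0, "tcp", "192.168.1.10:40000", 22, "S"),     # SSH session ...
        Packet(1, "tcp", "192.168.1.10:40000", 22, "A"),     # ... then idle for hours
        Packet(0, "udp", "192.168.1.11:5353", 53),           # one DNS query
        Packet(5, "tcp", "192.168.1.12:40001", 443, "S"),    # short HTTPS request
        Packet(6, "tcp", "192.168.1.12:40001", 443, "A"),
        Packet(10, "tcp", "192.168.1.12:40001", 443, "F"),   # closed cleanly
        Packet(30, "tcp", "192.168.1.13:40002", 80, "S"),    # SYN that is never answered
        Packet(100, "icmp", "192.168.1.14:0"),               # one ping
        Packet(200, "tcp", "192.168.1.15:40003", 993, "S"),  # client crashed right after
        Packet(201, "tcp", "192.168.1.15:40003", 993, "A"),  # this, so no FIN ever comes
        Packet(0, "tcp", "192.168.1.20:40010", 5432, "S"),   # DB session that sends
    ]                                                        # something every 25 min
    pkts += [Packet(t, "tcp", "192.168.1.20:40010", 5432, "A") for t in range(1, 10800, 1500)]
    return sorted(pkts, key=lambda p: p.t)


def simulate(overrides, now=3 * 3600):
    """Run the trace; return (live flow keys at `now`, keys that expired at least once)."""
    table = NatTable(overrides)
    for pkt in constructed_trace():
        table.observe(pkt)
    live = table.live_at(now)
    return live, sorted({key for _, key in table.expired})


def stepdown_commands(hours=(12, 6, 3, 1)):
    """IOS global-config lines for each step of the gradual reduction described above."""
    return [[f"ip nat translation timeout {h * 3600}",
             f"ip nat translation tcp-timeout {h * 3600}"] for h in hours]


if __name__ == "__main__":
    for label, ov in (("default", {}), ("tcp 1h", {"tcp-timeout": 3600}), ("tcp 20min", {"tcp-timeout": 1200})):
        live, expired = simulate(ov)
        print(f"{label:>10}: live={len(live)} {live}  expired at least once: {expired}")
    for step in stepdown_commands():
        print("\n".join(step))
```

With the defaults, the idle SSH session, the crashed client's half-dead session and the chatty database session all still hold a translation three hours in, and the router cannot tell the first two apart from the third. At tcp-timeout 3600 the two idle entries are gone, which is the table space the reduction buys, but the idle user session has also lost its translation. At 1200 even the session that talks every 25 minutes is torn down and rebuilt between packets, which is the kind of breakage the wait-and-watch steps are meant to surface before the next cut.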

Thanks a lot... that's exactly what I was looking for.

Cheers!
