Full File-Sharing Block

hanleym (Level 1)

I have just been given the go ahead to block all ports on our internet router except for the well known ports. Anyone know the best way to accomplish this? Would an extended access list be the best way?

3 Replies

rokibbe (Level 1)

Yes, an extended access-list would be the best way to do it. A couple of design suggestions:

1) To minimize impact on the performance of the router, do it all in one access-list. The performance hit you'd take killing outbound request packets isn't worth the price you'd pay in a second instance of access-list processing.

2) You don't care what the users ask for, you care what COMES IN. (Let some other network admin with a bigger router filter out what he doesn't want!)

3) DEBUG IP PACKET DETAIL is your friend in fine-tuning this access-list.

4) The "deny any any" (implicit deny) is already at the end of the access-list. Leaving it off shows that you're well-informed enough to know you don't need it.

A nice sample baseline of what you're looking for might be:

access-list 101 remark WWW
access-list 101 permit tcp any gt 1 any eq 80
access-list 101 remark FTP
access-list 101 permit tcp any gt 1 any eq 21
access-list 101 remark SMTP
access-list 101 permit tcp any gt 1 any eq 25
access-list 101 remark POP3
access-list 101 permit tcp any gt 1 any eq 110
access-list 101 remark DNS replies (source port 53 back to a high port)
access-list 101 permit udp any eq 53 any gt 1023
access-list 101 remark Ping responses (ICMP types take no "eq")
access-list 101 permit icmp any any echo-reply
access-list 101 remark Traceroute responses
access-list 101 permit icmp any any time-exceeded

interface WAN 0
ip address x.x.x.x y.y.y.y
ip access-group 101 in

Again, use DEBUG IP PACKET DETAIL to see what traffic you need is being "access denied" and change my sample as your needs dictate.
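One way to see what such a list will drop before it goes on the router, as an added example that is not from the thread or from Cisco: a small Python evaluator with Cisco-style first-match semantics and the implicit deny at the end. The service entries mirror the TCP and ICMP lines of the sample above; the "established" entry, the source-port-53 DNS entry, the packets and all function names are constructed assumptions for the illustration.

```python
"""Added example (not from the thread): a first-match evaluator for
Cisco-style extended access-list entries, run over constructed packets
arriving inbound on the WAN interface.  All names are hypothetical."""
from dataclasses import dataclass
from typing import Optional, Tuple

PortOp = Optional[Tuple[str, int]]   # ("eq", 80), ("gt", 1023) ...; None = any port


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src_port: int = 0          # unused for icmp
    dst_port: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST set: what 'established' matches
    icmp_type: str = ""        # e.g. "echo-reply", "time-exceeded"


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip"
    src: PortOp = None
    dst: PortOp = None
    established: bool = False  # TCP only
    icmp_type: str = ""        # icmp only; "" = any type


def port_ok(op: PortOp, port: int) -> bool:
    if op is None:
        return True
    kind, value = op
    return {"eq": port == value, "gt": port > value, "lt": port < value}[kind]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if p.proto == "icmp":
        return e.icmp_type == "" or e.icmp_type == p.icmp_type
    if e.established and not p.ack_or_rst:
        return False
    return port_ok(e.src, p.src_port) and port_ok(e.dst, p.dst_port)


def evaluate(acl, p: Packet) -> str:
    """Return 'permit' or 'deny'.  First match wins; no match falls through
    to the implicit 'deny ip any any' that ends every Cisco access-list."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# Entries shaped like the sample list: source port gt 1, destination = service.
SERVICE_ENTRIES = [
    Entry("permit", "tcp", ("gt", 1), ("eq", 80)),        # WWW
    Entry("permit", "tcp", ("gt", 1), ("eq", 21)),        # FTP
    Entry("permit", "tcp", ("gt", 1), ("eq", 25)),        # SMTP
    Entry("permit", "tcp", ("gt", 1), ("eq", 110)),       # POP3
    Entry("permit", "icmp", icmp_type="echo-reply"),      # ping responses
    Entry("permit", "icmp", icmp_type="time-exceeded"),   # traceroute responses
]

# Assumed return-traffic entries for sessions the LAN opened itself:
# 'permit tcp any any gt 1023 established' and 'permit udp any eq 53 any gt 1023'.
RETURN_ENTRIES = [
    Entry("permit", "tcp", None, ("gt", 1023), established=True),
    Entry("permit", "udp", ("eq", 53), ("gt", 1023)),
]

# Constructed packets as seen inbound on the WAN side.
SAMPLE = {
    "new HTTP connection to a LAN web server": Packet("tcp", 40000, 80),
    "HTTP reply to a LAN browser": Packet("tcp", 80, 40000, ack_or_rst=True),
    "DNS reply to a LAN resolver": Packet("udp", 53, 40002),
    "SMB from the Internet": Packet("tcp", 40001, 445),
    "traceroute response": Packet("icmp", icmp_type="time-exceeded"),
}


def decisions(acl) -> dict:
    """Map each sample packet's label to the list's decision."""
    return {label: evaluate(acl, pkt) for label, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, acl in (("service entries only", SERVICE_ENTRIES),
                      ("service + return entries", SERVICE_ENTRIES + RETURN_ENTRIES)):
        print(f"--- {name}")
        for label, verdict in decisions(acl).items():
            print(f"{verdict:6}  {label}")
```

With the service entries alone, the HTTP and DNS replies to LAN clients fall through to the implicit deny, which is exactly the kind of "access denied" that debug ip packet detail would show you. The return entries fix that, but note that an established entry matches any packet with ACK or RST set, so it is not a session check; that is the gap a stateful feature such as CBAC closes.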

hi,

Regarding this conversation: I was always rather in a fix on what's better, applying an outbound access-list or an inbound access-list. The thing that troubled me with inbound access-lists was the BW usage limitation. Since I'm from an ISP, for me wasting the costly BW is an issue; I mean letting the packets utilize the BW from the uplink provider to me and then ultimately dropping them.

What has more load on the router, inbound or outbound? And once more, which is better?

Regards

Right now we have 2 T-1's coming in, but they are very underutilized. For now, I put the list on the inbound side, but I am also working up a CBAC to deploy out there, and once I get that in place, along with an outbound access list, I think that it should take care of the problem.
