I have just been given the go-ahead to block all ports on our internet router except for the well-known ports. Anyone know the best way to accomplish this? Would an extended access list be the best way?
Yes, an extended access-list would be the best way to do it. A couple of design suggestions:
1) To minimize impact on the performance of the router, do it all in one access-list. The performance hit you'd take killing outbound request packets isn't worth the price you'd pay in a second instance of access-list processing.
2) You don't care what the users ask for, you care what COMES IN. (Let some other network admin with a bigger router filter out what he doesn't want!)
3) DEBUG IP PACKET DETAIL is your friend in fine-tuning this access-list.
4) The "deny any any" (implicit deny) is already at the end of the access-list. Leaving it off shows that you're well-informed enough to know you don't need it.
A nice sample baseline of what you're looking for might be:
access-list 101 permit tcp any gt 1 any eq 80 <-- WWW
access-list 101 permit tcp any gt 1 any eq 21 <-- FTP
access-list 101 permit tcp any gt 1 any eq 25 <-- SMTP
access-list 101 permit tcp any gt 1 any eq 110 <-- POP3
access-list 101 permit udp any eq 53 any gt 1023 <-- DNS replies (source port 53 back to a high port)
access-list 101 permit icmp any any echo-reply <-- Ping responses
access-list 101 permit icmp any any time-exceeded <-- Traceroute responses
interface WAN 0 <-- substitute your actual WAN interface name
ip address x.x.x.x y.y.y.y
ip access-group 101 in
Again, use DEBUG IP PACKET DETAIL to see what traffic you need is being "access denied" and change my sample as your needs dictate.
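To see which packets a list like the one above would pass or drop before reaching for debug on the router, here is an added example (not from this thread) of a small Python evaluator for the subset of IOS extended-ACL syntax used in the sample; SAMPLE_ACL is a constructed list in the same shape, and the packet dicts are an assumed representation.

```python
# Added example, not from the original thread: evaluator for the subset of IOS
# extended-ACL syntax used in the sample ("any" addresses, eq/gt/lt port
# operators, bare ICMP type). Unmatched packets hit the implicit deny.

PORT_OPS = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b,
            "lt": lambda a, b: a < b}

# Constructed sample in the same shape as the baseline list above.
SAMPLE_ACL = """
access-list 101 permit tcp any gt 1 any eq 80
access-list 101 permit udp any eq 53 any gt 1023
access-list 101 permit icmp any any echo-reply
"""

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO any [op port] any [op port|icmp-type]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[4] != "any":
        raise ValueError("unsupported ACL entry: %r" % line)
    e = {"action": t[2], "proto": t[3], "src": None, "dst": None, "icmp": None}
    i = 5  # token after the source 'any'
    if t[i] in PORT_OPS:
        e["src"] = (t[i], int(t[i + 1])); i += 2
    i += 1  # skip the destination 'any'
    if i < len(t) and t[i] in PORT_OPS:
        e["dst"] = (t[i], int(t[i + 1]))
    elif i < len(t) and e["proto"] == "icmp":
        e["icmp"] = t[i]
    return e

def matches(e, pkt):
    """pkt: {'proto','sport','dport'} for tcp/udp, {'proto':'icmp','type'} for icmp."""
    if e["proto"] != pkt["proto"]:
        return False
    for key, pkey in (("src", "sport"), ("dst", "dport")):
        if e[key] and not PORT_OPS[e[key][0]](pkt[pkey], e[key][1]):
            return False
    return not e["icmp"] or e["icmp"] == pkt.get("type")

def evaluate(acl_text, pkt):
    """First matching entry wins; no match hits the implicit 'deny ip any any'."""
    for line in acl_text.strip().splitlines():
        e = parse_entry(line)
        if matches(e, pkt):
            return e["action"]
    return "deny"
```

Running `evaluate(SAMPLE_ACL, {"proto": "tcp", "sport": 80, "dport": 40000})` returns "deny": a web server's reply to an inside browser falls through to the implicit deny because nothing in the list matches return traffic, which is exactly the kind of "access denied" line the debug output would show.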
Regarding this conversation: I was always rather in a fix on what's better, applying an outbound access-list or an inbound access-list. The thing that troubled me with an inbound access-list was the BW usage limitation. Since I'm from an ISP, for me wasting the costly BW is an issue; I mean letting the packets utilize the BW from the uplink provider to me and then ultimately dropping them.
What has more load on the router, inbound or outbound? And once more, which is better?
Right now, at present, we have 2 T-1's coming in, but they are very under-utilized. For now, I put the list on the inbound side, but I am also working up a CBAC to deploy out there, and once I get that in place, along with an outbound access list, I think that it should take care of the problem.