I'm quite new to this community so forgive me if I intrude or if I'm doing something wrong. I'm a young network enthusiast and I'd love to explore a career in Network Security.
I'm currently doing a school project that includes router hardening. I'm using a PDF template by Krishni Naidu that says to block a certain amount of ports in order to secure a Cisco router.
In my school project we are using the 2801 Cisco Router and 15.0(1) as IOS version. Our setup is as follows:
We have a domain with a couple of VLANs that reach the first router that operates with EIGRP and Router on a stick, after that it enters a VPN IPSEC tunnel to reach router 2. The connection from router 2 goes to a "smoothwall" with firewall rules and eventually reaches a small Linksys router that goes to the internet.
I know it's a rather "dumb" setup, but it's kind of what we have to use as our budget from school. Internet works fine and we also use DNS. However, when I try to create an ACL that blocks certain ports on the link from Router 2 to the Smoothwall, all traffic seems to be blocked.
Here is my ACL configuration:
Ip access-list extended PORTBLOCK
deny tcp any any eq domain
deny udp any any eq tftp
deny tcp any any eq 87
deny tcp any any eq sunrpc
deny udp any any eq sunrpc
deny tcp any any eq exec login cmd lpd
deny tcp any any eq uucp
deny tcp any any eq 2000
deny udp any any eq 2000
deny tcp any any eq 2049
deny udp any any eq 2049
deny tcp any any range 6000 6255
deny udp any any range 6000 6255
deny tcp any any eq ftp
deny tcp any any eq telnet
deny tcp any any eq 37
deny udp any any eq time
deny tcp any any eq finger
deny tcp any any range pop2 pop3
deny tcp any any eq nntp
deny tcp any any eq 135
deny udp any any eq 135
deny udp any any range netbios-ns netbios-dgm
deny tcp any any eq 139
deny tcp any any eq 143
deny tcp any any eq bgp
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq syslog
deny tcp any any eq 1080
deny tcp any any eq 2001
deny tcp any any eq 4001
deny tcp any any eq 4045
deny udp any any eq 4045
deny tcp any any eq 6001
deny tcp any any eq 8000
deny tcp any any eq 8080
deny tcp any any eq 8888
I have tried to remove the first line in the ACL and the last 3, since those are high-end HTTP ports and the DNS zone transfer port. However, whenever I implement this ACL on the interface going to the smoothwall (that eventually leads to the internet) I find myself unable to go on the internet, or even use ICMP to contact the interfaces on the smoothwall or even the internet itself (e.g. www.google.nl).
I'd like to note, that internet works just fine without the ACL configured and everything in our setup works accordingly as well, even the VPN. So here I am wondering, what is this newbie doing wrong?...
If anyone could help me with this issue, I will be grateful. I am quite inexperienced when it comes to configuring something for real. Mostly just experience with Cisco Packet Tracer.
PS: If any info is missing or this issue is unclear, don't hesitate to ask for more.
ACLs in Cisco have an implicit deny any any at the end, so your ACL denies specific ports and then at the end denies everything else. You should add a permit ip any any at the end to explicitly permit all other traffic not denied by the previous statements.
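To make the implicit-deny behaviour from the answer above visible, here is an added example (not part of the original post or the answer) that simulates first-match evaluation of an IOS extended ACL in Python. It parses the subset of the syntax used in the posted ACL (`deny|permit <proto> any any [eq <port>...|range <lo> <hi>]`), ignores source and destination because the posted entries all use `any any`, maps the IOS port keywords to their IANA numbers, and evaluates a few constructed sample packets against the ACL as posted and with `permit ip any any` appended.

```python
"""Simulate first-match evaluation of a Cisco IOS extended ACL.

Added example, not code from the original post. It models only the
ACL syntax that appears in the question and assumes source/destination
are always 'any any'.
"""
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the posted ACL, mapped to IANA port numbers.
PORT_NAMES = {
    "domain": 53, "tftp": 69, "sunrpc": 111, "exec": 512, "login": 513,
    "cmd": 514, "lpd": 515, "uucp": 540, "ftp": 21, "telnet": 23,
    "time": 37, "finger": 79, "pop2": 109, "pop3": 110, "nntp": 119,
    "netbios-ns": 137, "netbios-dgm": 138, "bgp": 179, "syslog": 514,
}


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp"
    ports: Optional[set]        # destination ports matched; None = any port


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text: str) -> list:
    """Parse ACL lines of the form 'deny tcp any any eq 80' into entries."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        # Skip blank lines and the 'ip access-list extended NAME' header.
        if not tokens or tokens[0].lower() == "ip":
            continue
        action, proto = tokens[0], tokens[1]
        # tokens[2] and tokens[3] are source and destination ('any any').
        ports = None
        rest = tokens[4:]
        if rest and rest[0] == "eq":
            ports = {port_number(t) for t in rest[1:]}      # eq accepts several ports
        elif rest and rest[0] == "range":
            lo, hi = port_number(rest[1]), port_number(rest[2])
            ports = set(range(lo, hi + 1))
        entries.append(AclEntry(action, proto, ports))
    return entries


def evaluate(entries: list, proto: str, dst_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.ports is not None and dst_port not in e.ports:
            continue
        return e.action
    return "deny"   # the implicit 'deny ip any any' at the end of every IOS ACL


# A representative subset of the ACL posted in the question.
POSTED_ACL = """
Ip access-list extended PORTBLOCK
deny tcp any any eq domain
deny udp any any eq tftp
deny tcp any any eq exec login cmd lpd
deny tcp any any range 6000 6255
deny tcp any any eq telnet
deny tcp any any eq 8080
"""

# The same ACL with the explicit permit the answer recommends.
FIXED_ACL = POSTED_ACL + "permit ip any any\n"

# Constructed sample traffic: (protocol, destination port, description).
SAMPLE_PACKETS = [
    ("tcp", 443, "HTTPS to the internet"),
    ("tcp", 53, "DNS query over TCP"),
    ("udp", 53, "DNS query over UDP"),
    ("icmp", None, "ping to the Smoothwall"),
    ("tcp", 6100, "X11 in the denied range"),
]


def decisions(acl_text: str) -> dict:
    """Map each sample packet description to the ACL's verdict."""
    entries = parse_acl(acl_text)
    return {desc: evaluate(entries, proto, port) for proto, port, desc in SAMPLE_PACKETS}


if __name__ == "__main__":
    for label, acl in (("as posted", POSTED_ACL), ("with permit ip any any", FIXED_ACL)):
        print(label)
        for desc, verdict in decisions(acl).items():
            print(f"  {verdict:6} {desc}")
```

Run as posted, every sample packet, including ICMP and HTTPS, ends at the implicit deny, which matches the symptom in the question; with `permit ip any any` appended, only the explicitly denied ports are dropped. On the router itself, `show access-lists PORTBLOCK` prints a match counter per entry, so traffic that hits no explicit line (and therefore the implicit deny) shows up as zero matches everywhere.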