Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACL - Help

How do I stop icmp incoming yet allow internet communication, i have my web server in my side so I don't want that to be effected if I stop icmp , and icmp has lots of subs like time zone ect , can any one suggest me a good ACL link , or some ACL configs , thanks a lot in advance . You can sms me at 9840036122@skycell-indya.com

1 REPLY
New Member

Re: ACL - Help

Here's my generic ingress ACL template. Note that I permit into the protected network

only the bare ICMP functionality (IMO of course :-) ) Turning off ICMP alltogether may be

overly restrictive - ICMP after all provides useful things, but this will depend on your site

security policy. Make sure you understand the tradeoffs.

Note that "!" indicates my commentary...

! Access list 101 is applied on the "external" interface - the

assumption in this case is that

! we're touching the Internet (hence the RFC 1918 filters). We

filter anything that wasn't

! originated from the inside, or is an ICMP message. You

should substitute explicit

! subnets for "any" whenever possible.

!

! Anti-spoofing: Filter out loopback & RFC-1918 space (you may

need to allow

! RFC-1918 if the router's environment routes this traffic,

though). Last two lines deny

! traffic sourced from any broadcast address coming inbound,

as well as any traffic with

! a source address of our internal network, which we would

never expect to see anyhow.

!

access-list 101 deny ip 127.0.0.0 0.255.255.255 any log

access-list 101 deny ip 10.0.0.0 0.255.255.255 any log

access-list 101 deny ip 172.16.0.0 0.15.255.255 any log

access-list 101 deny ip 192.168.0.0 0.0.255.255 any log

access-list 101 deny ip host 255.255.255.255 any log

access-list 101 deny ip (internal net) 0.0.0.255 any log

!

! Allow ping responses, traceroute functionality, path MTU

discovery. Bare minimum

! ICMP for reasonable functionality - we could tighten this

down, but might break useful

! things.

!

access-list 101 permit icmp any (internal net) 0.0.0.255

echo-reply

access-list 101 permit icmp any (internal net) 0.0.0.255

time-exceeded

access-list 101 permit icmp anyv (internal net) 0.0.0.255

packet-too-big

access-list 101 permit icmp any (internal net) 0.0.0.255

traceroute

access-list 101 permit icmp any (internal net) 0.0.0.255

unreachable

!

! Permissions for established (ACK) TCP traffic to allow

return traffic. This permission

! is handled in a "smarter" fashion in IOS Firewall. You might

have to add lines to allow

! relevant stateless UDP to come back as well.

!

access-list 101 permit tcp any (internal net) 0.0.0.255

established

!

! Explicit permissions go here... in this case, we're allowing

the Internet to come in on

! port 80 (WWW) to some internal host.

!

access-list 101 permit tcp any host (internal net) eq 80

!

! Add an explicit deny for administration's sake.

!

access-list 101 deny ip any log

Hope this helps,

-Rakesh

106
Views
0
Helpful
1
Replies
CreatePlease to create content