As our 7206 has multiple sub-interfaces for our Internet clients, I'm looking at a generic ACL I can apply to each one to deny things like NetBIOS traffic, telnet access etc., but still allowing them full Internet access, e.g.:
(Just logging all for debugging purposes)
access-list 132 deny udp any eq netbios-dgm any log-input
access-list 132 deny udp any eq netbios-ns any log-input
access-list 132 deny udp any eq netbios-ss any log-input
access-list 132 deny tcp any eq 137 any log-input
access-list 132 deny tcp any eq 138 any log-input
access-list 132 deny tcp any eq 139 any log-input
access-list 132 deny tcp any eq 23 any log-input
access-list 132 permit ip any any
But I can't see a way to have a default deny policy without killing their Internet connection.
You seem to be filtering on source ports in your ACL - this isn't a good idea since most protocols use random high ports as the source port. A better strategy would be to filter on the destination port, which is (usually!) more predictable.

Two additional suggestions:

If you're going after command line tools, be aware that you may want to consider filtering SSH and the BSD r* commands as well. It depends on why you want to filter Telnet.

Also, Windows 2000 uses TCP 445 as a replacement for the famous 137, 138 (UDP) and 139 (TCP) - instead of doing NBT as Windows NT 4 does, Windows 2000 allows you to run SMB directly over TCP, getting rid of the NBT middleman. Consider filtering that as well if you've got
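To make the source-port versus destination-port point concrete, here is an added example (not from either poster) that re-implements a small subset of IOS extended ACL matching in Python and runs the ACL exactly as posted, plus an assumed destination-port rewrite (ACL number 133, the added 445/22/512-514 rules and the `ip access-group` direction are assumptions), against a few constructed client-originated packets. Only `any` addresses, `eq`, `range` and trailing `log`/`log-input` are parsed; first match wins and the list ends with the implicit deny every IOS ACL has.

```python
"""Evaluate a subset of Cisco IOS extended ACL syntax against constructed packets.

Added example for this thread, not the original poster's configuration. Rules:
  access-list N {permit|deny} {tcp|udp|ip} any [eq P|range A B] any [eq P|range A B] [log|log-input]
The ACL is assumed to be applied inbound on the client sub-interface
('ip access-group N in'), so a packet's source is the client, its destination
the Internet host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS port-name keywords used in the two ACLs below.
PORT_NAMES = {"telnet": 23, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# The ACL exactly as posted in the question: every rule matches the SOURCE port.
ORIGINAL_ACL = """\
access-list 132 deny udp any eq netbios-dgm any log-input
access-list 132 deny udp any eq netbios-ns any log-input
access-list 132 deny udp any eq netbios-ss any log-input
access-list 132 deny tcp any eq 137 any log-input
access-list 132 deny tcp any eq 138 any log-input
access-list 132 deny tcp any eq 139 any log-input
access-list 132 deny tcp any eq 23 any log-input
access-list 132 permit ip any any
"""

# Assumed rewrite following the reply: match DESTINATION ports and add SMB over
# TCP 445, SSH (22) and the BSD r* services (rexec 512, rlogin 513, rsh 514).
CORRECTED_ACL = """\
access-list 133 deny udp any any eq netbios-ns log-input
access-list 133 deny udp any any eq netbios-dgm log-input
access-list 133 deny udp any any eq netbios-ss log-input
access-list 133 deny tcp any any eq 139 log-input
access-list 133 deny tcp any any eq 445 log-input
access-list 133 deny tcp any any eq telnet log-input
access-list 133 deny tcp any any eq 22 log-input
access-list 133 deny tcp any any range 512 514 log-input
access-list 133 permit ip any any
"""

RULE_RE = re.compile(
    r"access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)"
    r"\s+any(?:\s+eq\s+(?P<seq>\S+)|\s+range\s+(?P<slo>\S+)\s+(?P<shi>\S+))?"
    r"\s+any(?:\s+eq\s+(?P<deq>\S+)|\s+range\s+(?P<dlo>\S+)\s+(?P<dhi>\S+))?"
    r"(?:\s+log(?:-input)?)?\s*$"
)
PortRange = Optional[Tuple[int, int]]  # None means "any port"


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    sports: PortRange
    dports: PortRange


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int


def port_number(token: str) -> int:
    """Resolve an IOS port keyword or a numeric port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _port_range(g: Dict[str, Optional[str]], side: str) -> PortRange:
    if g[side + "eq"]:
        p = port_number(g[side + "eq"])
        return (p, p)
    if g[side + "lo"]:
        return (port_number(g[side + "lo"]), port_number(g[side + "hi"]))
    return None


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        g = m.groupdict()
        rules.append(Rule(g["action"], g["proto"], _port_range(g, "s"), _port_range(g, "d")))
    return rules


def _in_range(r: PortRange, port: int) -> bool:
    return r is None or r[0] <= port <= r[1]


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if _in_range(r.sports, pkt.sport) and _in_range(r.dports, pkt.dport):
            return r.action
    return "deny"


# Constructed client-originated packets with ephemeral source ports.
SAMPLE_PACKETS = {
    "telnet to Internet host": Packet("tcp", 51234, 23),
    "smb over tcp 445": Packet("tcp", 51235, 445),
    "rlogin": Packet("tcp", 51236, 513),
    "netbios name query": Packet("udp", 137, 137),
    "http": Packet("tcp", 51237, 80),
}


def compare(acl_a: str, acl_b: str, packets=SAMPLE_PACKETS) -> Dict[str, Tuple[str, str]]:
    """Return {label: (verdict under acl_a, verdict under acl_b)}."""
    ra, rb = parse_acl(acl_a), parse_acl(acl_b)
    return {label: (evaluate(ra, p), evaluate(rb, p)) for label, p in packets.items()}


if __name__ == "__main__":
    for label, (orig, fixed) in compare(ORIGINAL_ACL, CORRECTED_ACL).items():
        print(f"{label:24s} original={orig:6s} corrected={fixed}")
```

Running it shows the posted ACL permitting client-initiated telnet, SMB-over-445 and rlogin sessions (their source ports are ephemeral, so no deny rule matches) while the destination-port version drops them; the only thing the source-port rules do catch is traffic whose source port happens to be 23 or 137-139, which on an inbound client interface is a reply from a telnet or NetBIOS server the client is hosting. The NetBIOS name query (UDP 137 to 137) is denied by both because NBNS uses the well-known port on both sides. The evaluator deliberately supports only `any` addresses; a real deployment would still need `ip access-group 133 in` on each client sub-interface.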