Cisco Support Community

General firewall question for ISP

I am the administrator of an ISP and I am implementing the IOS Firewall. I am using access lists to block a few "dangerous ports" and allowing all other IP traffic through. I have a web server with several websites, a mail server (ESMTP), 2 FTP servers, RADIUS, BBS and DNS. My question is a general one, I guess, and I hope another administrator of an ISP will respond, but is it a general practice to configure access lists to block/allow ports to needed hosts and allow the rest of the traffic through, due to the fact that so much incoming return traffic uses so many different ports, or to try to just permit "needed" ports and deny the rest of the IP traffic? Which is the worse administrative nightmare? My access list is getting pretty long as it is, and I'm wondering, if it gets too long and convoluted, whether I may be going in the wrong direction. Thanks for any responses in advance.


Re: General firewall question for ISP

I guess I'm on my own, huh? I figured with so many networking and security professionals watching this forum that I may have gotten at least one response. Thanks for the help, people.


Re: General firewall question for ISP

Do you have all your customers dialing in behind the firewall and then accessing the internet through the router?


Re: General firewall question for ISP

I have dial-up customers dialing into portmasters outside the firewall, but behind my external internet routers. They have to be authenticated by a RADIUS server behind the firewall. Then they are free to do whatever they want - nothing except incoming NetBIOS is blocked at the portmasters. The RADIUS process uses ports 1026 and 1646 only. It would be easy to open just those ports for authentication, but the complicated part comes when the users need to access web, HTTPS, mail, passive FTP, DNS, and everything else that comes into play. I also have national users that dial into portmasters across the country. I am using ESMTP on my mail server, which listens on ports 25 and 110, but the traffic going back out and returning uses all kinds of different ports, so I can't just open 25 and 110 without breaking something. I have 2000 users on that mail server that wouldn't be very happy if I poofed some mail during testing. That's why I asked my original question in a general form: do most complex networks open what's needed and block the rest, or just block known trojan and other unneeded vulnerable hacking ports, and hope for the best? Thanks for your response, and I know this is a pretty complex situation, and I'm not looking for technical answers that I can use, but I'm just looking for general feedback from people that have been in my shoes. Thanks


Re: General firewall question for ISP

Hi, yes, you are right that most complex networks only open ports that are required and close all other ports. I think what you really need to do is an assessment of which ports you require opening and which ports you don't. The following document might be of use to you; it is an NSA (US National Security Agency) document, unclassified, that deals with Cisco router security. It is a very good document and hopefully it will guide you a little further on your question(s):

I hope this helps.
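The default-deny approach the reply above recommends, sketched as an added IOS Firewall configuration that is not from either poster and not taken from the NSA guide. The 203.0.113.x addresses, the interface and the ACL/inspection names are placeholders; the ports are the ones the question lists; it assumes the router runs CBAC (`ip inspect`), which tracks sessions opened from inside and admits their return traffic by state, so the "return traffic uses many ports" problem does not need permanent permits.

```cisco
! Added example (not from the thread). 203.0.113.x addresses, interface and
! policy names are placeholders; the ports are the ones the question lists.
!
! Weak approach, as the question describes it: block a few "dangerous" ports
! and permit everything else. Anything not on the deny list reaches every host.
ip access-list extended BLOCKLIST_IN
 deny   tcp any any eq 135
 deny   tcp any any range 137 139
 deny   udp any any range 137 139
 permit ip any any
!
! Default-deny approach: permit only the published services; return traffic
! for sessions opened from inside is admitted by CBAC state, not by the ACL.
ip access-list extended FW_IN
 remark web server
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 remark mail server: SMTP in, POP3 for the dial-up users outside the firewall
 permit tcp any host 203.0.113.20 eq 25
 permit tcp any host 203.0.113.20 eq 110
 remark FTP control channel only; data channels come from inspection below
 permit tcp any host 203.0.113.30 eq 21
 remark DNS
 permit udp any host 203.0.113.40 eq 53
 permit tcp any host 203.0.113.40 eq 53
 remark RADIUS from the portmaster (203.0.113.5) on the ports the question states
 permit udp host 203.0.113.5 host 203.0.113.50 eq 1026
 permit udp host 203.0.113.5 host 203.0.113.50 eq 1646
 remark everything else is dropped and logged, so a missing port shows up in the log
 deny   ip any any log
!
! CBAC: sessions leaving the outside interface get temporary return entries,
! so no permanent permits for ephemeral ports are needed.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT ftp
ip inspect name FW_OUT smtp
! Assumption: ftp inspection applied inbound opens the negotiated (passive)
! data channel for the inside FTP servers whose control port the ACL permits.
ip inspect name FW_IN_FTP ftp
!
interface Serial0/0
 description upstream link (placeholder)
 ip access-group FW_IN in
 ip inspect FW_OUT out
 ip inspect FW_IN_FTP in
```

Without CBAC, the usual fallback is `permit tcp any any established`, which admits any TCP segment with ACK or RST set rather than tracking sessions, and does nothing for UDP. Start with `deny ip any any log` and read the log for a while before trusting the list; each logged hit is a port decision to make deliberately rather than a reason to re-open everything.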
