Cisco Support Community
New Member

Heated argument over access-list, please help

I have a 2811 router out to the internet. The router is doing NAT translation for our internal network out to the internet. I have access-list 100 applied with ip access-group 100 in on my S0/1/0 interface, incoming from the internet. Another admin at another site says I am hurting the performance of my router by applying this ACL, because we are doing NAT, which blocks everything inbound anyway unless specifically defined.

So am I wrong in having the below ACL applied inbound on my S0/1/0 interface?

access-list 100 remark Inbound from Internet S0/1/0
access-list 100 remark Block packets from a specific IP from scanning us
access-list 100 deny ip host 24.13.209.193 any
access-list 100 remark Block packets from private networks, RFC1918.
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 255.255.255.240 any
access-list 100 remark Other private address ranges.
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 remark Block packets from spoofed networks.
access-list 100 remark These are our subnets and cannot be outside the local LAN
access-list 100 deny ip 10.1.0.0 0.0.255.255 any
access-list 100 remark Anti-spoofing rules
access-list 100 deny tcp any any eq ftp
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 135
access-list 100 deny tcp any any eq 137
access-list 100 deny tcp any any eq 139
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any eq 3838
access-list 100 deny udp any any eq netbios-ns
access-list 100 remark block finger requests
access-list 100 deny tcp any any eq finger
access-list 100 remark Block all Sub-7 traffic
access-list 100 deny udp any any eq 27374
access-list 100 remark Block all NetBus/ NetBus Pro traffic
access-list 100 deny tcp any any eq 12345
access-list 100 deny tcp any any eq 12346
access-list 100 remark Block all Back Orifice 2000 Traffic
access-list 100 deny tcp any any eq 54321
access-list 100 deny udp any any eq 54321
access-list 100 deny tcp any any eq 54320
access-list 100 deny udp any any eq 54320
access-list 100 remark Allow Telnet from Dels Home
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 deny ip any any

New Member

Re: heated Argument over accesslist Please help

NAT provides security by obscurity, which technically is not a security measure. Plus, NAT translations (especially if they are NAT and not PAT) will allow, for the duration of the xlate, a pathway from outside to inside (though generally it would take someone scanning the network and then exploiting the connection).

Also, if you use Cisco Express Forwarding (CEF), the router would process the connection more quickly and would reduce the CPU cycles used for routing and ACL processing.

Finally, if this is a WAN connection, how much traffic can be generated? Even a T3 only provides one fourth of a single full-duplex FastEthernet.

New Member

Re: heated Argument over accesslist Please help

OK, to clarify your response for me: are you saying that my ACL, even though I am doing NAT, should be left as it is and is not hindering the performance of my router?

Hall of Fame Super Silver

Re: heated Argument over accesslist Please help

Del

I am not sure that there is a clear-cut answer to this question, but I am on your side in the discussion. In absolute terms there is some impact from using your access list. I am confident that you would need a quite powerful microscope to see the performance difference of using this access list vs. not having any access list. This access list is in place at the outside edge of the network and is keeping a lot of undesirable traffic from getting its foot in the door. Compare the cost of a minuscule performance difference against the benefit of increasing the safety and security of the interior network. I think that is a pretty easy choice.

I do have some comments about details in your access list.

- You have this line:

access-list 100 deny ip 224.0.0.0 0.255.255.255 any

which is supposed to deny multicast traffic. It would do the job better if the mask were 15.255.255.255. The 0 mask you have in the first octet only denies 224. If you use the 15 mask in the first octet it will deny 224 through 239.

- I do not understand the mask in this line:

access-list 100 deny ip 0.0.0.0 255.255.255.240 any

I question the 240 mask. What is the intent of this line and this mask? I have seen many access lists with a 255 mask in the fourth octet to deny the 0.0.0.0 address. And I have seen a few access lists with 0.255.255.255 to deny anything from network 0. But I have not seen the particular mask that you are using.

- You have this line:

access-list 100 deny ip 10.1.0.0 0.0.255.255 any

It will never get a hit, because the second deny in the access list already denied 10.anything. If you want to keep it because you want to explicitly protect your inside network, it will do no harm. But it will also do no good.

- my biggest concern is that you deny many things, including the deny ip any any at the bottom. The only things that you have permit statements for are icmp echo-reply, host-unreachable and time-exceeded. I think you need to permit more to get through to the interior of your network.

HTH

Rick
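The three points above (the multicast mask, the 255.255.255.240 wildcard, and the shadowed 10.1.0.0 line) all come down to how Cisco wildcard masks are evaluated bit by bit: a 0 bit must match, a 1 bit is ignored. The checker below is an added example, not code from the thread or from Cisco; it loads the source/wildcard pairs of the posted "deny ip ... any" lines in their original order and answers, for a handful of constructed probe addresses (RFC 5737 documentation space plus the thread's own ranges), which line denies them, which lines can never be hit, and which wildcards are not plain prefixes. Running it shows that 239.x.x.x multicast slips past the 224 line, that the 240 wildcard actually denies every source whose last octet is a multiple of 16, and that the 10.1.0.0 line is fully shadowed by the 10.0.0.0 line.

```python
"""Wildcard-mask checker for the posted access-list 100 (added example).

Cisco wildcard (inverse) masks work bit by bit: a 0 bit means "must match",
a 1 bit means "don't care". ACL below is the ordered list of
'deny ip <src> <wild> any' lines from the original post; the probe
addresses in main are constructed for illustration.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(addr, base, wildcard):
    """True if addr is covered by 'base wildcard' under Cisco semantics."""
    fixed = ALL_ONES ^ to_int(wildcard)          # bits that must match
    return (to_int(addr) & fixed) == (to_int(base) & fixed)


def is_contiguous(wildcard):
    """Contiguous wildcards (0.0.0.255, 0.255.255.255, ...) describe a prefix;
    anything else matches a scattered set of addresses."""
    w = to_int(wildcard)
    return w & (w + 1) == 0


def shadowed_by(later, earlier):
    """True if every source the later ACE matches is already matched by the
    earlier ACE, so the later line can never get a hit."""
    (lb, lw), (eb, ew) = later, earlier
    lw, ew = to_int(lw), to_int(ew)
    if lw & (ALL_ONES ^ ew):         # later is free where earlier is fixed
        return False
    fixed = ALL_ONES ^ ew
    return (to_int(lb) & fixed) == (to_int(eb) & fixed)


# Source/wildcard pairs of the 'deny ip ... any' ACEs, in posted order.
ACL = [
    ("24.13.209.193", "0.0.0.0"),        # 'host' form
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
    ("127.0.0.0", "0.255.255.255"),
    ("224.0.0.0", "0.255.255.255"),      # intended: all multicast
    ("0.0.0.0", "255.255.255.240"),      # the questioned 240 mask
    ("169.254.0.0", "0.0.255.255"),
    ("192.0.2.0", "0.0.0.255"),
    ("10.1.0.0", "0.0.255.255"),         # "our subnets"
]


def first_deny(addr, acl=ACL):
    """Index of the first ACE that denies addr, or None if it falls through."""
    for i, (base, wild) in enumerate(acl):
        if matches(addr, base, wild):
            return i
    return None


def find_shadowed(acl=ACL):
    """(later_index, earlier_index) pairs where the later ACE can never match."""
    return [(i, j) for i in range(len(acl)) for j in range(i)
            if shadowed_by(acl[i], acl[j])]


def non_contiguous(acl=ACL):
    """Indexes of ACEs whose wildcard is not a simple prefix mask."""
    return [i for i, (_, wild) in enumerate(acl) if not is_contiguous(wild)]


if __name__ == "__main__":
    for probe in ("224.0.0.1", "239.255.255.250", "203.0.113.16",
                  "203.0.113.17", "10.1.2.3"):
        hit = first_deny(probe)
        verdict = "falls through" if hit is None else f"denied by ACE {hit}: {ACL[hit]}"
        print(f"{probe:16} -> {verdict}")
    print("239.255.255.250 with 15.255.255.255 mask:",
          matches("239.255.255.250", "224.0.0.0", "15.255.255.255"))
    print("shadowed (later, earlier):", find_shadowed())
    print("non-contiguous wildcards:", non_contiguous())
```

The shadow check is only about source addresses, which is all these "ip ... any" lines test; for the protocol/port lines later in the list the same idea would have to compare protocol and port ranges as well.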

New Member

Re: heated Argument over accesslist Please help

Thanks for your response, Rick!

I found the below ACL lines on a security website. I am still learning the inverse mask, so I am not sure what they were trying to accomplish. Since I did find these on a security site, I took for granted they were properly formatted. I guess I should have scrutinized things a little more. ;-)

access-list 100 deny ip 224.0.0.0 0.255.255.255 any

access-list 100 deny ip 0.0.0.0 255.255.255.240 any

I did remove the last line in my ACL, which was access-list 100 deny ip any any, and I replaced it with access-list 100 permit ip any any. When I did this my router spiked to 100% and stayed there. I freaked. I learned it is hard to troubleshoot a router when the CPU is pegged. I was finally able to do a sh ip nat trans to see I have a SQL server on my network that is missing a few patches. It was hammering at port 1708. I have blocked the particular server from talking on that port till I can patch it on Sunday. The things we learn when we open up the router. Yikes!!! I guess if I am going to permit ip any any I will need to add a few more denies higher up in the ACL.
