Cisco Support Community

New Member

Help with ACLs

OK, newbie here.

I'm trying the deny-everything approach. Thing is, I'm not sure what all I should deny. My main goal is to block spyware such as Kazaa, Limewire and whatnot, and also porn diallers. I need to let IMs through, though, as we are an internet cafe.

I've read through the ACL docs and I'm still a bit confused.

Any other security suggestions are welcomed.

I have 70 or so PCs using the 192.168.0.0 range and a second FastEthernet interface using a public IP range (the web/mail server). Using a 2621 with a serial interface.

Thanks,

Here's the config so far:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname x
!
enable secret x
enable password 7 02040D4F080E
!
username x privilege 15 password x
ip subnet-zero
!
ip name-server 192.111.39.1
ip name-server 192.111.39.4
!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
 ip address 194.125.x.x 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 description leased line to bob
 bandwidth 128000
 ip address 193.x.x.x 255.255.255.252
 ip nat outside
 no ip mroute-cache
 shutdown
 fair-queue
!
interface FastEthernet0/1
 ip address 192.168.0.10 255.255.255.0
 ip access-group 101 in
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
ip default-gateway 193.x.x.x
ip nat inside source list 102 interface Serial0/0 overload
ip classless
ip default-network 194.125.0.0
ip route 0.0.0.0 0.0.0.0 193.x.x.x
ip route 194.125.2.0 255.255.255.0 193.x.x.x
no ip http server
ip pim bidir-enable
!
access-list 101 deny igrp any host 255.255.255.255
access-list 101 permit ip any any
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 102 permit ip any any
!
no call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4

2 REPLIES
New Member

Re: Help with ACLs

Hi Chris,

It seems you have not yet implemented many ACLs on Cisco systems. The entry "access-list 101 permit ip any any" must be the last one in your ACL: because it permits all IP packets, all other entries after it would never be checked.

Build your access-list on the "inside" interface, incoming, in such a way that you only permit wanted traffic and deny all the rest.

In the second step, build an access-list incoming on the "outside" interface: deny all private IP addresses, broadcasts, multicasts etc. and permit all wanted traffic.

Also deny telnet and the web server on the outside interface.

Security is complex. Be aware of what you are doing.

Hope this helps you.

Best regards

Norbert
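One way to lay out the two ACLs Norbert describes, as an added example that is not part of this thread and not Cisco's own guidance. It uses the interface names and the 192.168.0.0/24 range from Chris's posted config and would replace the existing "access-group 101 in" on FastEthernet0/1. The DNS, web and mail ports are standard; the IM ports and the router's outside address are placeholders, since the thread does not give them, and the public web/mail server on FastEthernet0/0 would still need its own permits in OUTSIDE-IN.

```cisco
! Added example. Inside = FastEthernet0/1, outside = Serial0/0 as in the
! posted config. Entries are checked top to bottom and the first match
! wins, so the permits go first and the final deny catches everything else.
ip access-list extended INSIDE-IN
 remark --- traffic the LAN may start; anything not listed is dropped
 permit udp 192.168.0.0 0.0.0.255 any eq 53
 permit tcp 192.168.0.0 0.0.0.255 any eq 80
 permit tcp 192.168.0.0 0.0.0.255 any eq 443
 permit tcp 192.168.0.0 0.0.0.255 any eq 25
 permit tcp 192.168.0.0 0.0.0.255 any eq 110
 remark --- IM: one permit per IM service once its port is known, e.g.
 remark --- permit tcp 192.168.0.0 0.0.0.255 any eq <IM-PORT>
 deny   ip any any log
!
ip access-list extended OUTSIDE-IN
 remark --- drop packets claiming a private, loopback, multicast or broadcast source
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark --- no telnet or web management of the router from outside
 remark --- <ROUTER-OUTSIDE-IP> is a placeholder for the Serial0/0 address
 deny   tcp any host <ROUTER-OUTSIDE-IP> eq 23
 deny   tcp any host <ROUTER-OUTSIDE-IP> eq 80
 remark --- replies to connections the LAN started; everything else dropped
 permit tcp any any established
 permit udp any eq 53 any
 deny   ip any any log
!
interface FastEthernet0/1
 ip access-group INSIDE-IN in
interface Serial0/0
 ip access-group OUTSIDE-IN in
!
! Only the LAN may open a management session to the router itself.
access-list 10 permit 192.168.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
```

The "log" keyword on the final denies is what lets you see, with "show logging", which blocked traffic the cafe PCs are actually trying to send, so you can decide what else needs a permit.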

New Member

Re: Help with ACLs

Thanks Norbert. You are correct in your assumption that I haven't any experience with ACLs, hence the newbie comment. :)

Your response helped immensely. I have a few questions though (and they might seem a bit ridiculous to the more experienced).

When you say "inside" interface, are you referring to the internal network interface (192.168.0.0)? Is the "outside" interface the serial interface?

Does it matter what order the allowed traffic is listed in, other than coming before the deny-all ACL entry?
