Cisco Support Community
New Member

Internet connection access list?

Does anyone have an example of a standard, or generally accepted access list to apply to the outside interface of my internet router? I'm running IOS firewall and doing NAT with it and I thought I had a good idea of what to include in my "access-list xxx in" on the serial interface connected to the Internet, but when I do, I lose Internet service for my internal networks. I want some generally accepted protections from "the big, scary internet" but I also want Internet usage to work transparently.

Any advice or examples would be appreciated!

Thanks!!

3 REPLIES
New Member

Re: Internet connection access list?

The generally accepted policy for inbound traffic is to deny everything except what is necessary for your business. If you don't offer any services to 'Internet' users, your access-list should deny all.

An outbound access list should state what users are allowed to do on the Internet.

Re: Internet connection access list?

This link should help: http://www.merit.edu/~ipma/docs/help.html

It's a list of networks that ISPs usually block. Also, don't forget to block IPs with a source IP of your network from entering your network (i.e. prevent IP spoofing).

So in general, the first part of the acl should be the general denies (for example as per the provided link), the second part of the acl should be what you want to allow into your network, and the last part should be the "deny ip any any log" statement. Only allow what is necessary for your company, deny the rest.

Example:

! first part: the general denies (reserved / bogon sources and destinations)
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip any 255.255.255.128 0.0.0.127 log
access-list 110 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log
access-list 110 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
! anti-spoofing: x.x.x.64/27 is your network's IP block, it must never arrive from outside
access-list 110 deny ip x.x.x.64 0.0.0.31 any log
! second part: what you want to allow into your network
access-list 110 permit tcp any host x.x.x.69 eq 443
access-list 110 permit tcp any host x.x.x.74 eq smtp
access-list 110 permit tcp any eq ftp-data host x.x.x.74
! last part: the explicit deny with logging
access-list 110 deny ip any any log

NANOG is a good resource for this sort of thing.

Hope it helps.

Steve
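To see what the ordering in Steve's list actually does to real packets, here is an added example (not part of the thread, and not Cisco code) in Python: a small evaluator for IOS-style numbered extended ACLs with wildcard masks and first-match semantics. It assumes the poster's "x.x.x" stands for the RFC 5737 documentation prefix 203.0.113.0/24 (substitute your own block), and feeds the list a few constructed packets: a client reaching the web server, a packet spoofing your own prefix, an RFC 1918 source, an active-FTP data connection, and the reply to an internal NAT user's web request.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the ACL from the reply above. The poster's "x.x.x" is
# replaced with the RFC 5737 documentation prefix 203.0.113.0/24 (an assumption
# made here so the example can run).
ACL_TEXT = """
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip any 255.255.255.128 0.0.0.127 log
access-list 110 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log
access-list 110 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
access-list 110 deny ip 203.0.113.64 0.0.0.31 any log
access-list 110 permit tcp any host 203.0.113.69 eq 443
access-list 110 permit tcp any host 203.0.113.74 eq smtp
access-list 110 permit tcp any eq ftp-data host 203.0.113.74
access-list 110 deny ip any any log
"""

# Port keywords IOS accepts in place of numbers (only the ones needed here).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80}


@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol; else "tcp", "udp", ...
    src: Tuple[int, int]      # (address, wildcard) as 32-bit integers
    src_port: Optional[int]
    dst: Tuple[int, int]
    dst_port: Optional[int]
    log: bool


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])),
            int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' starting at t[i]."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    """Parse numbered extended ACL lines; '!' comment lines and remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(Entry(action, proto, src, sport, dst, dport, "log" in t[i:]))
    return entries


def _addr_match(spec: Tuple[int, int], ip: int) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def evaluate(entries: List[Entry], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, entry number) of the first matching entry, top to bottom,
    exactly as IOS evaluates an ACL. No match means the implicit deny (None)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for n, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_match(e.src, s) and _addr_match(e.dst, d)):
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample packets as they would arrive on the outside interface.
    samples = [
        ("tcp", "198.51.100.7", 40000, "203.0.113.69", 443),  # client -> your HTTPS server
        ("tcp", "203.0.113.70", 1234, "203.0.113.69", 443),   # spoofed: your own prefix from outside
        ("udp", "10.1.2.3", 5000, "203.0.113.69", 53),        # RFC 1918 source
        ("tcp", "198.51.100.7", 20, "203.0.113.74", 50000),   # active-FTP data to the .74 host
        ("tcp", "198.51.100.7", 80, "203.0.113.80", 50000),   # web reply to an internal NAT user
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(acl, *pkt))
```

The last sample is the original poster's problem in miniature: an inbound ACL on the outside interface also sees the replies to connections that inside users opened, and with nothing earlier matching them they fall through to the final "deny ip any any log". That return traffic is what the IOS firewall inspection (ip inspect) mentioned in the question is there to open dynamically; the older static alternative is a "permit tcp any any established" entry placed above the final deny. The spoofing entry also only protects you because it sits above the permits; swap entries 10 and 11 and the spoofed HTTPS packet in sample two would be accepted.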

New Member

Re: Internet connection access list?

Here's an interesting document I found on the subject.

http://www.cymru.com/Documents/secure-ios-template.html

Hope it helps.

Thomas
