IOS Firewall security tips

mpolce2
Level 1

Looking for tips on the CBAC/IOS firewall feature set for securing. Things similar to limiting connections on certain ports, denying private ranges from coming in on the outside interface, and so on.

Thanks,

Dan

2 Replies

mpalardy
Level 3

Hi Dan,

You may use a static statement on a PIX to limit the number of connections and embryonics:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/s.htm#xtocid20

You may take a look at this URL:

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:ACCESS-LIST_ARP_BOOT_DHCP

I also took this example from this newsgroup. (Thanks to Steve. I couldn't find something similar at cisco.com, but I'm sure they'll have it.)

Example:

! Anti-spoofing ACL, applied inbound on the outside interface
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip any 255.255.255.128 0.0.0.127 log
access-list 110 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log
! RFC 1918 and loopback ranges must never arrive from the outside
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log
access-list 110 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
! your own network range (x.x.x.64/27) spoofed as a source from outside
access-list 110 deny ip x.x.x.64 0.0.0.31 any log
! only the published services are permitted in
access-list 110 permit tcp any host x.x.x.69 eq 443
access-list 110 permit tcp any host x.x.x.74 eq smtp
access-list 110 permit tcp any eq ftp-data host x.x.x.74
! log everything else before the implicit deny
access-list 110 deny ip any any log

Hope this helps

Michael
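The ACL logic above, as an added example that is not part of the original thread: a small Python evaluator for IOS-style extended ACL entries (wildcard masks, first match wins, implicit deny at the end) that you can run against sample packets before applying a list to the outside interface. The addresses 203.0.113.64/27 and 198.51.100.7 are constructed stand-ins for the x.x.x placeholders, and the ACL text is a constructed subset of the list above.

```python
"""Added example (not from the thread): IOS-style extended ACL evaluation on sample packets."""
import ipaddress
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80}
ACL_TEXT = """
! constructed subset of the anti-spoofing list; 203.0.113.64/27 stands in for x.x.x.64/27
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 203.0.113.64 0.0.0.31 any log
access-list 110 permit tcp any host 203.0.113.69 eq 443
access-list 110 permit tcp any host 203.0.113.74 eq smtp
access-list 110 deny ip any any log
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' [eq PORT] at t[i]; return (base, wc, port, next i)."""
    if t[i] == "any":
        base, wc, i = "0.0.0.0", "255.255.255.255", i + 1
    elif t[i] == "host":
        base, wc, i = t[i + 1], "0.0.0.0", i + 2
    else:
        base, wc, i = t[i], t[i + 1], i + 2
    if i < len(t) and t[i] == "eq":
        return base, wc, PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return base, wc, None, i

def parse_acl(text):
    """Return entries as (action, proto, src, swc, sport, dst, dwc, dport, log)."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # skips '!' comment lines and blank lines
        src, swc, sport, i = _parse_addr(t, 4)
        dst, dwc, dport, i = _parse_addr(t, i)
        entries.append((t[2], t[3], src, swc, sport, dst, dwc, dport, "log" in t[i:]))
    return entries

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First matching entry decides; returns (action, entry number, logged)."""
    for n, (action, p, s, swc, sp, d, dwc, dp, log) in enumerate(entries, 1):
        if (p in ("ip", proto) and wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)
                and sp in (None, sport) and dp in (None, dport)):
            return action, n, log
    return "deny", None, False  # implicit deny at the end of every IOS ACL: dropped, not logged
ENTRIES = parse_acl(ACL_TEXT)
```

Note that a packet falling through to the implicit deny is dropped silently, which is why the list ends with an explicit `deny ip any any log`.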

jmx2020
Level 1

Here are a few other IOS FW features to consider applying; note that certain ones may block certain desirable networking functions, so be sure to study and test the effect of each one before you apply it.

! global configuration mode
no cdp run
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip bootp server
no ip tcp selective-ack
! interface configuration mode (outside interface)
no mop enabled
no fair-queue
no ip directed-broadcast
no ip unreachables