Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

871 as a nat'd, border router

I am considering using a cisco router as my gateway/border router. My

lan machines will be nat'd behind it. I have read the NSA's guide to

securing these devices and turned off all of the unnecessary services.

But I had some questions regarding the acls.

I have set an outbound acl only allowing certain ports to have outbound

access (http, ftp, etc.). My question relates to the inbound acl.

Basically, I think it should be as follows:

allow incoming udp whose source port is 53 and destination port is > 1024

allow tcp established

deny ip any any log

for my udp rule, I have additional udp ports that need to be forwarded

through, not to initiate 'connections' but I need to get responses on

certain ports. For example I need a udp range to be able to use some

video/voice equipment and need to get replies in that range.

Is there a 'best practice' way to set this up? Do I just need to allow

all the udp ports that I am using inbound access? I am assuming that an

incoming udp response that doesn't have the same source/dest ports from

the same ip will be dropped but what about someone sniffing/spoofing my

traffic.

1 REPLY
Bronze

Re: 871 as a nat'd, border router

Just a suggestion, use reflexive lists on a border router.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00800ca7c3.html#wp1000929

Those are good links to start with to learn about this stuff. I used to have an 871 (now have an 1811) and the 871 does most of the stuff in that guide no problem. The only warning I have is turning on ip inspect on an 871; it'll kill your throughput.

The big, and unsafe part of using "allow tcp established" is that any competent hacker can change a TCP packet to set the established bit to "1". So just leaving that open is insecure. More secure than just "permit tcp any any", but still more insecure than it needs to be.

And to answer your question, just like with TCP, UDP will respond on the port that you sent it from.

For simplicity sake, think of UDP like TCP; just connectionless.

Best practice from what I've heard is to use reflexive lists on border routers (in your case, this would be fa0). Then apply an ingress VACL on VLAN 1 (or whatever other VLANs are on your 871).

104
Views
0
Helpful
1
Replies
CreatePlease login to create content