Cisco Support Community
New Member

Securing Router with ACL ?????

Hi dear friends,

Most probably our APNIC membership will be over next week, so our BGP AS number will be disabled for the time until we renew our membership.

So I want to ask: we are using a prefix list on our gateway router to secure it on the Internet.

Now we have only one option for the time being: we will use static routes with our upstream and secure our router with an ACL.

How can I do that? Please paste a template of a config example, and any helpful doc.

Thanks and Regards

Afzaal Qadir

4 REPLIES
Bronze

Re: Securing Router with ACL ?????

Hi Afzaal,

As far as I can understand, you mean that you are using a prefix-list to filter BGP routes.

To use static routing rather than BGP, a default route on your router to your provider, and static routes on your provider's side to return the traffic to the LAN IPs your provider supplied to you, are what you need for routing; a prefix-list is of no use here.

Using an ACL on the Internet interface is always used to secure your network, whether you are using your own IPs or your provider's IPs; ACLs are packet-filtering mechanisms used to filter unwanted packets.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

New Member

Re: Securing Router with ACL ?????

Hi

Thanks for the answer and suggestions.

I will implement this ACL when our BGP and AS number are invalid for us and we use static routes to our upstream service provider.

10 deny ip 127.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 172.16.0.0 0.15.255.255 any
40 deny ip 192.168.0.0 0.0.255.255 any
50 deny ip 169.223.0.0 0.0.255.255 any
60 deny ip 211.255.0.0 0.0.31.255 any
70 permit ip any any

Kindly suggest if you think any improvement is required. I will welcome and appreciate it.

Thanks in advance for suggestion.

Afzaal Qadir.

Re: Securing Router with ACL ?????

Hi Afzaal,

Perfect, and you might want to deny some suspicious ports according to your needs (always make sure that you are not denying ports that your applications or users need, and always make sure that the permit any any is there at the end of your ACL):

example:

access-list x deny tcp any any eq 4444
access-list x deny udp any any eq 1433
access-list x deny udp any any eq 1434
access-list x deny tcp any any eq 1433
access-list x deny tcp any any eq 1434
access-list x deny tcp any any eq 135
access-list x deny udp any any eq 135
access-list x deny udp any any eq netbios-ns
access-list x deny udp any any eq netbios-dgm
access-list x deny tcp any any eq 139
access-list x deny udp any any eq netbios-ss
access-list x deny tcp any any eq 445
access-list x deny udp any any eq 445

HTH, please do rate all helpful replies,

Mohammed Mahmoud.
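
Added example, not part of the thread and not Cisco tooling: a small Python first-match evaluator for the ACL entries posted above, showing how the wildcard masks select source ranges and why the position of `permit ip any any` matters. The sequence numbers 62 and 64, the two port entries chosen from the second list, and the test addresses are constructed for illustration.

```python
import ipaddress

# Source-address entries as posted in the thread, plus two of the suggested
# port denies placed before the final permit (sequence numbers 62/64 are constructed).
ACL = """\
10 deny ip 127.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 172.16.0.0 0.15.255.255 any
40 deny ip 192.168.0.0 0.0.255.255 any
50 deny ip 169.223.0.0 0.0.255.255 any
60 deny ip 211.255.0.0 0.0.31.255 any
62 deny tcp any any eq 445
64 deny udp any any eq 1434
70 permit ip any any
"""

def parse(text):
    """Parse '<seq> <action> <proto> <src> [wildcard] any [eq <port>]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        if tok[3] == "any":                      # 'any' = every bit is "don't care"
            base, wild, rest = 0, 0xFFFFFFFF, tok[4:]
        else:
            base = int(ipaddress.IPv4Address(tok[3]))
            wild = int(ipaddress.IPv4Address(tok[4]))
            rest = tok[5:]
        port = int(rest[2]) if len(rest) == 3 and rest[1] == "eq" else None
        rules.append((seq, action, proto, base, wild, port))
    return sorted(rules)                         # IOS evaluates in sequence order

def evaluate(rules, proto, src, dport=None):
    """Return (sequence, action) of the first matching entry."""
    s = int(ipaddress.IPv4Address(src))
    for seq, action, rproto, base, wild, port in rules:
        if rproto not in ("ip", proto):
            continue
        if (s ^ base) & ~wild & 0xFFFFFFFF:      # differs in a bit the wildcard cares about
            continue
        if port is not None and port != dport:
            continue
        return seq, action
    return None, "deny"                          # implicit deny ending every IOS ACL

if __name__ == "__main__":
    rules = parse(ACL)
    for pkt in [("tcp", "172.31.255.255", 80), ("tcp", "172.32.0.1", 80), ("tcp", "198.51.100.7", 445)]:
        print(pkt, "->", evaluate(rules, *pkt))
```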
