Solved

Basic Firewall for Cisco3620

Posted on 2004-04-05
Last Modified: 2010-04-17
hi,

I am looking for some basic firewalling config for my 3620.    

I want to protect against some of the common DOS attacks and filter out a few other things
such as :  

udp, Destination Ports, 20000:50000
tcp, Destination Ports, 20000:50000
tcp, Destination Ports, 9999
tcp, Destination Ports, 9000:9013
tcp, Destination Ports, 7777:7778
udp, Destination Ports, 7777:7778


Can someone help with some config examples?

Thanks

Mark Anderson
Question by:networkfrontier
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10760717
Do you have the IOS firewall/IDS feature set?

Author Comment

by:networkfrontier
ID: 10760885
Yes,  Ver :

IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
LVL 1

Accepted Solution

by:whippy_bb (earned 2000 total points)
ID: 10762444
Hi NetworkFrontier

The simplest and quickest thing to do, before getting into the IOS firewall configs, is to create a restrictive access list like the following:

router#
router#conf t
router(config)#
router(config)#no ip source-route
router(config)#
router(config)#! drop packets arriving from outside that carry a private (spoofed) source address
router(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
router(config)#! IOS port ranges are written 'range LOW HIGH', not 'LOW:HIGH'
router(config)#access-list 100 deny tcp any any range 7777 7778
router(config)#access-list 100 deny tcp any any range 9000 9013
router(config)#access-list 100 deny tcp any any eq 9999
router(config)#access-list 100 deny tcp any any range 20000 50000
router(config)#access-list 100 deny udp any any range 7777 7778
router(config)#access-list 100 deny udp any any range 20000 50000
router(config)#access-list 100 deny ip any host 204.163.168.10
router(config)#access-list 100 deny ip any host 203.157.101.242
router(config)#access-list 100 deny ip any host 204.120.117.1
router(config)#access-list 100 permit tcp any any established
router(config)#access-list 100 permit icmp any any echo-reply
router(config)#access-list 100 permit icmp any any time-exceeded
router(config)#access-list 100 permit icmp any any unreachable
router(config)#access-list 100 deny icmp any any
router(config)#access-list 100 permit ip any any log
router(config)#
router(config)#! only these internal ranges may open a vty (telnet) session to the router
router(config)#access-list 110 permit ip 172.28.0.0 0.0.255.255 any
router(config)#access-list 110 permit ip 172.21.0.0 0.0.255.255 any
router(config)#line vty 0 4
router(config-line)#access-class 110 in
router(config-line)#exit
router(config)#int s0/0
router(config-if)#ip access-group 100 in
router(config-if)#int s0/1
router(config-if)#ip access-group 100 in
router(config-if)#exit
router(config)#exit
router#wr mem

This will restrict spoofed private addresses from the outside world entering your network, block all the ports you requested, allow only ICMP replies and then allow but log all other traffic so that you can restrict further if you require. Access list 110 will restrict telnet access further to only the private IP range you have. Obviously you will need to change the IPs for your current ones.
Regards


Whippy :)
LVL 6

Expert Comment

by:Pascal666
ID: 10772740
>tcp,  Distination Ports, 20000:50000

This is the majority of the dynamic ports used by TCP.  If you block these, most of your applications will no longer work.

-Pascal
LVL 6

Expert Comment

by:Pascal666
ID: 10772886
> IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b)

This indicates you have the "Enterprise Basic" feature set.  You do not have the IOS firewall/IDS feature set.

-Pascal
LVL 1

Expert Comment

by:whippy_bb
ID: 10775110
Thanks Pascal

I wasn't thinking straight when I wrote out the access-list. You would want to enter it this way:

router(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any

router(config)#! 'established' now sits before the port denies, so replies to your users'
router(config)#! outbound connections are accepted before the high-port blocks are checked
router(config)#access-list 100 permit tcp any any established

router(config)#access-list 100 deny tcp any any range 7777 7778
router(config)#access-list 100 deny tcp any any range 9000 9013
router(config)#access-list 100 deny tcp any any eq 9999
router(config)#access-list 100 deny tcp any any range 20000 50000
router(config)#access-list 100 deny udp any any range 7777 7778
router(config)#access-list 100 deny udp any any range 20000 50000
router(config)#access-list 100 deny ip any host 204.163.168.10
router(config)#access-list 100 deny ip any host 203.157.101.242
router(config)#access-list 100 deny ip any host 204.120.117.1
router(config)#access-list 100 permit icmp any any echo-reply
router(config)#access-list 100 permit icmp any any time-exceeded
router(config)#access-list 100 permit icmp any any unreachable
router(config)#access-list 100 deny icmp any any
router(config)#access-list 100 permit ip any any log
router(config)#! no 'deny ip any any log' after this: an entry following 'permit ip any any' can never match

This should make any reply packets to your users' requests be accepted, but any "scans" to the upper ports will be blocked. If there are any issues with the access list, you can view the log file to see where the drops are happening.

Whippy :)
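As an added illustration that is not part of the thread, here is a small Python evaluator for the subset of IOS extended-ACL syntax used in the two lists above (the names Packet, parse_ace, evaluate, corrected_order and unreachable_after_catchall are mine, and the addresses are RFC 5737 documentation values constructed for the example). It replays the accepted answer's first ordering and Whippy's corrected ordering against a few packets: a web server's reply to a user's ephemeral port 30000 is dropped by the 20000-50000 deny in the first list (Pascal's point), is permitted once the established line is moved up, while a bare SYN to the same port is still blocked in both. It also reports entries that can never match because a plain permit/deny ip any any precedes them.

```python
# Added example (not from the thread): first-match evaluator for the subset of
# Cisco IOS extended-ACL syntax the answers use. Addresses and packets are
# constructed sample values (RFC 5737 ranges), not real traffic.
from collections import namedtuple
import ipaddress
import re

# ack = TCP ACK/RST bit set, which is what the 'established' keyword tests
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type", defaults=(0, 0, False, ""))

def _addr_matches(spec, addr):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (wildcard 1-bits = don't care)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in spec.split())
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care

def parse_ace(line):
    """Parse one access-list entry (only destination-port operators are supported)."""
    m = re.match(r"^access-list\s+\d+\s+(permit|deny)\s+(ip|tcp|udp|icmp)\s+(.*)$", line.strip())
    if not m:
        raise ValueError("unsupported line: " + line)
    action, proto, rest = m.groups()
    toks = rest.split()
    def take_addr():  # 'any' is one token; 'host X' and 'X WILDCARD' are two
        return toks.pop(0) if toks[0] == "any" else toks.pop(0) + " " + toks.pop(0)
    ace = {"action": action, "proto": proto, "src": take_addr(), "dst": take_addr(),
           "ports": None, "established": False, "icmp_type": None, "log": False}
    while toks:
        t = toks.pop(0)
        if t == "eq":
            p = int(toks.pop(0))
            ace["ports"] = (p, p)
        elif t == "range":  # IOS wants 'range LOW HIGH', not 'LOW:HIGH'
            ace["ports"] = (int(toks.pop(0)), int(toks.pop(0)))
        elif t in ("established", "log"):
            ace[t] = True
        elif proto == "icmp":
            ace["icmp_type"] = t  # e.g. echo-reply, time-exceeded, unreachable
        else:
            raise ValueError("unsupported keyword: " + t)
    return ace

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (_addr_matches(ace["src"], pkt.src) and _addr_matches(ace["dst"], pkt.dst)):
        return False
    if ace["ports"] and not ace["ports"][0] <= pkt.dport <= ace["ports"][1]:
        return False
    if ace["established"] and not pkt.ack:
        return False
    return not ace["icmp_type"] or ace["icmp_type"] == pkt.icmp_type

def evaluate(acl, pkt):
    """First matching entry wins; the implicit deny at the end reports index None."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", None

def corrected_order(acl):
    """Whippy's second list: 'established' moved up, right after the anti-spoof denies."""
    anti_spoof = [a for a in acl if a["proto"] == "ip" and a["src"] != "any"]
    est = [a for a in acl if a["established"]]
    return anti_spoof + est + [a for a in acl if a not in anti_spoof and a not in est]

def unreachable_after_catchall(acl):
    """Indexes of entries shadowed by an earlier plain 'permit/deny ip any any'."""
    for i, a in enumerate(acl):
        if a["proto"] == "ip" and a["src"] == a["dst"] == "any" and a["ports"] is None:
            return list(range(i + 1, len(acl)))
    return []

# The accepted answer's list in its first (problematic) order, syntax corrected and
# shortened: some port lines, the host-specific denies and two ICMP permits are omitted.
ORIGINAL_TEXT = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny tcp any any range 7777 7778
access-list 100 deny tcp any any range 20000 50000
access-list 100 deny udp any any range 20000 50000
access-list 100 permit tcp any any established
access-list 100 permit icmp any any echo-reply
access-list 100 deny icmp any any
access-list 100 permit ip any any log
"""
ORIGINAL = [parse_ace(l) for l in ORIGINAL_TEXT.strip().splitlines()]

# Constructed packets; 203.0.113.20 plays the inside user, 198.51.100.7 an outside web server.
REPLY = Packet("tcp", "198.51.100.7", "203.0.113.20", sport=80, dport=30000, ack=True)  # reply to user
SCAN = Packet("tcp", "198.51.100.7", "203.0.113.20", sport=4444, dport=30000)           # bare SYN, high port
SPOOF = Packet("tcp", "10.1.2.3", "203.0.113.20", sport=1, dport=80)                    # private source outside
NEW_WEB = Packet("tcp", "198.51.100.7", "203.0.113.20", sport=50001, dport=80)          # new inbound connection

if __name__ == "__main__":
    for name, pkt in [("reply", REPLY), ("scan", SCAN), ("spoof", SPOOF), ("new_web", NEW_WEB)]:
        print(name, "original:", evaluate(ORIGINAL, pkt), "corrected:", evaluate(corrected_order(ORIGINAL), pkt))
```

Running it prints one line per packet with the matching entry's action and index under each ordering; the only packet whose fate changes between the two lists is the reply to the user's port 30000, which is exactly what the thread is arguing about.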
Question has a verified solution.