Solved

Basic Firewall for Cisco3620

Posted on 2004-04-05
285 Views
Last Modified: 2010-04-17
hi,

I am looking for some basic firewalling config for my 3620.    

I want to protect against some of the common DOS attacks and filter out a few other things
such as :  

udp, Destination Ports, 20000:50000
tcp, Destination Ports, 20000:50000
tcp, Destination Ports, 9999
tcp, Destination Ports, 9000:9013
tcp, Destination Ports, 7777:7778
udp, Destination Ports, 7777:7778


Can someone help with some config examples?

Thanks

Mark Anderson
Question by:networkfrontier
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10760717
Do you have the IOS firewall/IDS feature set?
0
 

Author Comment

by:networkfrontier
ID: 10760885
Yes, version:

IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
0
 
LVL 1

Accepted Solution

by:
whippy_bb earned 500 total points
ID: 10762444
Hi NetworkFrontier

The simplest and quickest thing to do, before getting into the IOS firewall configs, is to create a restrictive access list like the following:

router#
router#conf t
router(config)#
router(config)#no ip source-route
router(config)#
router(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
router(config)#access-list 100 deny tcp any any range 7777 7778
router(config)#access-list 100 deny tcp any any range 9000 9013
router(config)#access-list 100 deny tcp any any eq 9999
router(config)#access-list 100 deny tcp any any range 20000 50000
router(config)#access-list 100 deny udp any any range 7777 7778
router(config)#access-list 100 deny udp any any range 20000 50000
router(config)#access-list 100 deny ip any host 204.163.168.10
router(config)#access-list 100 deny ip any host 203.157.101.242
router(config)#access-list 100 deny ip any host 204.120.117.1
router(config)#access-list 100 permit tcp any any established
router(config)#access-list 100 permit icmp any any echo-reply
router(config)#access-list 100 permit icmp any any time-exceeded
router(config)#access-list 100 permit icmp any any unreachable
router(config)#access-list 100 deny icmp any any
router(config)#access-list 100 permit ip any any log
router(config)#
router(config)#access-list 110 permit ip 172.28.0.0 0.0.255.255 any
router(config)#access-list 110 permit ip 172.21.0.0 0.0.255.255 any
router(config)#line vty 0 4
router(config-line)#access-class 110 in
router(config-line)#int s0/0
router(config-if)#ip access-group 100 in
router(config-if)#int s0/1
router(config-if)#ip access-group 100 in
router(config-if)#exit
router(config)#exit
router#wr mem

This will restrict spoofed private addresses from the outside world entering your network, block all the ports you requested, allow only ICMP replies and then allow but log all other traffic so that you can restrict further if you require. Access-list 110 will restrict telnet access further to only the private IP range you have. Obviously you will need to change the IPs for the current new ones.

Regards

Whippy :)
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10772740
>tcp, Destination Ports, 20000:50000

This is the majority of the dynamic ports used by TCP. If you block these, most of your applications will no longer work.

-Pascal
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10772886
> IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b)

This indicates you have the "Enterprise Basic" feature set.  You do not have the IOS firewall/IDS feature set.

-Pascal
0
 
LVL 1

Expert Comment

by:whippy_bb
ID: 10775110
Thanks Pascal

I wasn't thinking straight when I wrote out the access-list. You would want to enter it this way:

router(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any

router(config)#access-list 100 permit tcp any any established

router(config)#access-list 100 deny tcp any any range 7777 7778
router(config)#access-list 100 deny tcp any any range 9000 9013
router(config)#access-list 100 deny tcp any any eq 9999
router(config)#access-list 100 deny tcp any any range 20000 50000
router(config)#access-list 100 deny udp any any range 7777 7778
router(config)#access-list 100 deny udp any any range 20000 50000
router(config)#access-list 100 deny ip any host 204.163.168.10
router(config)#access-list 100 deny ip any host 203.157.101.242
router(config)#access-list 100 deny ip any host 204.120.117.1
router(config)#access-list 100 permit icmp any any echo-reply
router(config)#access-list 100 permit icmp any any time-exceeded
router(config)#access-list 100 permit icmp any any unreachable
router(config)#access-list 100 deny icmp any any
router(config)#access-list 100 permit ip any any log
router(config)#access-list 100 deny ip any any log

This should make any reply packets to your users' requests be accepted, but any "scans" to the upper ports will be blocked. If there are any issues with the access list, you can view the log file to see where the drops are happening.

Whippy :)
0
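A first-match evaluator for the two versions of access-list 100 in this thread, added here as an illustration; it is not code posted by anyone in the thread. It parses the ACE lines in the syntax IOS actually accepts ("range 7777 7778", a plain "0.255.255.255" wildcard, ICMP message names such as "echo-reply" rather than "eq reply"), leaves out the three host-specific denies because they do not affect the ordering question, and runs constructed packets through both orderings to show Pascal's point about the 20000-50000 block and the effect of moving "permit tcp any any established" ahead of the port denies. The sample addresses (an internal host in the thread's 172.28.0.0/16 and an outside server in 203.0.113.0/24) are made up, and only the ACE keywords used on this page are supported.

```python
"""First-match evaluator for access-list 100 as posted in this thread.

Added illustration, not code from the thread: parses the IOS-style ACE lines
and shows how rule order decides the fate of reply packets to high ports.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0                   # destination port for tcp/udp
    ack: bool = False                # ACK or RST set, which "established" tests
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range
    established: bool = False
    icmp_type: Optional[str] = None
    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and IPv4Address(p.src) in self.src and IPv4Address(p.dst) in self.dst
                and (not self.ports or self.ports[0] <= p.dport <= self.ports[1])
                and (not self.established or p.ack)
                and (not self.icmp_type or p.icmp_type == self.icmp_type))

def _addr(tok, i):
    # Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return (network, next index).
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    # An IOS wildcard is the bitwise inverse of a netmask (0 bits must match).
    netmask = IPv4Address(int(IPv4Address(tok[i + 1])) ^ 0xFFFFFFFF)
    return IPv4Network(f"{tok[i]}/{netmask}", strict=False), i + 2

def parse_ace(line: str) -> Ace:
    tok = line.split()               # access-list <n> <action> <proto> <src> <dst> ...
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    ports, icmp_type, established = None, None, False
    while i < len(tok):
        if tok[i] == "eq":
            ports, i = (int(tok[i + 1]), int(tok[i + 1])), i + 2
        elif tok[i] == "range":
            ports, i = (int(tok[i + 1]), int(tok[i + 2])), i + 3
        elif tok[i] == "established":
            established, i = True, i + 1
        elif tok[i] == "log":
            i += 1                   # logging does not change the verdict
        elif proto == "icmp":
            icmp_type, i = tok[i], i + 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return Ace(action, proto, src, dst, ports, established, icmp_type)

def evaluate(acl, p: Packet) -> str:
    # First match wins; IOS ends every access list with an implicit deny.
    return next((ace.action for ace in acl if ace.matches(p)), "deny")

RFC1918 = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
           "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
           "access-list 100 deny ip 192.168.0.0 0.0.255.255 any"]
PORT_DENIES = ["access-list 100 deny tcp any any range 7777 7778",
               "access-list 100 deny tcp any any range 9000 9013",
               "access-list 100 deny tcp any any eq 9999",
               "access-list 100 deny tcp any any range 20000 50000",
               "access-list 100 deny udp any any range 7777 7778",
               "access-list 100 deny udp any any range 20000 50000"]
ESTABLISHED = ["access-list 100 permit tcp any any established"]
TAIL = ["access-list 100 permit icmp any any echo-reply",
        "access-list 100 permit icmp any any time-exceeded",
        "access-list 100 permit icmp any any unreachable",
        "access-list 100 deny icmp any any",
        "access-list 100 permit ip any any log"]
ACL_FIRST = [parse_ace(l) for l in RFC1918 + PORT_DENIES + ESTABLISHED + TAIL]  # first answer
ACL_FIXED = [parse_ace(l) for l in RFC1918 + ESTABLISHED + PORT_DENIES + TAIL]  # corrected

# Constructed traffic: internal user 172.28.1.10 (the thread's 172.28.0.0/16), outside server 203.0.113.7.
SAMPLES = {
    "web reply to ephemeral port": Packet("tcp", "203.0.113.7", "172.28.1.10", 32000, ack=True),
    "SYN to a high port": Packet("tcp", "203.0.113.7", "172.28.1.10", 32000),
    "spoofed RFC1918 source": Packet("tcp", "10.1.2.3", "172.28.1.10", 80, ack=True),
    "ping reply": Packet("icmp", "203.0.113.7", "172.28.1.10", icmp_type="echo-reply"),
}

def compare(name: str):
    # (verdict under the first answer's order, verdict under the corrected order)
    return evaluate(ACL_FIRST, SAMPLES[name]), evaluate(ACL_FIXED, SAMPLES[name])
```

compare("web reply to ephemeral port") returns ('deny', 'permit'): under the first ordering the server's reply to the user's ephemeral port hits the 20000-50000 deny before the established rule is reached, while the corrected ordering accepts it. A bare SYN to the same port is denied under both orderings, so the "scan" protection survives the reorder, a packet with a spoofed 10.x source is dropped by the first line either way, and the ICMP lines still admit only replies, time-exceeded and unreachable messages.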
