Solved

Basic Firewall for Cisco3620

Posted on 2004-04-05
295 Views
Last Modified: 2010-04-17
hi,

I am looking for some basic firewalling config for my 3620.    

I want to protect against some of the common DOS attacks and filter out a few other things
such as :  

udp, Destination Ports, 20000:50000
tcp, Destination Ports, 20000:50000
tcp, Destination Ports, 9999
tcp, Destination Ports, 9000:9013
tcp, Destination Ports, 7777:7778
udp, Destination Ports, 7777:7778


Can someone help with some config examples?

Thanks

Mark Anderson
Question by:networkfrontier
6 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 10760717
Do you have the IOS firewall/IDS feature set?

Author Comment

by:networkfrontier
ID: 10760885
Yes, version:

IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
LVL 1

Accepted Solution

by: whippy_bb (earned 2000 total points)
ID: 10762444
Hi NetworkFrontier

The simplest and quickest thing to do, before getting into the IOS firewall configs, is to create a restrictive access list like the following:

router#
router#conf t
router(config)#
router(config)#no ip source-route
router(config)#
router(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
router(config)#access-list 100 deny tcp any any range 7777 7778
router(config)#access-list 100 deny tcp any any range 9000 9013
router(config)#access-list 100 deny tcp any any eq 9999
router(config)#access-list 100 deny tcp any any range 20000 50000
router(config)#access-list 100 deny udp any any range 7777 7778
router(config)#access-list 100 deny udp any any range 20000 50000
router(config)#access-list 100 deny ip any host 204.163.168.10
router(config)#access-list 100 deny ip any host 203.157.101.242
router(config)#access-list 100 deny ip any host 204.120.117.1
router(config)#access-list 100 permit tcp any any established
router(config)#access-list 100 permit icmp any any echo-reply
router(config)#access-list 100 permit icmp any any time-exceeded
router(config)#access-list 100 permit icmp any any unreachable
router(config)#access-list 100 deny icmp any any
router(config)#access-list 100 permit ip any any log
router(config)#
router(config)#access-list 110 permit ip 172.28.0.0 0.0.255.255 any
router(config)#access-list 110 permit ip 172.21.0.0 0.0.255.255 any
router(config)#line vty 0 4
router(config-line)#access-class 110 in
router(config-line)#int s0/0
router(config-if)#ip access-group 100 in
router(config-if)#int s0/1
router(config-if)#ip access-group 100 in
router(config-if)#exit
router(config)#exit
router#wr mem

This will restrict spoofed private addresses from the outside world entering your network, block all the ports you requested, allow only ICMP replies and then allow but log all other traffic so that you can restrict further if you require. Access list 110 will restrict telnet access further to only the private IP range you have. Obviously you will need to change the IPs for the current new ones.
Regards


Whippy :)
LVL 6

Expert Comment

by:Pascal666
ID: 10772740
>tcp,  Distination Ports, 20000:50000

This is the majority of the dynamic ports used by TCP.  If you block these, most of your applications will no longer work.

-Pascal
LVL 6

Expert Comment

by:Pascal666
ID: 10772886
> IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b)

This indicates you have the "Enterprise Basic" feature set.  You do not have the IOS firewall/IDS feature set.

-Pascal
LVL 1

Expert Comment

by:whippy_bb
ID: 10775110
Thanks Pascal

I wasn't thinking straight when I wrote out the access-list. You would want to enter it this way:

router(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any

router(config)#access-list 100 permit tcp any any established

router(config)#access-list 100 deny tcp any any range 7777 7778
router(config)#access-list 100 deny tcp any any range 9000 9013
router(config)#access-list 100 deny tcp any any eq 9999
router(config)#access-list 100 deny tcp any any range 20000 50000
router(config)#access-list 100 deny udp any any range 7777 7778
router(config)#access-list 100 deny udp any any range 20000 50000
router(config)#access-list 100 deny ip any host 204.163.168.10
router(config)#access-list 100 deny ip any host 203.157.101.242
router(config)#access-list 100 deny ip any host 204.120.117.1
router(config)#access-list 100 permit icmp any any echo-reply
router(config)#access-list 100 permit icmp any any time-exceeded
router(config)#access-list 100 permit icmp any any unreachable
router(config)#access-list 100 deny icmp any any
router(config)#access-list 100 permit ip any any log
router(config)#access-list 100 deny ip any any log

This should make any reply packets to your users' requests be accepted, but any "scans" to the upper ports will be blocked. If there are any issues with the access list, you can view the log file to see where the drops are happening.

Whippy :)
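Pascal's objection about the 20000-50000 range and whippy's corrected ordering both come down to the same thing: IOS evaluates an ACL top to bottom and stops at the first match, so where "permit tcp any any established" sits decides whether return traffic to a user's ephemeral port survives. The following is an added example, not code from this thread or from Cisco: a small Python first-match evaluator for the numbered extended ACL lines used above, with the thread's syntax errors corrected ("range A B" instead of "A:B", four-octet wildcard masks, and the IOS ICMP keywords echo-reply, time-exceeded and unreachable). It runs both orderings over constructed sample packets; the addresses 203.0.113.5 (an inside host) and 198.51.100.x (the Internet) are made up for the example, and the three "deny ip any host ..." lines are left out because they do not change the result.

```python
# Added example (not from the thread or from Cisco): a first-match evaluator for the
# numbered extended ACL lines used above, showing how rule ORDER decides the outcome.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port
    ack: bool = False     # TCP ACK/RST set, which is what IOS "established" tests
    icmp_type: str = ""   # IOS keyword such as "echo-reply"

# src/dst are IPv4Network or None for "any"; ports is an inclusive (lo, hi) or None
Rule = namedtuple("Rule", "action proto src dst ports established icmp_type")

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A W' (address plus IOS wildcard mask)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    netmask = (~int(ipaddress.IPv4Address(tokens[1]))) & 0xFFFFFFFF  # wildcard = inverted mask
    net = ipaddress.IPv4Network((tokens[0], str(ipaddress.IPv4Address(netmask))), strict=False)
    return net, tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq P | range A B | ICMPTYPE] [established] [log]'."""
    rules = []
    for line in lines:
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        ports, icmp_type = None, ""
        if rest and rest[0] == "eq":
            ports, rest = (int(rest[1]), int(rest[1])), rest[2:]
        elif rest and rest[0] == "range":
            ports, rest = (int(rest[1]), int(rest[2])), rest[3:]
        elif proto == "icmp" and rest and rest[0] != "log":
            icmp_type, rest = rest[0], rest[1:]
        rules.append(Rule(action, proto, src, dst, ports, "established" in rest, icmp_type))
    return rules

def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.ports is not None and not rule.ports[0] <= pkt.dport <= rule.ports[1]:
        return False
    if rule.established and not pkt.ack:
        return False
    if rule.icmp_type and rule.icmp_type != pkt.icmp_type:
        return False
    return True

def evaluate(rules, pkt):
    """Return (action, index of matching rule); IOS ends every ACL with an implicit deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None

# Thread's list with syntax fixed; the three "deny ip any host" lines are left out (no effect here).
SPOOF = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
         "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
         "access-list 100 deny ip 192.168.0.0 0.0.255.255 any"]
PORT_DENIES = ["access-list 100 deny tcp any any range 7777 7778",
               "access-list 100 deny tcp any any range 9000 9013",
               "access-list 100 deny tcp any any eq 9999",
               "access-list 100 deny tcp any any range 20000 50000",
               "access-list 100 deny udp any any range 7777 7778",
               "access-list 100 deny udp any any range 20000 50000"]
ESTABLISHED = ["access-list 100 permit tcp any any established"]
TAIL = ["access-list 100 permit icmp any any echo-reply",
        "access-list 100 permit icmp any any time-exceeded",
        "access-list 100 permit icmp any any unreachable",
        "access-list 100 deny icmp any any",
        "access-list 100 permit ip any any log"]
FIRST_POST = SPOOF + PORT_DENIES + ESTABLISHED + TAIL   # "established" after the port denies
CORRECTED = SPOOF + ESTABLISHED + PORT_DENIES + TAIL    # "established" before them

# Constructed samples: 203.0.113.5 stands in for an inside host, 198.51.100.x for the Internet.
SAMPLES = {
    "web reply to ephemeral port": Packet("tcp", "198.51.100.7", "203.0.113.5", 33333, ack=True),
    "SYN scan of ephemeral port": Packet("tcp", "198.51.100.7", "203.0.113.5", 33333),
    "spoofed RFC1918 source": Packet("tcp", "10.1.2.3", "203.0.113.5", 80, ack=True),
    "DNS reply to ephemeral port": Packet("udp", "198.51.100.53", "203.0.113.5", 33333),
    "ping reply": Packet("icmp", "198.51.100.7", "203.0.113.5", icmp_type="echo-reply"),
}

def verdicts(acl_lines):
    """Verdict for every sample packet under one ACL ordering."""
    rules = parse_acl(acl_lines)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("first post", FIRST_POST), ("corrected", CORRECTED)):
        print(label, verdicts(acl))
```

Under the first ordering the web reply is dropped by "deny tcp any any range 20000 50000" before "established" is ever reached, which is exactly the breakage Pascal describes; under the corrected ordering it is permitted while a bare SYN to the same port, a packet with a spoofed RFC 1918 source and a ping request are still denied. One caveat worth seeing in the output: "established" only exists for TCP, so even the corrected list still drops UDP replies (DNS, for instance) addressed to a client port in 20000-50000, and the "permit ip any any log" at the end is what lets those drops be spotted in the log.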