We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

Basic Firewall for Cisco3620

networkfrontier
on
Medium Priority
314 Views
Last Modified: 2010-04-17
hi,

I am looking for some basic firewalling config for my 3620.    

I want to protect against some of the common DOS attacks and filter out a few other things
such as :  

udp, Distination Ports, 20000:50000
tcp,  Distination Ports, 20000:50000
tcp,  Distination Ports, 9999
tcp,  Distination Ports, 9000:9013
tcp,  Distination Ports, 7777:7778
udp, Distination Ports, 7777:7778


Can someone help some config examples.

Thanks

Mark Anderson
Comment
Watch Question

Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Do you have the IOS firewall/IDS feature set?

Author

Commented:
Yes,  Ver :

IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
>tcp,  Distination Ports, 20000:50000

This is the majority of the dynamic ports used by TCP.  If you block these, most of your applicaions will no longer work.

-Pascal
> IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b)

This indicates you have the "Enterprise Basic" feature set.  You do not have the IOS firewall/IDS feature set.

-Pascal
Thanks Pascal

I wasn't thinking straight when I wrote out the access-list. You would want to enter it this way:

router(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255.0 any
router(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any

router(config)#access-list 100 permit tcp any any established

router(config)#access-list 100 deny tcp any any range 7777:7778
router(config)#access-list 100 deny tcp any any range 9000:9013
router(config)#access-list 100 deny tcp any any eq 9999
router(config)#access-list 100 deny tcp any any range 20000:50000
router(config)#access-list 100 deny udp any any range 7777:7778
router(config)#access-list 100 deny udp any any range 20000:50000
router(config)#access-list 100 deny ip any host 204.163.168.10
router(config)#access-list 100 deny ip any host 203.157.101.242
router(config)#access-list 100 deny ip any host 204.120.117.1
router(config)#access-list 100 permit icmp any any eq reply
router(config)#access-list 100 permit icmp any any eq time-expired
router(config)#access-list 100 permit icmp any any eq destination-unreachable
router(config)#access-list 100 deny icmp any any
router(config)#access-list 100 permit ip any any log
router(config)#access-list 100 deny ip any any log

This should make any reply packets to your users requests be accepted, but any "scans" to the upper ports will be blocked. If there are any issues with the access list, you can view the log file to see where the drops are happening.

Whippy :)
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.