Solved

Basic Firewall for Cisco3620

Posted on 2004-04-05
6
293 Views
Last Modified: 2010-04-17
hi,

I am looking for some basic firewalling config for my 3620.    

I want to protect against some of the common DOS attacks and filter out a few other things
such as :  

udp, Distination Ports, 20000:50000
tcp,  Distination Ports, 20000:50000
tcp,  Distination Ports, 9999
tcp,  Distination Ports, 9000:9013
tcp,  Distination Ports, 7777:7778
udp, Distination Ports, 7777:7778


Can someone help some config examples.

Thanks

Mark Anderson
0
Comment
Question by:networkfrontier
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10760717
Do you have the IOS firewall/IDS feature set?
0
 

Author Comment

by:networkfrontier
ID: 10760885
Yes,  Ver :

IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
0
 
LVL 1

Accepted Solution

by:
whippy_bb earned 500 total points
ID: 10762444
Hi NetworkFrontier

The simpliest and quickest thing to do - before getting into the IOS firewall configs, is to create a restrictive access list like the following:

router#
router#conf t
router(config)#
router(config)#no ip source-rout
router(config)#
router(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255.0 any
router(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
router(config)#access-list 100 deny tcp any any range 7777:7778
router(config)#access-list 100 deny tcp any any range 9000:9013
router(config)#access-list 100 deny tcp any any eq 9999
router(config)#access-list 100 deny tcp any any range 20000:50000
router(config)#access-list 100 deny udp any any range 7777:7778
router(config)#access-list 100 deny udp any any range 20000:50000
router(config)#access-list 100 deny ip any host 204.163.168.10
router(config)#access-list 100 deny ip any host 203.157.101.242
router(config)#access-list 100 deny ip any host 204.120.117.1
router(config)#access-list 100 permit tcp any any established
router(config)#access-list 100 permit icmp any any eq reply
router(config)#access-list 100 permit icmp any any eq time-expired
router(config)#access-list 100 permit icmp any any eq destination-unreachable
router(config)#access-list 100 deny icmp any any
router(config)#access-list 100 permit ip any any log
router(config)#
router(config)#access-list 110 permit ip 172.28.0.0 0.0.255.255 any
router(config)#access-list 110 permit ip 172.21.0.0 0.0.255.255 any
router(config)#line vty 0-4
router(config-line)#access-class 110 in
router(config)#int s0/0
router(config-if)#ip access-group 100 in
router(config-if)#int s0/1
router(config-if)#ip access-group 100 in
router(config-if)#exit
router(config)#exit
router#wr mem

This will restrict spoofed private addresses from the outside world entering your network, bloock all the ports you requested, allow only icmp reply's and then allow but log all other traffic so that you can restrict further if you require. The access 110 will restrict telnet access further to only the private IP range you have. Obviously you will need to change the IP's for the current new one's.
Regards


Whippy :)
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 6

Expert Comment

by:Pascal666
ID: 10772740
>tcp,  Distination Ports, 20000:50000

This is the majority of the dynamic ports used by TCP.  If you block these, most of your applicaions will no longer work.

-Pascal
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10772886
> IOS (tm) 3600 Software (C3620-J1S3-M), Version 12.3(5b)

This indicates you have the "Enterprise Basic" feature set.  You do not have the IOS firewall/IDS feature set.

-Pascal
0
 
LVL 1

Expert Comment

by:whippy_bb
ID: 10775110
Thanks Pascal

I wasn't thinking straight when I wrote out the access-list. You would want to enter it this way:

router(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255.0 any
router(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any

router(config)#access-list 100 permit tcp any any established

router(config)#access-list 100 deny tcp any any range 7777:7778
router(config)#access-list 100 deny tcp any any range 9000:9013
router(config)#access-list 100 deny tcp any any eq 9999
router(config)#access-list 100 deny tcp any any range 20000:50000
router(config)#access-list 100 deny udp any any range 7777:7778
router(config)#access-list 100 deny udp any any range 20000:50000
router(config)#access-list 100 deny ip any host 204.163.168.10
router(config)#access-list 100 deny ip any host 203.157.101.242
router(config)#access-list 100 deny ip any host 204.120.117.1
router(config)#access-list 100 permit icmp any any eq reply
router(config)#access-list 100 permit icmp any any eq time-expired
router(config)#access-list 100 permit icmp any any eq destination-unreachable
router(config)#access-list 100 deny icmp any any
router(config)#access-list 100 permit ip any any log
router(config)#access-list 100 deny ip any any log

This should make any reply packets to your users requests be accepted, but any "scans" to the upper ports will be blocked. If there are any issues with the access list, you can view the log file to see where the drops are happening.

Whippy :)
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Server 172.16.200.2  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address 172.16.100.2. But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question