Solved

Cisco 7200 Router IOS 12.X Extended Access-lists/Access-groups.  Why use access group out.

Posted on 2004-08-04
4
501 Views
Last Modified: 2010-04-08
I know out is the default for an access-group. Why? The one argument I saw for using in sounds good: why send traffic through the routing engine just to drop it anyway? If traffic is going from the internal network to an external host, drop the traffic entering the internal interface. Why would you ever want to wait?

Also I want to have a config that denies specific ports from external to internal but allows everything else, and blocks icmp echo-reply out, I think.

access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80
access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 25
access-list 110 permit icmp any any
! temp rule until I figure out what is legit inbound and can add permits
access-list 110 permit ip any any

access-list 120 deny icmp 192.168.0.10 0.0.0.0 any echo-reply
access-list 120 permit icmp any any
access-list 120 permit ip any any

! applied to the outside interface (interface configuration mode)
ip access-group 110 in
! applied to the internal interface (interface configuration mode)
ip access-group 120 in


0
Question by:richw76
4 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11721266
Some pointers:

1) permit IP any any will include ALL udp, tcp and icmp.
2) There's an implicit deny at the end of each access-list, e.g. deny ip any any. This isn't displayed in the config file.
3) access-list 120 deny icmp 192.168.0.10 0.0.0.0 any echo-reply

You may as well just deny ICMP full stop...

4) There is a separate icmp enable command, separate from the access-lists.

Post up your config if you need help - I'm not quite sure what you're asking?
0
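To make points 1 and 2 above concrete, here is an added Python evaluator (not code from the thread) that applies the asker's list 110 to sample packets with IOS first-match semantics and the implicit deny at the end. It handles only the syntax the asker's lists use (any/host/wildcard addresses, a numeric destination port after eq, an ICMP type keyword, log); the packet addresses are constructed.

```python
import ipaddress

# Constructed sample: the asker's list 110, as posted in the question.
ACL_110 = [
    "access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80",
    "access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 25",
    "access-list 110 permit icmp any any",
    "access-list 110 permit ip any any",
]

def _match_addr(spec, addr):
    """spec is ['any'], ['host', A] or [A, WILDCARD]; a 1 bit in the wildcard means 'don't care'."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return addr == spec[1]
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def _parse_ace(line):
    """Split 'access-list N action proto src dst [eq PORT] [icmp-type] [log]' into fields."""
    toks = line.lower().split()
    action, proto, rest = toks[2], toks[3], toks[4:]
    def take(t):  # 'any' is one token; 'host A' and 'A WILDCARD' are two
        n = 1 if t[0] == "any" else 2
        return t[:n], t[n:]
    src, rest = take(rest)
    dst, rest = take(rest)
    dport = icmp_type = None
    while rest:
        if rest[0] == "eq":
            dport, rest = int(rest[1]), rest[2:]
        elif rest[0] == "log":
            rest = rest[1:]
        else:                          # bare keyword such as echo-reply
            icmp_type, rest = rest[0], rest[1:]
    return action, proto, src, dst, dport, icmp_type

def evaluate(acl, pkt):
    """First matching entry wins; falling off the end is the implicit 'deny ip any any'."""
    for line in acl:
        action, proto, src, dst, dport, icmp_type = _parse_ace(line)
        if proto != "ip" and proto != pkt["proto"]:   # 'ip' covers tcp, udp and icmp
            continue
        if not (_match_addr(src, pkt["src"]) and _match_addr(dst, pkt["dst"])):
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        if icmp_type is not None and icmp_type != pkt.get("icmp_type"):
            continue
        return action, line
    return "deny", "implicit deny ip any any"

if __name__ == "__main__":
    web = {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.0.5", "dport": 80}
    dns = {"proto": "udp", "src": "203.0.113.9", "dst": "192.168.0.5", "dport": 53}
    print(evaluate(ACL_110, web))       # denied by the first line
    print(evaluate(ACL_110, dns))       # 'permit ip any any' covers udp too
    print(evaluate(ACL_110[:3], dns))   # without the temp rule: implicit deny
```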
 
LVL 1

Expert Comment

by:Bird_Dog347
ID: 11728034
Here is a named extended access-list that can be used
on a standard IOS Cisco router to act as a basic firewall. This has been tried and tested on numerous organizations
and works a treat...

Probably wouldn't handle a DDoS attack :-)

IPAD is where you put your inside IP address!


! The named-ACL header was omitted in the post; OUTSIDE-IN is a placeholder name
ip access-list extended OUTSIDE-IN
remark This is the access-list to be placed on the Outside LAN interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
remark Deny Testnet
deny ip 192.0.2.0 0.0.0.255 any log
remark Deny packets from localhost, broadcast, and multicast addresses
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
remark Deny packets without an IP address
deny ip host 0.0.0.0 any log
remark Prevent Spoofing on Routers FA Interfaces
deny ip host IPAD any log
deny ip host IPAD any log
deny ip host IPAD any log
remark Permit specific ICMP for ping / traceroute response
permit icmp any IPAD 0.0.0.255 net-unreachable
permit icmp any IPAD 0.0.0.255 echo-reply
permit icmp any IPAD 0.0.0.255 echo
permit icmp any IPAD 0.0.0.255 host-unreachable
permit icmp any IPAD 0.0.0.255 port-unreachable
permit icmp any IPAD 0.0.0.255 packet-too-big
permit icmp any IPAD 0.0.0.255 administratively-prohibited
permit icmp any IPAD 0.0.0.255 source-quench
permit icmp any IPAD 0.0.0.255 ttl-exceeded
remark Allow specific ports access to network
permit tcp any IPAD 0.0.0.255 eq www
permit tcp any IPAD 0.0.0.255 eq 443
permit tcp any IPAD 0.0.0.255 eq smtp
permit tcp any IPAD 0.0.0.255 eq pop3
permit tcp any IPAD 0.0.0.255 eq 143
permit tcp any IPAD 0.0.0.255 eq ftp-data
permit tcp any IPAD 0.0.0.255 eq ftp
permit tcp any IPAD 0.0.0.255 eq nntp
permit tcp any IPAD 0.0.0.255 eq 8081
permit tcp any IPAD 0.0.0.255 eq domain
permit udp any IPAD 0.0.0.255 eq domain
remark Allow RADIUS Proxy Access
permit udp any IPAD 0.0.0.255 eq 1645
permit udp any IPAD 0.0.0.255 eq 1646
permit tcp any IPAD 0.0.0.255 eq 1646
remark permit PCAnywhere
permit tcp any any eq 5631
permit tcp any any eq 5632
permit udp any any eq 5631
permit udp any any eq 5632
permit tcp any any eq 65301
permit tcp any any eq 22
permit udp any any eq 65301
permit udp any any eq 22
remark Permit Established connections
permit tcp any IPAD 0.0.0.255 established
remark Permit Internal DNS Out
permit udp any eq domain any
remark Deny and log anything that doesn't comply to these rules
permit udp any any
deny ip any any log

0
 
LVL 43

Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 11728148
Applying an access-list out on an interface is useful when you have numerous interfaces on the router and you want to block traffic for all "inside" interfaces leaving the "outside" interface.  In this situation, only one access-list is required outbound versus an inbound access-list on all "inside" interfaces.
0
 

Author Comment

by:richw76
ID: 11788753
JFrederick29 I wish I could give you extra points for actually reading my question before you answered it ;-) Thanks that makes sense.
0
