Solved

Cisco 7200 Router IOS 12.X Extended Access-lists/Access-groups. Why use access-group out?

Posted on 2004-08-04
499 Views
Last Modified: 2010-04-08
I know out is the default for an access-group. Why? The one argument I saw for using in sounds good: why send traffic through the routing engine just to drop it anyway? If traffic is going from the internal network to an external host, drop the traffic entering the internal interface. Why would you ever want to wait?

Also I want to have a config that denies specific ports from external to internal but allows everything else, and blocks ICMP echo-reply out, I think:

access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80
access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 25
access-list 110 permit icmp any any
access-list 110 permit ip any any (temp rule until I figure out what is legit inbound and can add permits)

access-list 120 deny icmp 192.168.0.10 0.0.0.0 any echo-reply
access-list 120 permit icmp any any
access-list 120 permit ip any any

ip access-group 110 in (applied to the outside interface)
ip access-group 120 in (applied to the internal interface)


Question by:richw76
4 Comments
LVL 23

Expert Comment

by:Tim Holman
ID: 11721266
Some pointers:

1) permit ip any any will include ALL udp, tcp and icmp.
2) There's an implicit deny at the end of each access-list, e.g. deny ip any any. This isn't displayed in the config file.
3) access-list 120 deny icmp 192.168.0.10 0.0.0.0 any echo-reply

You may as well just deny ICMP full stop...

4) There is a separate icmp enable command, separate from the access-lists.

Post up your config if you need help - I'm not quite sure what you're asking?
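To make points 1) and 2) concrete, here is a small evaluator, added as an example and not code from the thread, that applies first-match semantics and the implicit deny to the asker's ACL 110 and ACL 120 entries; the packet addresses it is fed are constructed.

```python
# Added example, not the thread's code: a minimal evaluator for Cisco-style numbered
# extended ACL entries (ip/tcp/udp/icmp, any/host/wildcard, "eq <port>" or an ICMP type).
import ipaddress

def _parse_addr(tokens):
    # Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF                     # every bit is "don't care"
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    base = int(ipaddress.IPv4Address(tok))
    return base, int(ipaddress.IPv4Address(tokens.pop(0)))

def _addr_match(addr, base, wild):
    # Wildcard bit 1 = ignore; bits set to 0 must equal the base address.
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    ace = {"action": t[2], "proto": t[3].lower(), "port": None, "icmp": None}
    rest = t[4:]
    ace["src"] = _parse_addr(rest)
    ace["dst"] = _parse_addr(rest)
    if rest[:1] == ["eq"]:
        ace["port"] = int(rest[1])               # numeric destination port
    elif rest and ace["proto"] == "icmp":
        ace["icmp"] = rest[0]                    # e.g. echo-reply
    return ace

def evaluate(acl_lines, proto, src, dst, dport=None, icmp_type=None):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):   # 'ip' covers tcp, udp and icmp
            continue
        if not (_addr_match(src, *ace["src"]) and _addr_match(dst, *ace["dst"])):
            continue
        if ace["port"] not in (None, dport) or ace["icmp"] not in (None, icmp_type):
            continue
        return ace["action"]
    return "deny"   # the implicit deny ip any any, never shown in the config

ACL_110 = [  # the asker's ACL 110 (outside interface, inbound), with the temporary catch-all
    "access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80",
    "access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 25",
    "access-list 110 permit icmp any any",
    "access-list 110 permit ip any any",
]
```

Dropping the last entry (`ACL_110[:3]`) shows the implicit deny taking over for UDP, which the `permit ip any any` line otherwise lets through.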
LVL 1

Expert Comment

by:Bird_Dog347
ID: 11728034
Here is a named extended access-list that can be used
on a standard IOS Cisco router to act as a basic firewall. This has been tried and tested on numerous organizations
and works a treat...

Probably wouldn't handle a DDoS attack :-)

IPAD is where you put your inside IP address!


remark This is the access-list to be placed on the Outside LAN interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
remark Deny Testnet
deny ip 192.0.2.0 0.0.0.255 any log
remark Deny packets from localhost, broadcast, and multicast addresses
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
remark Deny packets without an IP address
deny ip host 0.0.0.0 any log
remark Prevent Spoofing on Routers FA Interfaces
deny ip host IPAD any log
deny ip host IPAD any log
deny ip host IPAD any log
remark Permit specific ICMP for ping / traceroute response
permit icmp any IPAD 0.0.0.255 net-unreachable
permit icmp any IPAD 0.0.0.255 echo-reply
permit icmp any IPAD 0.0.0.255 echo
permit icmp any IPAD 0.0.0.255 host-unreachable
permit icmp any IPAD 0.0.0.255 port-unreachable
permit icmp any IPAD 0.0.0.255 packet-too-big
permit icmp any IPAD 0.0.0.255 administratively-prohibited
permit icmp any IPAD 0.0.0.255 source-quench
permit icmp any IPAD 0.0.0.255 ttl-exceeded
remark Allow specific ports access to network
permit tcp any IPAD 0.0.0.255 eq www
permit tcp any IPAD 0.0.0.255 eq 443
permit tcp any IPAD 0.0.0.255 eq smtp
permit tcp any IPAD 0.0.0.255 eq pop3
permit tcp any IPAD 0.0.0.255 eq 143
permit tcp any IPAD 0.0.0.255 eq ftp-data
permit tcp any IPAD 0.0.0.255 eq ftp
permit tcp any IPAD 0.0.0.255 eq nntp
permit tcp any IPAD 0.0.0.255 eq 8081
permit tcp any IPAD 0.0.0.255 eq domain
permit udp any IPAD 0.0.0.255 eq domain
remark Allow RADIUS Proxy Access
permit udp any IPAD 0.0.0.255 eq 1645
permit udp any IPAD 0.0.0.255 eq 1646
permit tcp any IPAD 0.0.0.255 eq 1646
remark permit PCAnywhere
permit tcp any any eq 5631
permit tcp any any eq 5632
permit udp any any eq 5631
permit udp any any eq 5632
permit tcp any any eq 65301
permit tcp any any eq 22
permit udp any any eq 65301
permit udp any any eq 22
remark Permit Established connections
permit tcp any IPAD 0.0.0.255 established
remark Permit Internal DNS Out
permit udp any eq domain any
remark Deny and log anything that doesn't comply to these rules
permit udp any any
deny ip any any log
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 11728148
Applying an access-list out on an interface is useful when you have numerous interfaces on the router and you want to block traffic for all "inside" interfaces leaving the "outside" interface.  In this situation, only one access-list is required outbound versus an inbound access-list on all "inside" interfaces.
Author Comment

by:richw76
ID: 11788753
JFrederick29, I wish I could give you extra points for actually reading my question before you answered it ;-) Thanks, that makes sense.