Solved

Cisco 7200 Router IOS 12.X Extended Access-lists/Access-groups. Why use access-group out?

Posted on 2004-08-04
4
494 Views
Last Modified: 2010-04-08
I know out is the default for an access-group. Why? The one argument I saw for using in sounds good: why send traffic through the routing engine just to drop it anyway? If traffic is going from the internal network to an external host, drop the traffic entering the internal interface. Why would you ever want to wait?

Also, I want to have a config that denies specific ports from external to internal but allows everything else, and blocks icmp echo-reply out, I think:

access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80
access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 25
access-list 110 permit icmp any any
! temp rule until I figure out what is legit inbound and can add permits
access-list 110 permit ip any any

access-list 120 deny icmp host 192.168.0.10 any echo-reply
access-list 120 permit icmp any any
access-list 120 permit ip any any

! applied to the outside interface
ip access-group 110 in
! applied to the internal interface
ip access-group 120 in


Question by:richw76
4 Comments
 
LVL 23

Expert Comment

by:Tim Holman
Some pointers:

1) permit ip any any will include ALL udp, tcp and icmp.
2) There's an implicit deny at the end of each access-list, e.g. deny ip any any. This isn't displayed in the config file.
3) access-list 120 deny icmp 192.168.0.10 0.0.0.0 any echo-reply

You may as well just deny ICMP full stop...

4) There is a separate icmp enable command, separate from the access-lists.

Post up your config if you need help. I'm not quite sure what you're asking?
LVL 1

Expert Comment

by:Bird_Dog347
Here is a named extended access-list that can be used on a standard IOS Cisco router to act as a basic firewall. This has been tried and tested on numerous organizations and works a treat...

Probably wouldn't handle a DDoS attack :-)

IPAD is where you put your inside IP address!


! Named extended list (the name OUTSIDE-IN is a placeholder; pick your own)
ip access-list extended OUTSIDE-IN
 remark This is the access-list to be placed on the Outside LAN interface
 remark The below set the rfc1918 private exclusions
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 remark Deny Testnet
 deny ip 192.0.2.0 0.0.0.255 any log
 remark Deny packets from localhost, broadcast, and multicast addresses
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 255.0.0.0 0.255.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 remark Deny packets without an IP address
 deny ip host 0.0.0.0 any log
 remark Prevent Spoofing on Routers FA Interfaces (one entry per interface address)
 deny ip host IPAD any log
 deny ip host IPAD any log
 deny ip host IPAD any log
 remark Permit specific ICMP for ping / traceroute response
 permit icmp any IPAD 0.0.0.255 net-unreachable
 permit icmp any IPAD 0.0.0.255 echo-reply
 permit icmp any IPAD 0.0.0.255 echo
 permit icmp any IPAD 0.0.0.255 host-unreachable
 permit icmp any IPAD 0.0.0.255 port-unreachable
 permit icmp any IPAD 0.0.0.255 packet-too-big
 permit icmp any IPAD 0.0.0.255 administratively-prohibited
 permit icmp any IPAD 0.0.0.255 source-quench
 permit icmp any IPAD 0.0.0.255 ttl-exceeded
 remark Allow specific ports access to network
 permit tcp any IPAD 0.0.0.255 eq www
 permit tcp any IPAD 0.0.0.255 eq 443
 permit tcp any IPAD 0.0.0.255 eq smtp
 permit tcp any IPAD 0.0.0.255 eq pop3
 permit tcp any IPAD 0.0.0.255 eq 143
 permit tcp any IPAD 0.0.0.255 eq ftp-data
 permit tcp any IPAD 0.0.0.255 eq ftp
 permit tcp any IPAD 0.0.0.255 eq nntp
 permit tcp any IPAD 0.0.0.255 eq 8081
 permit tcp any IPAD 0.0.0.255 eq domain
 permit udp any IPAD 0.0.0.255 eq domain
 remark Allow RADIUS Proxy Access
 permit udp any IPAD 0.0.0.255 eq 1645
 permit udp any IPAD 0.0.0.255 eq 1646
 permit tcp any IPAD 0.0.0.255 eq 1646
 remark permit PCAnywhere
 permit tcp any any eq 5631
 permit tcp any any eq 5632
 permit udp any any eq 5631
 permit udp any any eq 5632
 permit tcp any any eq 65301
 permit tcp any any eq 22
 permit udp any any eq 65301
 permit udp any any eq 22
 remark Permit Established connections
 permit tcp any IPAD 0.0.0.255 established
 remark Permit Internal DNS Out
 permit udp any eq domain any
 remark NOTE: the next entry matches every remaining UDP packet, so no UDP ever reaches the logged deny at the end
 permit udp any any
 remark Deny and log anything that doesn't comply to these rules
 deny ip any any log
!
! Apply it inbound on the outside interface (interface name is a placeholder)
interface <outside-interface>
 ip access-group OUTSIDE-IN in
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
Applying an access-list out on an interface is useful when you have numerous interfaces on the router and you want to block traffic for all "inside" interfaces leaving the "outside" interface.  In this situation, only one access-list is required outbound versus an inbound access-list on all "inside" interfaces.
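An added example, not code from the thread or from any of the posters, to make two points in this thread concrete in working code: Tim Holman's pointers that an access-list is evaluated top down with an implicit deny at the end, and JFrederick29's point that one outbound list on the outside interface covers traffic from every inside interface, where inbound lists need one per inside interface. It is a small Python model of IOS wildcard matching, first-match evaluation and in/out access-group placement; the interface names (Fa0/1..Fa0/3, Se0/0), subnets, hosts and ACL names are assumptions made for the illustration, and the egress interface is passed in instead of coming from a route lookup.

```python
"""Added example, not code from the thread: a small model of how an IOS extended
access-list is evaluated (first match wins, implicit deny at the end) and of where
an 'in' and an 'out' access-group take effect. Interface names, subnets, hosts
and ACL names below are assumptions made for the illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[str] = None  # e.g. "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One entry; src/dst are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def addr_match(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    base, wild = spec.split()
    b, w, a = (int(IPv4Address(x)) for x in (base, wild, addr))
    return (b & ~w) == (a & ~w)


def ace_match(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and addr_match(ace.src, pkt.src) and addr_match(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First matching entry wins; no match hits the implicit deny (index -1)."""
    for i, ace in enumerate(acl):
        if ace_match(ace, pkt):
            return ace.action, i
    return "deny", -1


class Router:
    """'in' lists run on the ingress interface before routing, 'out' lists on the
    egress interface after it. Egress is passed in; a real router routes it."""
    def __init__(self) -> None:
        self.acls: Dict[str, List[Ace]] = {}
        self.applied: Dict[Tuple[str, str], str] = {}   # (iface, dir) -> acl name

    def access_group(self, iface: str, direction: str, name: str, acl: List[Ace]) -> None:
        self.acls[name] = acl
        self.applied[(iface, direction)] = name

    def forward(self, pkt: Packet, ingress: str, egress: str) -> Tuple[str, str]:
        for iface, direction in ((ingress, "in"), (egress, "out")):
            name = self.applied.get((iface, direction))
            if name and evaluate(self.acls[name], pkt)[0] == "deny":
                return "deny", f"{name} {direction} on {iface}"
        return "permit", "forwarded"


# The question's access-list 110, applied 'in' on the outside interface.
ACL_110 = [
    Ace("deny", "tcp", "any", "192.168.0.0 0.0.0.255", dport=80),
    Ace("deny", "tcp", "any", "192.168.0.0 0.0.0.255", dport=25),
    Ace("permit", "icmp", "any", "any"),
    Ace("permit", "ip", "any", "any"),
]
# The question's other policy: stop echo-replies from leaving for the Internet.
BLOCK_ECHO_REPLY = [
    Ace("deny", "icmp", "any", "any", icmp_type="echo-reply"),
    Ace("permit", "ip", "any", "any"),
]


def build_demo() -> Tuple[Router, Router]:
    """Assumed topology: inside LANs on Fa0/1..Fa0/3, Internet link on Se0/0.
    per_inside   = 'ip access-group IN-<iface> in' on each of the three inside interfaces
    one_outbound = 'ip access-group OUTSIDE-OUT out' on Se0/0 alone (one list)"""
    per_inside, one_outbound = Router(), Router()
    for iface in ("Fa0/1", "Fa0/2", "Fa0/3"):
        per_inside.access_group(iface, "in", f"IN-{iface}", BLOCK_ECHO_REPLY)
    one_outbound.access_group("Se0/0", "out", "OUTSIDE-OUT", BLOCK_ECHO_REPLY)
    return per_inside, one_outbound
```

Call `build_demo()` and feed both routers the same packets with `forward(pkt, ingress, egress)`: for an echo-reply from 192.168.2.10 heading out Se0/0 the three inbound lists and the single outbound list give the same deny, but for an echo-reply from 192.168.1.10 to 192.168.2.20 only the inbound lists fire, because LAN-to-LAN traffic never crosses the outside interface. `evaluate(ACL_110, pkt)` shows the first-match rule: a `permit ip any any` near the top ends evaluation for everything that reaches it, and the implicit deny (index -1) is only reached by packets that no earlier entry matched, as you can see by evaluating `ACL_110[:3]` against a UDP packet. One more IOS behaviour the model does not show: an outbound list does not filter packets the router itself originates.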
Author Comment

by:richw76
JFrederick29 I wish I could give you extra points for actually reading my question before you answered it ;-) Thanks that makes sense.