[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 311
  • Last Modified:

cisco firewall access rules

Instead of having on the inside interface allow "ip any any". which ports\services should I allow so I can remove the "ip any any"? I can think of 80/443 and DNS, any other that I may need? I wouldnt want to remove the "ip any any" and then lock myself out.
0
tolinrome
Asked:
tolinrome
1 Solution
 
Robert Sutton JrSenior Network ManagerCommented:
Your question is very vague especially when we cannot see your configuration that you are referring too. Please post a "sanitized copy" of your config and tell us what your overall intent is for us to better assist you in completing this task. Thanks.
0
 
tolinromeAuthor Commented:
Its a new firewall with the default settings on the inside interface, which is "ip any any". There is no problem the way it is right now, but having "ip any any" pretty much opens it up to everything. I'm just thinking of general ports to open for common access to a few clients behind the firewall - 80/443, 53, other than that any suggestions as what to add? The reason is I do not want the "ip any any" and want to lock it down to only what is needed. But if I disable the any any I may not be able to get back in to make changes needed. Thanks.
0
 
Don JohnstonInstructorCommented:
The default doesn't allow traffic inbound other than responses to traffic generated from the inside.

So no outside initiated traffic can get inside.

But as previously stated, it's hard to say without seeing the config.
0
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

 
tolinromeAuthor Commented:
yes, but those responses generated from the inside need to have an acl for them to go out no?
0
 
Don JohnstonInstructorCommented:
There won't be a response to outside initiated traffic because the inside host will never receive it.
0
 
MattCommented:
Even if you allow very narrow list of ports, you are still not protected because most of todays malicious code sends data from infected client using HTTP or HTTPS and this is valid traffic for router.

One idea might be to allow only your subnet to the internet (for example 10.10.10.0/24 is your local subnet - so some weird client with its own address won't be able to access public network - I assume you have turned off "IP Proxy-arp" to prevent help from router to the clients who don't have gateway):

permit ip 10.10.10.0 255.255.255.0 any

Then if you will allow streaming traffic, iTunes, Apple etc etc you will have to open high ports for Amazon, Apple, Facebook networks...
0
 
tolinromeAuthor Commented:
Thanks for the explanation.
0

Featured Post

The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now