Solved

cisco firewall access rules

Posted on 2014-10-16
7
298 Views
Last Modified: 2014-10-16
Instead of having on the inside interface allow "ip any any". which ports\services should I allow so I can remove the "ip any any"? I can think of 80/443 and DNS, any other that I may need? I wouldnt want to remove the "ip any any" and then lock myself out.
0
Comment
Question by:tolinrome
7 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 40384304
Your question is very vague especially when we cannot see your configuration that you are referring too. Please post a "sanitized copy" of your config and tell us what your overall intent is for us to better assist you in completing this task. Thanks.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 40384341
Its a new firewall with the default settings on the inside interface, which is "ip any any". There is no problem the way it is right now, but having "ip any any" pretty much opens it up to everything. I'm just thinking of general ports to open for common access to a few clients behind the firewall - 80/443, 53, other than that any suggestions as what to add? The reason is I do not want the "ip any any" and want to lock it down to only what is needed. But if I disable the any any I may not be able to get back in to make changes needed. Thanks.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40384602
The default doesn't allow traffic inbound other than responses to traffic generated from the inside.

So no outside initiated traffic can get inside.

But as previously stated, it's hard to say without seeing the config.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 7

Author Comment

by:tolinrome
ID: 40384609
yes, but those responses generated from the inside need to have an acl for them to go out no?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40384642
There won't be a response to outside initiated traffic because the inside host will never receive it.
0
 
LVL 6

Accepted Solution

by:
Matt earned 500 total points
ID: 40384643
Even if you allow very narrow list of ports, you are still not protected because most of todays malicious code sends data from infected client using HTTP or HTTPS and this is valid traffic for router.

One idea might be to allow only your subnet to the internet (for example 10.10.10.0/24 is your local subnet - so some weird client with its own address won't be able to access public network - I assume you have turned off "IP Proxy-arp" to prevent help from router to the clients who don't have gateway):

permit ip 10.10.10.0 255.255.255.0 any

Then if you will allow streaming traffic, iTunes, Apple etc etc you will have to open high ports for Amazon, Apple, Facebook networks...
0
 
LVL 7

Author Closing Comment

by:tolinrome
ID: 40384717
Thanks for the explanation.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
anyconnect password change 2 33
Radius Debug Error 16 55
Network Switches Keep Failing 8 69
access vs trunk with voice vlan 2 20
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now