
Router ACL Security


vzrogers (MIS, US), Sep 12, 2005
Using a router ACL to add additional security to a network. I have some public web servers and an FTP server. I want to restrict as much as possible so that only the incoming traffic specified is allowed to those public web/FTP servers, and all other hosts have only the ability to access Internet sites. Does anyone have any suggestions to make the config below more secure?

Here is the existing router config (please note I have blocked out some IP addresses, or portions of IP addresses, with "x"s):

Router#sh run
Building configuration...

Current configuration : 10092 bytes
!

!
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime

!
hostname Router
!
logging queue-limit 100
logging buffered 4096 debugging

ip subnet-zero
no ip source-route
!
!
ip name-server x.x.x.X
ip name-server x.x.x.x
!
no ip bootp server
!
!
!
!
interface FastEthernet0/0
description connection to Customer LAN
ip address 121.x.x.1 255.x.x.x
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
speed auto
no cdp enable
!
interface Serial0/0
description connection to Location1
bandwidth 1536
ip address 121.x.x.50 255.255.x.x
ip access-group 101 in
encapsulation ppp
no fair-queue
service-module t1 remote-alarm-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
!

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 deny ip 121.x.x.0 0.0.0.63 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit icmp host x.x.x.x host 121.x.x.3 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.4 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.5 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.6 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.7 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.8 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.9 echo
access-list 101 permit tcp any host 121.x.x.3 eq www
access-list 101 permit tcp any host 121.x.x.3 eq 443
access-list 101 permit tcp any host 121.x.x.3 range ftp-data ftp
access-list 101 permit tcp any host 121.x.x.3 eq smtp
access-list 101 permit udp any host 121.x.x.3 eq 80
access-list 101 permit udp any host 121.x.x.3 eq 443
access-list 101 permit udp any host 121.x.x.3 range 20 21
access-list 101 permit udp any host 121.x.x.3 eq 25
access-list 101 permit udp any host 121.x.x.4 eq 80
access-list 101 permit udp any host 121.x.x.4 eq 443
access-list 101 permit tcp any host 121.x.x.4 eq www
access-list 101 permit tcp any host 121.x.x.4 eq 443
access-list 101 permit tcp any host 121.x.x.5 eq www
access-list 101 permit tcp any host 121.x.x.5 eq 443
access-list 101 permit udp any host 121.x.x.5 eq 80
access-list 101 permit udp any host 121.x.x.5 eq 443
access-list 101 permit tcp any host 121.x.x.6 eq www
access-list 101 permit tcp any host 121.x.x.6 eq 443
access-list 101 permit udp any host 121.x.x.6 eq 80
access-list 101 permit udp any host 121.x.x.6 eq 443
access-list 101 permit tcp any host 121.x.x.8 eq www
access-list 101 permit tcp any host 121.x.x.8 eq 443
access-list 101 permit tcp any host 121.x.x.8 range ftp-data 22
access-list 101 permit udp any host 121.x.x.8 eq 80
access-list 101 permit udp any host 121.x.x.8 eq 443
access-list 101 permit udp any host 121.x.x.8 range 20 22
access-list 101 permit tcp any host 121.x.x.9 eq www
access-list 101 permit tcp any host 121.x.x.9 eq 443
access-list 101 permit udp any host 121.x.x.9 eq 80
access-list 101 permit udp any host 121.x.x.9 eq 443
access-list 101 deny tcp any any eq www
access-list 101 deny udp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny udp any any eq 443
access-list 101 deny tcp any any range ftp-data ftp
access-list 101 deny udp any any range 20 21
access-list 101 deny tcp any any eq smtp
access-list 101 deny udp any any eq 25
access-list 101 deny tcp any any range 989 990
access-list 101 deny udp any any range 989 990
access-list 101 deny tcp any any range 1050 1060
access-list 101 deny udp any any range 1050 1060
access-list 101 deny icmp any host 121.x.x.3 echo
access-list 101 deny icmp any host 121.x.x.4 echo
access-list 101 deny icmp any host 121.x.x.5 echo
access-list 101 deny icmp any host 121.x.x.6 echo
access-list 101 deny icmp any host 121.x.x.7 echo
access-list 101 deny icmp any host 121.x.x.8 echo
access-list 101 deny icmp any host 121.x.x.9 echo
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 137
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq 1025
access-list 101 deny udp any any eq 1025
access-list 101 deny tcp any any eq 1433
access-list 101 deny udp any any eq 1433
access-list 101 deny tcp any any eq 2745
access-list 101 deny udp any any eq 2745
access-list 101 deny tcp any any eq 5000
access-list 101 deny udp any any eq 5000
access-list 101 permit ip any any
access-list 103 deny 53 any any
access-list 103 deny 55 any any
access-list 103 deny 77 any any
access-list 103 deny pim any any
access-list 103 deny tcp any any eq 135
access-list 103 deny udp any any eq 135
access-list 103 deny tcp any any eq 139
access-list 103 deny udp any any eq netbios-ss
access-list 103 deny tcp any any eq 137
access-list 103 deny udp any any eq netbios-ns
access-list 103 deny tcp any any eq 445
access-list 103 deny udp any any eq 445
access-list 103 deny tcp any any eq 1025
access-list 103 deny udp any any eq 1025
access-list 103 deny tcp any any eq 1433
access-list 103 deny udp any any eq 1433
access-list 103 deny tcp any any eq 2745
access-list 103 deny udp any any eq 2745
access-list 103 deny tcp any any eq 5000
access-list 103 deny udp any any eq 5000
access-list 103 permit ip any any

end

Router#

access-list 101 permit udp any host 121.x.x.3 eq 443
access-list 101 permit udp any host 121.x.x.3 range 20 21
access-list 101 permit udp any host 121.x.x.3 eq 25
access-list 101 permit udp any host 121.x.x.4 eq 80
access-list 101 permit udp any host 121.x.x.4 eq 443

UDP? What runs on UDP 443, 21, 25 and 80?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
Nothing...thanks for pointing that out.

Anything else?
Take out anything that is not required! Only allow what is needed and then drop everything else. That's the most secure approach that you could go with.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
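The following is an added example, written for this page and not posted by anyone in the thread or taken from Cisco documentation. It rewrites ACL 101 (inbound on Serial0/0) and ACL 103 (inbound on FastEthernet0/0) the way Chris's advice and the UDP finding imply: permit only the published TCP services, let the LAN's own sessions return, and drop and log everything else instead of ending in "permit ip any any". It assumes, from the posted config, that the LAN behind Fa0/0 is 121.x.x.0/26 (the mask in the original anti-spoofing line), that the public servers are 121.x.x.3 through .9 offering exactly the TCP services the original permits show, that the x.x.x.x host allowed to ping them is a monitoring station, and that the two "ip name-server" addresses (written DNS1 and DNS2 below as placeholders) are also the resolvers the LAN hosts use.

```cisco
! Added example, not part of the original thread. Placeholders: DNS1 / DNS2
! are the two addresses from the "ip name-server" lines; x.x.x.x is the
! monitoring host from the original ICMP permits.
!
no access-list 101
!
! anti-spoofing: Internet traffic must not claim an inside or bogon source
access-list 101 deny   ip 121.x.x.0 0.0.0.63 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any
!
! published services, TCP only. HTTP, HTTPS, FTP, SMTP and SSH have no UDP
! side, so the original "permit udp ... eq 80/443/25, range 20 21" lines are
! simply gone. FTP control is port 21; active-mode data connections are
! opened outbound by the server and their replies match the established
! line further down, so inbound port 20 is not needed either.
access-list 101 permit tcp any host 121.x.x.3 eq www
access-list 101 permit tcp any host 121.x.x.3 eq 443
access-list 101 permit tcp any host 121.x.x.3 eq ftp
access-list 101 permit tcp any host 121.x.x.3 eq smtp
access-list 101 permit tcp any host 121.x.x.4 eq www
access-list 101 permit tcp any host 121.x.x.4 eq 443
access-list 101 permit tcp any host 121.x.x.5 eq www
access-list 101 permit tcp any host 121.x.x.5 eq 443
access-list 101 permit tcp any host 121.x.x.6 eq www
access-list 101 permit tcp any host 121.x.x.6 eq 443
access-list 101 permit tcp any host 121.x.x.8 eq www
access-list 101 permit tcp any host 121.x.x.8 eq 443
access-list 101 permit tcp any host 121.x.x.8 eq ftp
access-list 101 permit tcp any host 121.x.x.8 eq 22
access-list 101 permit tcp any host 121.x.x.9 eq www
access-list 101 permit tcp any host 121.x.x.9 eq 443
!
! replies to sessions the LAN opened ("all other hosts only reach Internet
! sites"): TCP return traffic by the ACK/RST check, DNS answers from the two
! configured resolvers only, and the ICMP types a client needs. "any" as the
! DNS destination also covers the router's own lookups on its serial address.
access-list 101 permit tcp any 121.x.x.0 0.0.0.63 established
access-list 101 permit udp host DNS1 eq domain any gt 1023
access-list 101 permit udp host DNS2 eq domain any gt 1023
access-list 101 permit icmp any 121.x.x.0 0.0.0.63 echo-reply
access-list 101 permit icmp any 121.x.x.0 0.0.0.63 packet-too-big
access-list 101 permit icmp any 121.x.x.0 0.0.0.63 time-exceeded
!
! the monitoring host may ping the servers; nobody else gets an echo through
access-list 101 permit icmp host x.x.x.x host 121.x.x.3 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.4 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.5 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.6 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.7 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.8 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.9 echo
!
! everything else is dropped and logged. The worm-port denies (135, 139,
! 445, 1433, ...) and the closing "permit ip any any" of the original are
! not needed: a whitelist has no use for a blacklist in front of it.
access-list 101 deny   ip any any log
!
no access-list 103
!
! egress from the LAN: only our own addresses may leave, only the mail
! server (.3) may talk SMTP to the Internet, and the Windows file-sharing
! ports never leave the site. Everything else the LAN wants is allowed.
access-list 103 permit tcp host 121.x.x.3 any eq smtp
access-list 103 deny   tcp 121.x.x.0 0.0.0.63 any eq smtp log
access-list 103 deny   tcp 121.x.x.0 0.0.0.63 any range 135 139
access-list 103 deny   udp 121.x.x.0 0.0.0.63 any range 135 139
access-list 103 deny   tcp 121.x.x.0 0.0.0.63 any eq 445
access-list 103 deny   udp 121.x.x.0 0.0.0.63 any eq 445
access-list 103 permit ip 121.x.x.0 0.0.0.63 any
access-list 103 deny   ip any any log
```

Two caveats before pasting this in. The "established" line is stateless: it only checks that the ACK or RST flag is set, so an ACK scan of the LAN still gets through to the hosts' TCP stacks; on an IOS image with the firewall feature set, reflexive ACLs or CBAC ("ip inspect") give a real state table and should replace that line. And because the list now ends in "deny ip any any log", any management traffic that used to reach the router itself from the serial side (telnet or SSH to 121.x.x.50) is blocked too; manage it from the LAN, or add an explicit permit for the management host only and lock the VTY lines down with an access-class. Passive-mode FTP clients will also need the servers' passive port range permitted to those two hosts, whatever range the FTP daemon is configured to use.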