Securing Network with Router ACL

Status
Not open for further replies.

vzrogers

MIS
Sep 12, 2005
11
US
Hello,

We are a small company with a managed Cisco Router. We do not have the budget to add a Firewall just yet, and I'd like to instruct my ISP to modify the Router's Access-list to block potentially harmful traffic in the interim, basically to act as a firewall.

I need this T1 for 2 reasons: 1 is to allow employees to access the internet, and 2 is to host some web sites and ftp servers. Everything else I would want blocked to safeguard the network.

I do not know enough to be able to tell if my ISP has configured the router in a way where my network is protected, or what to ask of them to improve this if possible.

Here is the existing router config (please note I have blocked out some IP addresses or portions of IP addresses using "x"'s):

Router#sh run
Building configuration...

Current configuration : 10092 bytes
!

!
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime

!
hostname Router
!
logging queue-limit 100
logging buffered 4096 debugging

ip subnet-zero
no ip source-route
!
!
ip name-server x.x.x.X
ip name-server x.x.x.x
!
no ip bootp server
!
!
!
!
interface FastEthernet0/0
description connection to Customer LAN
ip address 121.x.x.1 255.x.x.x
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
speed auto
no cdp enable
!
interface Serial0/0
description connection to Location1
bandwidth 1536
ip address 121.x.x.50 255.255.x.x
ip access-group 101 in
encapsulation ppp
no fair-queue
service-module t1 remote-alarm-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
!

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 deny ip 121.x.x.0 0.0.0.63 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit icmp host x.x.x.x host 121.x.x.3 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.4 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.5 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.6 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.7 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.8 echo
access-list 101 permit icmp host x.x.x.x host 12.x.x.9 echo
access-list 101 permit tcp any host 121.x.x.3 eq www
access-list 101 permit tcp any host 121.x.x.3 eq 443
access-list 101 permit tcp any host 121.x.x.3 range ftp-data ftp
access-list 101 permit tcp any host 121.x.x.3 eq smtp
access-list 101 permit udp any host 121.x.x.3 eq 80
access-list 101 permit udp any host 121.x.x.3 eq 443
access-list 101 permit udp any host 121.x.x.3 range 20 21
access-list 101 permit udp any host 121.x.x.3 eq 25
access-list 101 permit udp any host 121.x.x.4 eq 80
access-list 101 permit udp any host 121.x.x.4 eq 443
access-list 101 permit tcp any host 121.x.x.4 eq www
access-list 101 permit tcp any host 121.x.x.4 eq 443
access-list 101 permit tcp any host 121.x.x.5 eq www
access-list 101 permit tcp any host 121.x.x.5 eq 443
access-list 101 permit udp any host 121.x.x.5 eq 80
access-list 101 permit udp any host 121.x.x.5 eq 443
access-list 101 permit tcp any host 121.x.x.6 eq www
access-list 101 permit tcp any host 121.x.x.6 eq 443
access-list 101 permit udp any host 121.x.x.6 eq 80
access-list 101 permit udp any host 121.x.x.6 eq 443
access-list 101 permit tcp any host 121.x.x.8 eq www
access-list 101 permit tcp any host 121.x.x.8 eq 443
access-list 101 permit tcp any host 121.x.x.8 range ftp-data 22
access-list 101 permit udp any host 121.x.x.8 eq 80
access-list 101 permit udp any host 121.x.x.8 eq 443
access-list 101 permit udp any host 121.x.x.8 range 20 22
access-list 101 permit tcp any host 121.x.x.9 eq www
access-list 101 permit tcp any host 121.x.x.9 eq 443
access-list 101 permit udp any host 121.x.x.9 eq 80
access-list 101 permit udp any host 121.x.x.9 eq 443
access-list 101 deny tcp any any eq www
access-list 101 deny udp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny udp any any eq 443
access-list 101 deny tcp any any range ftp-data ftp
access-list 101 deny udp any any range 20 21
access-list 101 deny tcp any any eq smtp
access-list 101 deny udp any any eq 25
access-list 101 deny tcp any any range 989 990
access-list 101 deny udp any any range 989 990
access-list 101 deny tcp any any range 1050 1060
access-list 101 deny udp any any range 1050 1060
access-list 101 deny icmp any host 121.x.x.3 echo
access-list 101 deny icmp any host 121.x.x.4 echo
access-list 101 deny icmp any host 121.x.x.5 echo
access-list 101 deny icmp any host 121.x.x.6 echo
access-list 101 deny icmp any host 121.x.x.7 echo
access-list 101 deny icmp any host 121.x.x.8 echo
access-list 101 deny icmp any host 121.x.x.9 echo
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 137
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq 1025
access-list 101 deny udp any any eq 1025
access-list 101 deny tcp any any eq 1433
access-list 101 deny udp any any eq 1433
access-list 101 deny tcp any any eq 2745
access-list 101 deny udp any any eq 2745
access-list 101 deny tcp any any eq 5000
access-list 101 deny udp any any eq 5000
access-list 101 permit ip any any
access-list 103 deny 53 any any
access-list 103 deny 55 any any
access-list 103 deny 77 any any
access-list 103 deny pim any any
access-list 103 deny tcp any any eq 135
access-list 103 deny udp any any eq 135
access-list 103 deny tcp any any eq 139
access-list 103 deny udp any any eq netbios-ss
access-list 103 deny tcp any any eq 137
access-list 103 deny udp any any eq netbios-ns
access-list 103 deny tcp any any eq 445
access-list 103 deny udp any any eq 445
access-list 103 deny tcp any any eq 1025
access-list 103 deny udp any any eq 1025
access-list 103 deny tcp any any eq 1433
access-list 103 deny udp any any eq 1433
access-list 103 deny tcp any any eq 2745
access-list 103 deny udp any any eq 2745
access-list 103 deny tcp any any eq 5000
access-list 103 deny udp any any eq 5000
access-list 103 permit ip any any

end

Router#
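The question turns on what the posted access-list 101 actually blocks. The following Python evaluator is an added example, not code from the post or from Tek-Tips: it parses a constructed subset of that list in the same IOS syntax (wildcard masks, "host", "eq"/"range" with port keywords, a trailing "log") and applies first-match semantics with the implicit deny at the end, so the rules can be checked against sample packets offline. The addresses 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges standing in for the redacted 121.x.x.x block and an arbitrary Internet host.

```python
import ipaddress
# IOS port keywords used in the posted access-list 101.
PORT_NAMES = {"www": 80, "ftp-data": 20, "ftp": 21, "smtp": 25, "netbios-ns": 137, "netbios-ss": 139}

def _addr(tok, i):
    """Parse one address clause ('any', 'host A' or 'A WILDCARD') starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = ~int(ipaddress.ip_address(tok[i + 1])) & 0xFFFFFFFF  # IOS wildcard -> netmask
    return ipaddress.ip_network((tok[i], str(ipaddress.ip_address(mask))), strict=False), i + 2

def _ports(tok, i):
    """Parse an optional 'eq P' / 'range P Q' clause into an inclusive (lo, hi)."""
    if i < len(tok) and tok[i] in ("eq", "range"):
        names = tok[i + 1:i + 3] if tok[i] == "range" else tok[i + 1:i + 2] * 2
        return tuple(PORT_NAMES.get(p) or int(p) for p in names)
    return 0, 65535  # no port clause (or only a trailing 'log'): any port

def parse_rule(line):
    """'access-list N permit|deny PROTO SRC DST [eq P|range P Q] [log]' -> rule dict."""
    tok = line.split()
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "ports": _ports(tok, i), "text": line}

def evaluate(rules, proto, src, dst, dport=0):
    """First match wins; a list that matches nothing ends in IOS's implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in r["src"] or ipaddress.ip_address(dst) not in r["dst"]:
            continue
        if proto in ("tcp", "udp") and not r["ports"][0] <= dport <= r["ports"][1]:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"

# Constructed subset of the posted list: 192.0.2.0/24 stands in for the redacted
# 121.x.x.x block and 192.0.2.3 for the web/ftp server (documentation addresses).
POSTED_ACL = [parse_rule(l) for l in """
access-list 101 deny ip 192.0.2.0 0.0.0.63 any log
access-list 101 permit tcp any host 192.0.2.3 eq www
access-list 101 permit tcp any host 192.0.2.3 range ftp-data ftp
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
""".splitlines() if l.strip()]
# Same rules ending in an explicit deny instead: services not listed are then blocked.
WHITELIST_ACL = POSTED_ACL[:-1] + [parse_rule("access-list 101 deny ip any any log")]
```

Because the posted list ends in "permit ip any any", inbound traffic to any port it does not explicitly deny reaches the LAN; replacing that final line with a logged deny (as WHITELIST_ACL does) gives the "everything else blocked" behaviour the post asks for, with the permits above it carrying the allowed services.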