cisco - ACL - security
  • cisco - ACL - security

    I configured a router with 2 Ethernet interfaces; one will have a public IP and the other will have a private IP.
    I've done the NAT; I've added the following extended ACLs and applied them to the interface with the public IP (ip access-group 100 in):

    access-list 1 permit 192.168.20.0 0.0.0.255 (for NAT)

    access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 100 deny ip any host 127.0.0.1 log
    access-list 100 deny ip 192.168.20.0 0.0.0.255 any log
    access-list 100 deny tcp any any range 60000 60020 log
    access-list 100 deny tcp any any eq 22222 log
    access-list 100 deny udp any any eq snmp log
    access-list 100 permit ip any any

    Everything is working fine, but I need to know what more security (ports etc.) can be added to the router (Cisco 1700, ver 12.4) with ACLs!

    I appreciate your help.

  • #2
    Re: cisco - ACL - security

    Why not work the other way around?
    Allow only the ports which are needed and deny the rest of the ports.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: cisco - ACL - security

      I'd appreciate it if you could give an example; I'm a novice.
      Also, I'm a bit confused about which device the access list should be assigned to.
      Thanks



      • #4
        Re: cisco - ACL - security

        Just an example:

        !--- Allow SMTP from the 10.0.0.0/8 subnet (IOS needs the "eq" keyword before a port number)
        access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 25 log
        !--- Allow http traffic from the 172.16.0.0 - 172.31.255.255 subnet (wildcard 0.15.255.255)
        access-list 100 permit tcp 172.16.0.0 0.15.255.255 any eq 80 log
        !--- Deny all other traffic (this is also what the implicit deny at the end of every ACL does; writing it out lets you add "log")
        access-list 100 deny ip any any
        Marcel

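To make the difference between the original "deny what I know is bad, permit everything else" list and Marcel's "permit what is needed, deny the rest" list concrete, here is an added example (not code from the thread or from Cisco): a small Python evaluator for Cisco-style extended ACL lines. It parses the two ACLs posted above, applies them to a few constructed sample packets with first-match semantics plus the implicit deny at the end of every ACL, and also reports entries that can never be reached because an earlier entry already covers them (the original list's `192.168.20.0 0.0.0.255` entry is one, since `192.168.0.0 0.0.255.255` precedes it). The packet addresses are documentation ranges chosen for the example, not real hosts.

```python
"""Added example: evaluate Cisco-style extended ACLs against sample packets."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
# IOS accepts a few well-known port names in place of numbers after "eq".
PORT_NAMES = {"smtp": 25, "www": 80, "snmp": 161, "telnet": 23}


@dataclass
class Ace:
    action: str                             # "permit" or "deny"
    proto: str                              # "ip", "tcp" or "udp"
    src: int                                # source base address
    src_wc: int                             # wildcard: a 1 bit means "don't care"
    dst: int
    dst_wc: int
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range, None = any


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def _addr(tok: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host X' or 'X WILDCARD' from the front of the token list."""
    t = tok.pop(0)
    if t == "any":
        return 0, MASK32
    if t == "host":
        return _ip(tok.pop(0)), 0
    return _ip(t), _ip(tok.pop(0))


def parse_ace(line: str) -> Ace:
    """Parse: access-list N permit|deny PROTO SRC DST [eq PORT | range LO HI] [log]."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] not in ("ip", "tcp", "udp"):
        raise ValueError("only extended IP ACL lines are supported: " + line)
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, src_wc = _addr(rest)
    dst, dst_wc = _addr(rest)
    ports = None
    if rest and rest[0] == "eq":
        p = int(PORT_NAMES.get(rest[1], rest[1]))
        ports = (p, p)
    elif rest and rest[0] == "range":
        ports = (int(rest[1]), int(rest[2]))
    return Ace(action, proto, src, src_wc, dst, dst_wc, ports)


def parse_acl(text: str) -> List[Ace]:
    """Parse every access-list line in a config fragment; '!' comments and blanks are skipped."""
    return [parse_ace(ln) for ln in text.splitlines() if ln.strip().startswith("access-list")]


def _in_range(addr: int, base: int, wc: int) -> bool:
    return (addr & ~wc & MASK32) == (base & ~wc & MASK32)


def matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not _in_range(_ip(pkt["src"]), ace.src, ace.src_wc):
        return False
    if not _in_range(_ip(pkt["dst"]), ace.dst, ace.dst_wc):
        return False
    return ace.ports is None or ace.ports[0] <= pkt["dport"] <= ace.ports[1]


def evaluate(acl: List[Ace], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match means the implicit deny (index None)."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", None


def _covers(outer: Ace, inner: Ace) -> bool:
    """True if every packet that matches `inner` would already have matched `outer`."""
    if outer.proto != "ip" and outer.proto != inner.proto:
        return False
    for b_o, w_o, b_i, w_i in ((outer.src, outer.src_wc, inner.src, inner.src_wc),
                               (outer.dst, outer.dst_wc, inner.dst, inner.dst_wc)):
        if (w_i & ~w_o & MASK32) != 0 or not _in_range(b_i, b_o, w_o):
            return False
    if outer.ports is None:
        return True
    return inner.ports is not None and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1]


def shadowed(acl: List[Ace]) -> List[Tuple[int, int]]:
    """(entry, earlier entry) pairs where the entry can never be reached."""
    return [(i, j) for i, ace in enumerate(acl)
            for j in range(i) if _covers(acl[j], ace)][:len(acl)]


# The two ACLs from the thread; Marcel's lines with the "eq" keyword IOS requires.
BLACKLIST = parse_acl("""
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip any host 127.0.0.1 log
access-list 100 deny ip 192.168.20.0 0.0.0.255 any log
access-list 100 deny tcp any any range 60000 60020 log
access-list 100 deny tcp any any eq 22222 log
access-list 100 deny udp any any eq snmp log
access-list 100 permit ip any any
""")
WHITELIST = parse_acl("""
access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 25 log
access-list 100 permit tcp 172.16.0.0 0.15.255.255 any eq 80 log
access-list 100 deny ip any any
""")

# Constructed sample packets arriving inbound on the public interface (documentation addresses).
PACKETS = {
    "telnet_from_internet": {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.1", "dport": 23},
    "spoofed_private_src":  {"proto": "tcp", "src": "192.168.20.7", "dst": "198.51.100.1", "dport": 80},
    "snmp_probe":           {"proto": "udp", "src": "203.0.113.5", "dst": "198.51.100.1", "dport": 161},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:22} blacklist={evaluate(BLACKLIST, pkt)}  whitelist={evaluate(WHITELIST, pkt)}")
    print("unreachable entries in blacklist:", shadowed(BLACKLIST))
```

Run as-is it shows the point of the reply above: the telnet probe from the internet reaches the final `permit ip any any` of the original list (entry 8) but stops at the explicit `deny ip any any` of the whitelist (entry 2), and evaluating the whitelist without its last line ends in the implicit deny (index `None`), which is the same result minus the `log`. The shadow check returns `[(4, 2)]` for the original list: entry 4 is never consulted because entry 2 already denies the whole 192.168.0.0/16 block.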