GeneralDzur
Technical User
We're about to apply this ACL to our internet-facing e1/0 port on our router. Can any of you super-brains comment on it? I've tried to organize it with the busiest ports at the beginning to reduce proc time.
If I wanted to block certain IPs, would I put those at the beginning of the ACL? For instance, I put the ICMP (ping) blocking near the end of the ACL. Is that a good idea?
If you see anything that wouldn't work, or could be organized differently, please tell me. We're basically blocking EVERYTHING coming into the network except for certain traffic.
- stephan
ip access-list extended 102
 remark return traffic for connections opened from inside
 permit tcp any 192.168.7.0 0.0.0.255 established
 remark spoofed internal IPs
 deny ip 192.168.7.0 0.0.0.255 any
 remark real.com games download
 deny ip host 207.188.7.200 any
 remark http
 permit tcp any any eq 80
 permit udp any any eq 80
 remark HTTPS
 permit tcp any any eq 443
 permit udp any any eq 443
 remark POP3s
 permit tcp any any eq 995
 permit udp any any eq 995
 remark RTSP (real time stream control protocol)
 permit tcp any any eq 554
 permit udp any any eq 554
 remark TCP_apps: 1734 unknown, 1863 MSNP, 1755 ms-streaming
 permit tcp any any eq 1734
 permit tcp any any eq 1863
 permit tcp any any eq 1755
 remark UDP_apps: unknown yet
 remark Domain Name server
 permit tcp any any eq 53
 permit udp any any eq 53
 remark codaauth2 (established applies to tcp only, so udp cannot carry it)
 permit udp any any eq 370
 remark pop3
 permit tcp any any eq 110
 permit udp any any eq 110
 remark HTTP-proxy
 permit tcp any any eq 3128
 permit udp any any eq 3128
 remark SMTP
 permit tcp any any eq 25
 permit udp any any eq 25
 remark ICMP: replies and errors only, everything else (ping) blocked
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny icmp any any
 remark Orbix locator established connection
 permit tcp any any eq 3075 established
 remark FTP control
 permit tcp any any range 20 21
 remark FTP data
 permit udp any any eq 20
 remark NetMeeting ports: 522 user location service, 1503 t.120,
 remark 1720 H.323 call setup/teardown, 1731 audio call control, 5004-5005 RTP
 permit tcp any any eq 522
 permit tcp any any eq 1503
 permit tcp any any eq 1720
 permit tcp any any eq 1731
 permit udp any any range 5004 5005
 remark www on alternate ports
 permit tcp any any range 8000 8003
 permit tcp any any eq 8080
 remark IMAP
 permit tcp any any eq 143
 permit udp any any eq 143
 remark IRC
 permit tcp any any eq 194
 permit udp any any eq 194
 remark RSVP Tunnel
 permit tcp any any eq 363
 permit udp any any eq 363
 remark Internet Locator Service
 permit tcp any any eq 389
 remark sql-server
 permit tcp any any eq 2393
 remark ms-sql-m
 permit tcp any any eq 1434
 permit udp any any eq 1434
 remark network media streaming protocol
 permit tcp any any eq 537
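As an added illustration of the ordering question in the post (example code, not part of the post and not the poster's configuration): a small Python first-match evaluator for the entry syntax used above. The ACL excerpt, the sample packets and the helper names (`parse_acl`, `evaluate`, `reorder_denies_first`, `demo`) are constructed for this example. It shows that order only matters between entries that can match the same packet: with the `established` permit above the anti-spoofing deny, an inbound packet carrying a forged internal source address and the ACK bit set is permitted by the first entry, whereas moving the address denies to the top denies it. The ICMP deny near the end still catches an echo request because no earlier entry matches ICMP at all, and anything nothing matches falls to the implicit deny at the end of the list.

```python
# First-match evaluator for Cisco-style extended ACL entries (added example).
# Models an inbound ACL walked top to bottom, stopping at the first match.
# Constructed inputs only; non-contiguous wildcard masks and TCP flags other
# than 'established' (ACK or RST set) are not modelled.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                       # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp
    ack: bool = False                # ACK or RST set: what 'established' tests
    icmp_type: Optional[str] = None  # e.g. 'echo', 'echo-reply'


@dataclass
class Entry:
    action: str
    proto: str                       # 'ip' matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]
    established: bool
    icmp_type: Optional[str]
    text: str


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    addr, wild = t[i], t[i + 1]
    if wild == "0.0.0.0":            # ambiguous to ipaddress; IOS means a single host
        return ipaddress.ip_network(addr + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) instead of a prefix length;
    # strict=False normalises '192.168.7.1 0.0.0.255' to 192.168.7.0/24.
    return ipaddress.ip_network(f"{addr}/{wild}", strict=False), i + 2


def parse_entry(line: str) -> Entry:
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    ports, established, icmp_type = None, False, None
    while i < len(t):
        if t[i] == "eq":
            ports, i = (int(t[i + 1]), int(t[i + 1])), i + 2
        elif t[i] == "range":
            ports, i = (int(t[i + 1]), int(t[i + 2])), i + 3
        elif t[i] == "established":
            if proto != "tcp":
                raise ValueError(f"'established' is only valid for tcp: {line}")
            established, i = True, i + 1
        elif proto == "icmp":
            icmp_type, i = t[i], i + 1
        else:
            raise ValueError(f"unexpected token {t[i]!r} in: {line}")
    return Entry(action, proto, src, dst, ports, established, icmp_type, line)


def parse_acl(text: str) -> List[Entry]:
    """Blank lines and 'remark' lines are skipped, as the router does."""
    lines = [l.strip() for l in text.splitlines()]
    return [parse_entry(l) for l in lines if l and not l.startswith("remark")]


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.ports is not None and (p.dport is None or not e.ports[0] <= p.dport <= e.ports[1]):
        return False
    if e.established and not p.ack:
        return False
    return e.icmp_type is None or e.icmp_type == p.icmp_type


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number); ('deny', None) is the implicit deny."""
    for n, e in enumerate(acl, 1):
        if matches(e, p):
            return e.action, n
    return "deny", None


def reorder_denies_first(acl: List[Entry]) -> List[Entry]:
    """Move the source-address denies (proto ip) ahead of every permit."""
    addr_denies = [e for e in acl if e.action == "deny" and e.proto == "ip"]
    return addr_denies + [e for e in acl if e not in addr_denies]


# Constructed excerpt in the post's order: the 'established' permit sits above
# the anti-spoofing deny.
ACL_AS_POSTED = """
permit tcp any 192.168.7.0 0.0.0.255 established
deny ip 192.168.7.0 0.0.0.255 any
deny ip host 207.188.7.200 any
permit tcp any any eq 80
permit udp any any eq 53
permit icmp any any echo-reply
deny icmp any any
permit tcp any any eq 25
"""


def demo() -> dict:
    posted = parse_acl(ACL_AS_POSTED)
    denies_first = reorder_denies_first(posted)
    spoofed_ack = Packet("tcp", "192.168.7.50", "192.168.7.10", dport=445, ack=True)
    ping = Packet("icmp", "198.51.100.7", "192.168.7.10", icmp_type="echo")
    mail = Packet("tcp", "198.51.100.7", "192.168.7.10", dport=25)
    telnet = Packet("tcp", "198.51.100.7", "192.168.7.10", dport=23)
    return {
        "spoofed_ack_as_posted": evaluate(posted, spoofed_ack),     # ('permit', 1)
        "spoofed_ack_denies_first": evaluate(denies_first, spoofed_ack),  # ('deny', 1)
        "ping": evaluate(posted, ping),                             # ('deny', 7)
        "mail": evaluate(posted, mail),                             # ('permit', 8)
        "telnet": evaluate(posted, telnet),                         # ('deny', None)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} -> {result}")
```

The entry number returned by `evaluate` is the one `show access-lists` would count hits against, which makes the simulator handy for checking where a given flow lands before the list goes on e1/0. Placing a deny "near the end" is harmless for correctness as long as no earlier entry can match the same traffic; it only costs a few extra comparisons per packet.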