Access-List Question

Status
Not open for further replies.

neutec

Technical User
Apr 26, 2003
Hello All,
I have been adding to the access-list on my Cisco 2514 router and was wondering, do I need to deny all ports and permit only what I want open? I noticed that after I added the access-list deny tcp any any eq 23, the telnet port is no longer found by a port scanner. I would like to do the same with all the ports that I don't use but wanted to know if I need to add a deny rule for each port?

Thanks
 
If you enable an access list on an interface, there is a deny all at the end. So I suggest you use permit for the ports you want to use and the rest will be automatically disabled unless you put permit any any at the end of the list.
 
I think I understand what you're saying. Maybe you can help me better my config. My router is using 12.2 with the firewall set. I currently am using NAT and running a mail and web server behind the router.
My first access-list is

access-list 7 permit 192.168.100.0 0.0.0.255
then I have another access-list
access-list 101 deny icmp any any
access-list 101 deny tcp any any telnet
access-list 101 permit ip any any

I would like to be able to hide all my ports from the outside but allow all traffic from the inside out and back in. I also am using nat static routes for my web and mail servers

ip nat inside source static tcp 192.168.100.2 80 66.215.146.180 80

Is there a better way I should be doing this?
Would you have some good samples of a firewall set I could use as well
 
Hi,

two things :

1) if you use deny icmp any any then you will sooner or later run into problems with your path-mtu-discovery; rather let a few icmp codes through and deny the rest of the icmp traffic. Here is an example of how:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded

2) use the word established in the acl for tcp traffic, that means that you'll send a tcp packet with syn flag and will wait for a tcp packet with the ack flag set as well (remember the three-way-handshake?)

for instance for web traffic from inside to outside

access-list permit tcp <inside subnet> any eq
and so on

cheers

mike
 
neutec,

rule of thumb: never permit any any, too dangerous. Permit only what you need.

 
Does anyone know of some good examples for using the firewall set? I would like to tighten my security on my network if possible. I have also attached my config. If you guys could give me your opinion on how to better the config I would appreciate it.
Thank You in advance

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Kellyemail
!
logging queue-limit 100
no logging console
enable secret 5 $1$s7f2$AUxCUzyty83uVTnf5mS1a0
!
ip subnet-zero
!
partition flash 2 8 8
!
!
!
!
interface Ethernet0
ip address 66.215.146.174 255.255.255.128
ip nat outside
!
interface Ethernet1
ip address 192.168.100.1 255.255.255.0
ip nat inside
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
ip nat pool mynatpool 66.215.146.174 66.215.146.174 netmask 255.255.255.128
ip nat inside source list 7 pool mynatpool overload
ip nat inside source static tcp 192.168.100.2 25 66.215.146.174 25 extendable
ip nat inside source static tcp 192.168.100.2 80 66.215.146.174 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 66.215.146.129
no ip http server
!
access-list 7 permit 192.168.100.0 0.0.0.255
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password *******
login
!
end
 
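An added sample (not from this thread, not Cisco's own documentation) that applies the advice given above to the posted config: ACL 101 inbound on Ethernet0 using established, the three ICMP types and only the two published ports, with everything else falling to the implicit deny. The addresses come from the config above; the name LANOUT, the optional log keyword, and the assumption that the IOS Firewall (CBAC, ip inspect) feature set is actually installed on this 12.2 image are mine.

```cisco
! Added sample, not from the thread. Addresses come from the posted config.
! Extended ACL applied inbound on the outside interface (Ethernet0).
! Inbound packets hit the ACL before NAT un-translates them, so the
! destination to match is the global address, not 192.168.100.2.
! First match wins; anything unmatched hits the implicit deny at the end,
! so no "permit ip any any" is added.
!
! Return traffic for TCP sessions the LAN opened (ACK or RST bit set).
access-list 101 permit tcp any host 66.215.146.174 established
!
! Only the two published services (static NAT to 192.168.100.2).
access-list 101 permit tcp any host 66.215.146.174 eq 25
access-list 101 permit tcp any host 66.215.146.174 eq 80
!
! ICMP needed for path MTU discovery and for ping/traceroute replies;
! every other ICMP type falls through to the implicit deny.
access-list 101 permit icmp any host 66.215.146.174 echo-reply
access-list 101 permit icmp any host 66.215.146.174 unreachable
access-list 101 permit icmp any host 66.215.146.174 time-exceeded
!
! Optional explicit deny so dropped packets appear in "show logging"
! (assumed addition; the implicit deny drops silently).
access-list 101 deny ip any any log
!
! "established" covers TCP only. For UDP answers (e.g. DNS) to the LAN's
! outbound traffic, let the IOS Firewall feature set (CBAC) track sessions
! started from the inside and open the return path in ACL 101 dynamically.
! Assumes the firewall feature set is installed; LANOUT is an assumed name.
ip inspect name LANOUT tcp
ip inspect name LANOUT udp
!
interface Ethernet1
 ip inspect LANOUT in
!
interface Ethernet0
 ip access-group 101 in
```

Check the result from outside with a port scan as the original post did: only 25 and 80 should answer, and "show ip inspect sessions" shows the return paths CBAC has opened for LAN-initiated traffic.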