
CISCO ACCESS LIST


melopq (IS-IT--Management), Jan 18, 2005
I have the following problem. I enabled PAT on my router and put access-list 102 out on my outside interface:
! httpd to web server(s) only
no acc 102
acc 102 permit tcp any any established
acc 102 permit tcp any any syn
acc 102 permit tcp any any eq 80
acc 102 permit udp any any eq 80
acc 102 permit tcp any any eq 81
acc 102 permit udp any any eq 81

! httpd to web server(s) only
acc 102 permit tcp any any eq 8080
acc 102 permit udp any any eq 8080

! httpd to web server(s) only
acc 102 permit tcp any any eq 25
acc 102 permit udp any any eq 25

! httpd to web server(s) only
acc 102 permit tcp any any eq 20
acc 102 permit udp any any eq 20

! httpd to web server(s) only
acc 102 permit tcp any any eq 21
acc 102 permit udp any any eq 21


! httpd to web server(s) only
acc 102 permit tcp any any eq 110
acc 102 permit udp any any eq 110

! httpd to web server(s) only
acc 102 permit tcp any any eq 60021
acc 102 permit udp any any eq 60021

! httpd to web server(s) only
acc 102 permit tcp any any eq 4899
acc 102 permit udp any any eq 4899

! httpd to web server(s) only
acc 102 permit tcp any any eq 5050
acc 102 permit udp any any eq 5050

! httpd to web server(s) only
acc 102 permit tcp any any eq 5190
acc 102 permit udp any any eq 5190

! httpd to web server(s) only
acc 102 permit tcp any any eq 5191
acc 102 permit udp any any eq 5191
! httpd to web server(s) only
acc 102 permit tcp any any eq 5192
acc 102 permit udp any any eq 5192
! httpd to web server(s) only
acc 102 permit tcp any any eq 5193
acc 102 permit udp any any eq 5193
! httpd to web server(s) only
acc 102 permit tcp any any eq 5194
acc 102 permit udp any any eq 5194

! httpd to web server(s) only
acc 102 permit tcp any any eq 443
acc 102 permit udp any any eq 443

! httpd to web server(s) only
acc 102 permit tcp any any eq 8443
acc 102 permit udp any any eq 8443
! httpd to web server(s) only
acc 102 permit tcp any any eq 65530
acc 102 permit udp any any eq 65530

acc 102 permit tcp any any eq 65531
acc 102 permit udp any any eq 65531

acc 102 permit tcp any any eq 65532
acc 102 permit udp any any eq 65532
acc 102 permit tcp any any eq 65533
acc 102 permit udp any any eq 65533
acc 102 permit tcp any any eq 65534
acc 102 permit udp any any eq 65534

acc 102 permit tcp any any eq 3389
acc 102 permit udp any any eq 3389

acc 102 permit tcp any any eq 993
acc 102 permit udp any any eq 993

acc 102 permit tcp any any eq 143
acc 102 permit udp any any eq 143

acc 102 permit tcp any any eq 53
acc 102 permit udp any any eq 53
acc 102 permit tcp any any eq 8080
acc 102 permit udp any any eq 8080
acc 102 permit icmp any any

and access-list 101 in:

no acc 101
! allow any established
acc 101 permit tcp any any established
acc 101 permit tcp any any syn

! filter incoming with your source address
acc 101 deny ip xxxxxx 0 0.0.0.252 0.0.0.0 255.255.255.255
!this blocks incoming packets with RFC reserved internal addresses as a source address and also some basic global filters:
! block incoming with an internal source address
acc 101 permit ip 192.168.0.0 0.0.0.255 80.86.127.106 255.255.255.252

! incoming with 127. source address

acc 101 deny ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255
! incoming with 127. source address

acc 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255

! incoming with reserved address
acc 101 deny ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
acc 101 deny ip 172.16.0.0 0.15.255.255 0.0.0.0 255.255.255.255
acc 101 deny ip 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255

! block any incoming to broadcast or network address to prevent ping amplifying
! I can do this since I'm a class C
acc 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.255 255.255.255.0
acc 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.0


! Time service
acc 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 37

! tacacs
acc 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 49

! Bootp
acc 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
! tftp
acc 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 69
! gopher
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 70
! finger to finger server only
! httpd to web server(s) only
acc 101 permit tcp 0.0.0.0 255.255.255.255 80.86.105.3 0.0.0.0 eq 80
acc 101 permit udp 0.0.0.0 255.255.255.255 80.86.105.3 0.0.0.0 eq 80
! link
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 87

! pop3d (right now pop email is only through dialup)
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 110
! rpc
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 111
acc 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 111
! nntp
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 119
! ntp
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123
acc 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123
! NeWS
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 144
! snmp
acc 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 161
! snmp (traps)
acc 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 162
! bgp
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 179
! irc
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 194
! listserv (until needed)
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 372
! other r commands
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 512
! rlogin
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 513
! rexec
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 514
! lpd
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 515
! talk
acc 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 517
acc 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 517
! routed (no one should be getting routing info from me)
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 520
! uucp
acc 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 540
! outbound ssh needs port 1022 or 1023
acc 101 permit tcp 0.0.0.0 255.255.255.255 clients.need.ing.ssh 0.0.0.0 eq 1022
acc 101 permit tcp 0.0.0.0 255.255.255.255 clients.need.ing.ssh 0.0.0.0 eq 1023
! icmp
acc 101 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

I know there is an implicit deny on the access-list. Using these access-lists the network works badly; if I drop access-list 101 it works fine (I mean from the LAN). So what should I do?
10q
 
What kind of router do you have? It better be a pretty powerful one. These access-lists will bring most routers to their knees. It requires a substantial amount of processing to do what you are attempting to do. I would suggest that you get a PIX firewall. The PIX firewall is designed for this type of packet inspection/filtering.


It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
So if I put up a PIX I'll be able to permit all traffic in???
 
You wouldn't want to permit all traffic in! You would only permit what is required.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
No, the idea was: on the router, what kind of access-list would I have, or should the firewall go between my ISP and the router? Of course on the firewall I would filter traffic.
 
You need to allow UDP packets greater than 1024 past your router. You are not allowing UDP responses back through right now. Do a show ip access-list and post it here.
But overall, for what it appears you are trying to do, you want a FW.
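As an added example (not code from the thread, from the poster, or from Cisco), the following Python models the diagnosis in this reply and the symptom in the original post: a first-match evaluator for the subset of IOS extended-ACL syntax used above, run against a constructed, cut-down version of the poster's inbound list 101 and a few constructed packets. The addresses are assumptions: 203.0.113.5 stands in for the router's PAT address and 198.51.100.0/24 for outside hosts; 80.86.105.3 is the web server from the posted list. It shows a DNS reply to a PAT'ed LAN host hitting the implicit deny, the same packet passing once "permit udp any any gt 1023" is appended, and the cost of that line: an unsolicited UDP datagram to any high port now passes too, which is the stateless-ACL limit behind the "you want a firewall" advice (a stateful firewall, or IOS reflexive ACLs, opens the return path per outbound flow instead).

```python
"""Minimal first-match evaluator for Cisco IOS numbered extended ACLs (subset).

Supported: permit/deny; ip/tcp/udp/icmp; 'any', 'host A', 'A WILDCARD' address
specs; a destination-port operator (eq/gt/lt/range); the 'established' keyword.
This is an illustrative model, not IOS itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]       # (network, wildcard) as integers
    dst: Tuple[int, int]
    port_op: Optional[str] = None
    ports: Tuple[int, ...] = ()
    established: bool = False


def _addr_spec(tokens, i):
    """Consume one address spec at tokens[i]; return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wc), i + 2


def parse_ace(line):
    t = line.split()
    if t[0].startswith("acc"):       # drop "access-list 101" / abbreviated "acc 101"
        t = t[2:]
    action, proto = t[0], t[1]
    src, i = _addr_spec(t, 2)
    dst, i = _addr_spec(t, i)
    ace = Ace(action, proto, src, dst)
    while i < len(t):
        if t[i] in ("eq", "gt", "lt"):
            ace.port_op, ace.ports = t[i], (int(t[i + 1]),)
            i += 2
        elif t[i] == "range":
            ace.port_op, ace.ports = "range", (int(t[i + 1]), int(t[i + 2]))
            i += 3
        elif t[i] == "established":
            ace.established = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
    return ace


def _in_range(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are don't-care."""
    net, wc = spec
    return (int(ipaddress.IPv4Address(addr)) | wc) == (net | wc)


def _port_ok(ace, port):
    if ace.port_op is None:
        return True
    if ace.port_op == "eq":
        return port == ace.ports[0]
    if ace.port_op == "gt":
        return port > ace.ports[0]
    if ace.port_op == "lt":
        return port < ace.ports[0]
    lo, hi = ace.ports
    return lo <= port <= hi


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in_range(pkt.src, ace.src) and _in_range(pkt.dst, ace.dst)):
        return False
    if ace.established and not pkt.established:
        return False
    return _port_ok(ace, pkt.dport)


def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line).action, line
    return "deny", "implicit deny"


# Constructed cut-down version of the thread's inbound list 101 (same logic, fewer lines).
ACL_101_AS_POSTED = [
    "access-list 101 permit tcp any any established",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 deny udp any any eq 69",
    "access-list 101 deny udp any any eq 161",
    "access-list 101 permit tcp any host 80.86.105.3 eq 80",
    "access-list 101 permit icmp any any",
]
# The reply's fix: let UDP replies to high (ephemeral) ports back in through PAT.
ACL_101_FIXED = ACL_101_AS_POSTED + ["access-list 101 permit udp any any gt 1023"]

# Constructed packets arriving inbound on the outside interface (203.0.113.5 = PAT address).
DNS_REPLY = Packet("udp", "198.51.100.53", "203.0.113.5", sport=53, dport=1045)
HTTP_REPLY = Packet("tcp", "198.51.100.80", "203.0.113.5", sport=80, dport=1046, established=True)
TFTP_PROBE = Packet("udp", "198.51.100.9", "203.0.113.5", sport=2000, dport=69)
UNSOLICITED_UDP_HIGH = Packet("udp", "198.51.100.9", "203.0.113.5", sport=2000, dport=3389)

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_101_AS_POSTED), ("with gt 1023", ACL_101_FIXED)):
        for label, pkt in (("DNS reply", DNS_REPLY), ("HTTP reply", HTTP_REPLY),
                           ("TFTP probe", TFTP_PROBE), ("UDP to 3389", UNSOLICITED_UDP_HIGH)):
            print(f"{name:13} {label:12} -> {evaluate(acl, pkt)}")
```

The model ignores source-port operators and the non-standard "syn" keyword in the posted lists, so it reproduces only the return-traffic behaviour the reply is talking about; the last packet shows why the fix is a trade-off rather than a complete answer.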
 