Inbound Internet Access ACL

[jalee]

Hello All,

Does anyone have any best practices for an ACL for inbound internet access?


Also, one general question if you were to do the ACL as the first line:

access-list xxx permit ip any any

is it correct to assume any deny statements following that ACL would not matter because ACL's run on first hit (not best fit)??

Thanks for the help,

Jason Lee

 

[kbing]

There is an implicite deny any any after all lines of ACLs...but if you plan to use "access-list xxx permit ip any any" like you have there for internet access...that will open you up completely.

You won't want to do that unless you want to be allowing Internet access to your network.

 

[jalee]

What if I went more along these lines:

permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
permit tcp any any eq 22 log
permit tcp any any eq smtp
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
permit 41 any any
deny ip any any log

Do you have any other suggestions to this?