
Learning ACL


McCisco (Technical User), Oct 29, 2006
Ok, I got the router going. I need some help with ACLs.
I don't want to block anything going out (from my private network to the internet). I do want to block stuff coming in. I have been reading about ACLs; it can get complicated quickly. Interface f0/0 is pointing toward the internet. I do know I would put these ACLs on the f0/0 interface coming in. I am using the 2600 to replace my almost useless Linksys. I want the 2600 to act like a firewall.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I want to block ICMP into the private network.
I want to block Telnet into the private network
I want to block FTP into the private network
I want to block TFTP into the private network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
thanks,
 
..hey McCisco..
...you need CBAC!

..did we ever determine how much flash/memory you have?

#show ver
cisco 2620 (MPC860) processor (revision 0x102) with 61440K/4096K bytes of memory

...add 61000+4000..so I have 65000..really I think I only have 64000

#show flash
[16374932 bytes used, 402280 available, 16777212 total]

..so with 64000 memory and 16 flash i have max..and can support any ios for 2600 non xm

..I remember you had some type of memory problems..but I don't think we determined how much memory you have..

..and what IOS did you finally get working..

..since that will be your perimeter router/firewall... you need to get that cbac going

..check out the below link...with the proper firewall IOS feature set..you run this

..this is a pretty cool tutorial with an example..

..I ran NMAP against it..I liked the output..



 
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any eq ftp
access-list 101 deny tcp any any eq tftp
access-list 101 deny icmp any any

perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'
 
Hey Dan,
I saw some stuff about CBAC this morning when I was researching the ACL stuff. I will look more at CBAC.
**************************************************
Memory - cisco 2621 (MPC860) processor (revision 0x102) with 36864K/4096K bytes of memory
Code - System image file is "flash:c2600-io3-mz.123-19.bin"
***********************************************************
sho flash - [8072264 bytes used, 8704948 available, 16777212 total]
***********************************************************
I am open for suggestions on code that will fit on the 2600
***********************************************************
Here is what I have so far for the 2600

Let me know what ya think :)
Thanks,
Joe

********************************************
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny icmp any any
access-list 102 deny tcp any any eq 25
access-list 102 deny tcp any any eq 22
access-list 102 deny tcp any any eq 110
access-list 102 deny tcp any any eq 143
access-list 102 permit ip any any

#############################################
DENIES IMAP TRAFFIC FROM THE INTERNET
*************************************
access-list 102 deny tcp any any eq 143
#############################################
DENIES POP3 TRAFFIC FROM THE INTERNET
*************************************
access-list 102 deny tcp any any eq 110
#############################################
DENIES SSH TRAFFIC FROM THE INTERNET
************************************
access-list 102 deny tcp any any eq 22
#############################################
DENIES FTP TRAFFIC FROM THE INTERNET
************************************
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
#############################################
DENIES TELNET TRAFFIC FROM THE INTERNET
**************************************
access-list 102 deny tcp any any eq 23
#############################################
DENIES ICMP TRAFFIC FROM THE INTERNET
*************************************
access-list 102 deny icmp any any
#############################################
DENIES SMTP TRAFFIC FROM THE INTERNET
*************************************
access-list 102 deny tcp any any eq 25
#############################################
PERMITS EVERYTHING ELSE (must stay the last line, after every deny; an earlier permit ip any any would hide the denies below it)
*************************************
access-list 102 permit ip any any
##############################################
IP-Directed Broadcast
*********************
The IP-directed broadcast is another service that is commonly used in Smurf attacks.
Smurf attacks send ICMP echo requests from a spoofed source address to a directed broadcast
that cause all hosts to respond to the ping echo request, creating a lot of traffic on the network.
By default on IOS version 12.0 and higher, ip directed broadcast is disabled, and if you are running
any version lower than 12.0, it is imperative that you disable IP directed broadcasts on the router by
issuing the following command in interface configuration mode:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R1(config-if)#no ip directed-broadcast
###########################################################
bootp
*****
bootp is enabled by default, and if you are not using it, you should definitely disable it. You can use the
no ip bootp server command in global configuration mode to disable bootp on your routers:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R1(config)# no ip bootp server
##########################################################
ip classless
************
The ip classless command is enabled on the Cisco routers by default in version 12.0 and higher.
Disable ip classless if your network does not have a subnetted range of IP addresses.
If you are subnetting a block of IP address allocated to you by the American Registry for Internet Numbers (ARIN),
you should ensure that ip classless is enabled. It allows the router to advertise the subnetted addresses to its neighbors (you can learn more about ARIN on its website):
~~~~~~~~~~~~~~~~~~~~~~~~~~
R1(config)#no ip classless
###########################################################
ip mask-reply
*************
By default, the ip mask-reply command is disabled on all Cisco routers. The mask replies respond to Internet Control
Message Protocol (ICMP) mask requests by sending out ICMP mask replies, and these mask replies contain important network
information. If mask replies are enabled, make sure you disable them on the router by using the no ip mask-reply command
in interface configuration mode:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R1(config-if)#no ip mask-reply
###########################################################
IP Source Routing
*****************
IP source routing allows the sender of an IP packet to control the route that packet will take to reach the
destination endpoint. By default, IP source routing is disabled on the routers and should only be enabled
if your network needs call for it. The following command disables IP source routing on the router globally:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R1(config)#no ip source-route
###########################################################
IP Unreachable
**************
IP unreachable messages can be used to map out the network topology, and they should be disabled on all interfaces.
You can disable IP unreachables on all interfaces by issuing the following command in interface configuration mode:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R1(config-if)#no ip unreachables
###########################################################
 
access-list 101 deny tcp any any eq tftp = error

I used
access-list 101 deny tcp any any eq 69

Will that do the same thing?

Should I be blocking incoming UDP specifically?

Thanks,
Joe
 
dur... Apologies on that one I'm waking up drinking coffee and typing trash ;)

access-list 100 deny udp any any eq 69



perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'
 
I am using this ACL f0/0 pointed toward the internet. I want to block ICMP traffic from the internet, but I also want to be able to ping addresses on the internet. What am I missing?

access-list 102 deny icmp any any



 
Best to use standards for ICMP. Not allowing your site to be pingable is not securing your infrastructure as much as you may think it does.
Anyway...

access-list 100 deny icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any time-exceeded
access-list 100 deny icmp any any

perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'
 
ok next questions

~ Is there a way to setup logging for the ACL so I can see what is trying to get through?
~ How do I access the log files for the router in general?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am using these ACLs and I can't ping the internet from the private side of the network.

access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny tcp any any eq 25
access-list 102 deny tcp any any eq 22
access-list 102 deny tcp any any eq 110
access-list 102 deny tcp any any eq 143
access-list 102 deny udp any any eq 69
access-list 102 deny icmp any any
access-list 102 deny icmp any any fragments
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
access-list 102 permit ip any any
 
ok, I am confused --

I don't want the outside interface to respond to icmp, but I do want to be able to ping things on the internet
 
thanks again Tim, I got it between you and Dan, I will be a CCNP soon :)

BTW -
~ Is there a way to setup logging for the ACL so I can see what is trying to get through?
~ How do I access the log files for the router in general?
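The two logging questions above never get an answer in the thread, so here is an added example; it is not code from any of the posters or from Cisco. On IOS you get per-entry hit messages by appending `log` to the access-list entries you care about (for instance `access-list 102 deny tcp any any eq 23 log`; `log-input` additionally records the ingress interface and source MAC), keep them in RAM with `logging buffered 16384`, read them with `show logging`, or ship them off-box with `logging host <syslog-ip>`; `service timestamps log datetime msec` makes the lines sortable. Two caveats: packets that hit a `log` entry are process-switched, which costs CPU on a 2600, and IOS logs the first hit immediately and then only a count about every five minutes, emitting an IPACCESSLOGRL line when it could not log everything. The script below parses the resulting `%SEC-6-IPACCESSLOGP` (TCP/UDP) and `%SEC-6-IPACCESSLOGDP` (ICMP) lines and totals denied packets per source and per target port. The log lines, the hostname `gw` and the addresses are constructed sample data.

```python
"""Summarise the messages Cisco IOS emits for ACL entries that carry the "log"
keyword (seen in "show logging" or on a syslog host).  Added example for this
thread; SAMPLE_LOG is constructed, the addresses are documentation ranges."""
import re
from collections import Counter

SAMPLE_LOG = """\
Oct 29 10:15:33 gw 2: %SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.5(4433) -> 192.0.2.10(23), 1 packet
Oct 29 10:15:41 gw 3: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 203.0.113.7 -> 192.0.2.10 (8/0), 3 packets
Oct 29 10:16:02 gw 4: %SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.5(4434) -> 192.0.2.10(22), 1 packet
Oct 29 10:16:20 gw 5: %SEC-6-IPACCESSLOGP: list 102 denied udp 198.51.100.9(60123) -> 192.0.2.10(69), 2 packets
Oct 29 10:20:44 gw 6: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
Oct 29 10:21:00 gw 7: %SYS-5-CONFIG_I: Configured from console by console
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# TCP/UDP hits carry the ports in parentheses after each address ...
TCP_UDP = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (tcp|udp) "
                     + IP + r"\((\d+)\) -> " + IP + r"\((\d+)\), (\d+) packets?")
# ... ICMP hits carry "(type/code)" after the destination instead.
ICMP = re.compile(r"%SEC-6-IPACCESSLOGDP: list (\S+) (permitted|denied) icmp "
                  + IP + r" -> " + IP + r" \((\d+)/(\d+)\), (\d+) packets?")
# Emitted when the router could not log every hit; the count is what you missed.
RATE_LIMITED = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?(\d+) packets")

def parse_line(line):
    """Return a dict for an ACL hit message, or None for any other log line."""
    m = TCP_UDP.search(line)
    if m:
        lst, action, proto, src, _sport, dst, dport, n = m.groups()
        return {"list": lst, "action": action, "proto": proto, "src": src,
                "dst": dst, "dport": int(dport), "packets": int(n)}
    m = ICMP.search(line)
    if m:
        lst, action, src, dst, itype, icode, n = m.groups()
        return {"list": lst, "action": action, "proto": "icmp", "src": src,
                "dst": dst, "dport": f"{itype}/{icode}", "packets": int(n)}
    return None

def summarise(log_text):
    """Denied packet counts per source and per (proto, port), plus unlogged hits."""
    by_src, by_port, missed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rl = RATE_LIMITED.search(line)
        if rl:
            missed += int(rl.group(1))
            continue
        ev = parse_line(line)
        if ev and ev["action"] == "denied":
            by_src[ev["src"]] += ev["packets"]
            by_port[(ev["proto"], ev["dport"])] += ev["packets"]
    return {"denied_by_source": by_src, "denied_by_port": by_port,
            "unlogged_packets": missed}

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("top sources:", s["denied_by_source"].most_common(3))
    print("top targets:", s["denied_by_port"].most_common(3))
    print("packets the router did not log:", s["unlogged_packets"])
```

Point it at the output of `show logging` (or your syslog file) instead of SAMPLE_LOG; the `unlogged_packets` figure tells you how much the rate limiter hid, which matters when you are counting a scan rather than just noticing it.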
 
Here is the ACL I am using thoughts, suggestions, need more?

BTW- I printed the paper on CBAC - I am going to read today.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny tcp any any eq 25
access-list 102 deny tcp any any eq 22
access-list 102 deny tcp any any eq 110
access-list 102 deny tcp any any eq 143
access-list 102 deny udp any any eq 69
access-list 102 deny icmp any any fragments
access-list 102 permit tcp any any established
access-list 102 deny icmp any any fragments
access-list 102 deny icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
When I apply this ACL to this interface:

~ I can't ping past the router from the private network to the internet.
~ I can browse the web from behind the router.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface FastEthernet0/0
description interface facing the internet
ip address dhcp
ip access-group 102 in
no ip unreachables
duplex auto
speed auto
no cdp enable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ACL -
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny tcp any any eq 25
access-list 102 deny tcp any any eq 22
access-list 102 deny tcp any any eq 110
access-list 102 deny tcp any any eq 143
access-list 102 deny udp any any eq 69
access-list 102 deny icmp any any fragments
access-list 102 deny icmp any any fragments
access-list 102 deny icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
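An added example to make the ping symptom in this thread concrete; it is not code from any poster or from Cisco, it is a small Python model of how IOS walks a numbered extended ACL (top down, first match wins, implicit deny ip any any at the end). It parses two of the ACLs Joe posted, abridged to the entries that matter (the SMTP/SSH/POP3/IMAP denies behave like the telnet one and the repeated `fragments` line is dropped), evaluates constructed packets against them, and lists entries that can never match. The first list denies the echo-reply on `deny icmp any any` and reports the six ICMP entries beneath it as unreachable, which is why that ACL could not ping out. The final list permits the echo-reply and the browser's returning TCP segments via `established`, but a UDP DNS answer falls through to the implicit deny, because `established` only looks at TCP flags: that return-traffic problem is what CBAC (`ip inspect`) solves, as Dan suggested at the top. Non-initial fragments are not modelled.

```python
"""How Cisco IOS walks a numbered extended ACL: top to bottom, first match wins,
implicit "deny ip any any" at the end.  Added example for this thread; the ACL
texts are abridged copies of Joe's posts above, the packets are constructed."""
import re
from collections import namedtuple
from dataclasses import dataclass

# ACL from the post that could not ping out: "deny icmp any any" sits above the
# ICMP permits (the SMTP/SSH/POP3/IMAP denies are omitted, they act like telnet).
ACL_FIRST = """
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny udp any any eq 69
access-list 102 deny icmp any any
access-list 102 deny icmp any any fragments
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
access-list 102 permit ip any any
"""
# Final ACL from the thread, same abridgement, the repeated "fragments" line dropped.
ACL_LAST = """
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny udp any any eq 69
access-list 102 deny icmp any any fragments
access-list 102 permit tcp any any established
access-list 102 deny icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
"""

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23, "tftp": 69, "domain": 53}
ICMP_NAMES = {"echo": (8, 0), "echo-reply": (0, 0), "packet-too-big": (3, 4),
              "source-quench": (4, 0), "time-exceeded": (11, None)}  # (type, code or any)
Ace = namedtuple("Ace", "action proto qualifiers text")
ACE_RE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+any\s+any\s*(.*)")

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # TCP/UDP destination port
    icmp_type: int = 0
    icmp_code: int = 0
    ack: bool = False   # TCP ACK or RST bit set, which is all "established" tests

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO any any [qualifier ...]' lines."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported entry: {line!r}")
        aces.append(Ace(m.group(1), m.group(2), m.group(3).split(), line.strip()))
    return aces

def ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    q = ace.qualifiers
    if not q:                  # protocol-wide entry such as "deny icmp any any"
        return True
    if q[0] == "fragments":    # matches non-initial fragments only; none modelled here
        return False
    if q[0] == "eq":
        port = int(q[1]) if q[1].isdigit() else PORT_NAMES[q[1]]
        return pkt.dport == port
    if q[0] == "established":
        return pkt.ack
    itype, icode = ICMP_NAMES[q[0]]
    return pkt.icmp_type == itype and (icode is None or pkt.icmp_code == icode)

def evaluate(aces, pkt):
    """Return (action, entry text); the implicit deny is reported by name."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any (end of list)"

def shadowed(aces):
    """Entries that can never match because an earlier protocol-wide entry covers them."""
    return [a.text for i, a in enumerate(aces)
            if any(not e.qualifiers and e.proto in ("ip", a.proto) for e in aces[:i])]

if __name__ == "__main__":
    for name, text in (("first", ACL_FIRST), ("last", ACL_LAST)):
        acl = parse_acl(text)
        print(name, "echo-reply in:", evaluate(acl, Packet("icmp", icmp_type=0)))
        print(name, "TCP return in:", evaluate(acl, Packet("tcp", dport=34567, ack=True)))
        print(name, "DNS answer in:", evaluate(acl, Packet("udp", dport=34568)))
        print(name, "unreachable:", shadowed(acl))
```

Running `shadowed()` over a list before you apply it is the cheap check that catches the ordering mistake; running `evaluate()` with the reply half of each protocol you use from inside (TCP with ACK set, UDP answers, ICMP echo-reply) shows what an inbound ACL without state will silently drop.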
 