
Outbound ACLs


SF18C

IS-IT--Management
Feb 5, 2002
Does anyone have a good ACL for outbound traffic to the Internet?

I think I have a pretty good firewall and inbound ACL (both Cisco SDM set up with VoIP additions), but I get the heebie-jeebies that something will still get in, and I want to kill the outbound stuff that doesn't "feel right".

Here is the inbound ACL

access-list 104 deny ip 10.0.0.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply log
access-list 104 remark ntp
access-list 104 permit udp any eq ntp any eq ntp log
access-list 104 remark tftp
access-list 104 permit udp any eq tftp any eq tftp log
access-list 104 remark sip2
access-list 104 permit udp any eq 5061 any eq 5061 log
access-list 104 remark sip
access-list 104 permit udp any eq 5060 any eq 5060 log
access-list 104 permit icmp any any time-exceeded log
access-list 104 permit icmp any any unreachable log
access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
access-list 104 permit ip 136.209.0.0 0.0.255.255 any
access-list 104 permit ip 147.40.0.0 0.0.255.255 any log
access-list 104 permit ip 144.170.0.0 0.0.255.255 any log
access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any

Here is the FW policy

ip inspect name rule1 cuseeme
ip inspect name rule1 esmtp timeout 10
ip inspect name rule1 fragment maximum 50 timeout 1
ip inspect name rule1 ftp
ip inspect name rule1 h323
ip inspect name rule1 http
ip inspect name rule1 icmp
ip inspect name rule1 netshow
ip inspect name rule1 rcmd
ip inspect name rule1 realaudio
ip inspect name rule1 rpc program-number 1
ip inspect name rule1 rtsp
ip inspect name rule1 sip
ip inspect name rule1 skinny
ip inspect name rule1 sqlnet
ip inspect name rule1 streamworks
ip inspect name rule1 tcp
ip inspect name rule1 tftp
ip inspect name rule1 udp
ip inspect name rule1 vdolive

Any ideas or suggestions to improve what I've got, and what are some good ports to block outbound?

SF18C
CCNP, MCSE, A+, N+ & HPCC
Tis better to die on your feet than live on your knees!
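As an added example that is not part of the thread and not the poster's SDM-generated config, here is one way to build the outbound ACL the question asks about, applied inbound on the LAN interface so it filters on pre-NAT source addresses. The inside prefix, phone subnet, mail-server address, ACL number and interface name are all assumptions, explained in the comments.

```cisco
! Added example (not the poster's or SDM's own config). Applied INBOUND on the
! LAN interface so it sees pre-NAT source addresses. ASSUMPTIONS: inside LAN is
! 10.0.0.0/24 (inferred from the first line of access-list 104), the router's
! LAN address is 10.0.0.1, the phones/PBX live in 10.0.0.64/26, the mail server
! is 10.0.0.25, and ACL number 105 is unused. Adjust before use.
!
! Hosts talking to the router itself: DNS forwarder and DHCP (source 0.0.0.0).
access-list 105 remark --- local services from the router ---
access-list 105 permit udp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq domain
access-list 105 permit udp any eq bootpc any eq bootps
!
! Ports that should never leave the site: Windows file/RPC sharing, SNMP,
! MS SQL, and SMTP from anything but the mail server.
access-list 105 remark --- never to the Internet ---
access-list 105 deny   tcp 10.0.0.0 0.0.0.255 any range 135 139 log
access-list 105 deny   udp 10.0.0.0 0.0.0.255 any range 135 139 log
access-list 105 deny   tcp 10.0.0.0 0.0.0.255 any eq 445 log
access-list 105 deny   udp 10.0.0.0 0.0.0.255 any eq snmp log
access-list 105 deny   tcp 10.0.0.0 0.0.0.255 any eq 1433 log
access-list 105 permit tcp host 10.0.0.25 any eq smtp
access-list 105 deny   tcp 10.0.0.0 0.0.0.255 any eq smtp log
!
! Mirror the inbound SIP/TFTP holes: only the phone subnet may open them,
! so a compromised desktop cannot reach an outside TFTP or SIP server.
access-list 105 remark --- VoIP and TFTP: phone subnet only ---
access-list 105 permit udp 10.0.0.64 0.0.0.63 any eq 5060
access-list 105 permit udp 10.0.0.64 0.0.0.63 any eq 5061
access-list 105 permit udp 10.0.0.64 0.0.0.63 any eq tftp
access-list 105 deny   udp 10.0.0.0 0.0.0.255 any eq 5060 log
access-list 105 deny   udp 10.0.0.0 0.0.0.255 any eq 5061 log
access-list 105 deny   udp 10.0.0.0 0.0.0.255 any eq tftp log
!
! Everything else sourced from our prefix is allowed; CBAC (rule1) opens the
! return path. Only echo goes out, matching the inbound echo-reply permit.
access-list 105 remark --- general outbound from our prefix ---
access-list 105 permit tcp 10.0.0.0 0.0.0.255 any
access-list 105 permit udp 10.0.0.0 0.0.0.255 any
access-list 105 permit icmp 10.0.0.0 0.0.0.255 any echo
!
! Anything that reaches here is not sourced from our prefix: spoofed or
! misconfigured. Log it; this is the line to watch in syslog.
access-list 105 deny   ip any any log
!
interface FastEthernet0/0
 description LAN (interface name is a placeholder)
 ip access-group 105 in
```

Every `log` keyword costs router CPU on a busy link, so keep it only on the deny lines you actually intend to watch, and leave the existing `ip inspect rule1` placement from SDM as it is.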
 
Looks pretty good. I guess you really need that incoming tftp or else it wouldn't be there?