
using acls to help defend dmz's from port scans and probes.


26331r

Technical User
Apr 26, 2000
1
GB
I wonder if anyone out here has implemented ACLs to help combat the script kiddies performing scans and probes on devices behind a border router.
 
To do this you really have to have a good understanding of what traffic you currently have running through that border router. You can set up an ACL, but you must remember that DNS, mail, web, secure web, FTP and any other applications you are running to an external source will need to have data returned from the outside, which means those ports to those servers have to be allowed back in. It can be done, but it is hard to install and manage.

Hope this helps
Rob Brown
 
How do you set up an ACL? Can you tell me in detailed steps?
 
There is a multitude of access lists you can create. They can be used for IPX, IP, AppleTalk, etc.

For IP there are two different variants. You can use access lists numbered 1-99, which are basic access lists, or you can do an extended access list, which gives you the option to specify protocol or port for incoming or outgoing access. I will give you a very basic example of each and how to implement them, but to go into a lot of detail would take far too long.

First you create the access list:

  conf t
  access-list 1 permit 10.0.0.0 0.0.0.255

(remember that when an access list is created there is an implicit deny-all statement at the end)

Now the access list has been created and must be assigned to an interface:

  conf t
  int e0
  ip access-group 1 in

(use out instead of in depending on which way you want it blocked)

This is saying that any address starting with 10.0.0 will be permitted access either in or out depending on what the access group is set up as.

An extended access list is as follows:

  access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 80

and then apply it to the interface just like in the previous example.

This basically allows any 10.0.0.x host to connect to anything using port 80.

Like I said, these are real basic; there is a multitude of options that you are offered, but a word of warning: if you try this on a production network you could lock people out (including yourself out of the router).

The implicit deny-all usually gets everyone at one time or another.

Hope this helps
Rob Brown
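Both replies above run into the same two requirements for the original question: the DMZ has to accept inbound connections only to the services it actually publishes, and connections that DMZ or inside hosts open themselves need their replies let back in, while everything else (the probes and scans being asked about) is dropped and, ideally, recorded. The border-router configuration below is an added example and was not posted in the thread. It assumes a DMZ subnet of 192.0.2.0/24 with a web server at 192.0.2.10, a mail server at 192.0.2.20, a DNS server at 192.0.2.30 and an FTP server at 192.0.2.40, and an outside interface named Serial0/0; all of those addresses and names are placeholders.

```cisco
! Added example, not from the thread. Assumed addressing:
!   DMZ subnet 192.0.2.0/24, web 192.0.2.10, mail 192.0.2.20,
!   DNS 192.0.2.30, FTP 192.0.2.40; outside interface Serial0/0.
conf t
ip access-list extended DMZ-IN
 remark --- drop packets arriving from outside that claim a DMZ or private source (spoofing) ---
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 remark --- services the DMZ publishes: only these host/port pairs accept new connections ---
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.20 eq 25
 permit udp any host 192.0.2.30 eq 53
 permit tcp any host 192.0.2.30 eq 53
 permit tcp any host 192.0.2.40 eq 21
 remark --- replies to TCP connections the DMZ opened outbound (segments with ACK or RST set) ---
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark --- replies to the DNS server's own outbound lookups ---
 permit udp any eq 53 host 192.0.2.30
 remark --- ICMP needed so path MTU discovery keeps working ---
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark --- same effect as the implicit deny, but logged so scans show up in syslog ---
 deny ip any any log
interface Serial0/0
 ip access-group DMZ-IN in
end
```

The `established` keyword only checks that the ACK or RST bit is set; it keeps no connection state, so it is a coarse return-traffic filter, not a stateful firewall. The explicit `deny ip any any log` matches exactly what the implicit deny would have dropped, but it makes the dropped probes visible in syslog and in the per-line hit counters of `show access-lists`; under a heavy scan the logging itself costs router CPU, so watch that. Passive-mode FTP clients open a second connection to a high port on 192.0.2.40 that this list does not permit, so either restrict the server's passive port range and permit it, or place the FTP server behind a stateful device. Apply the list from a console session on a lab router first, since a mistake here locks you out exactly as the reply above warns.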
 