Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

using acls to help defend dmz's from port scans and probes.

Status
Not open for further replies.
26331r

26331r

Technical User
Joined
Apr 26, 2000
Messages
1
Location
GB
I wonder if any one out here has implemented acl's to help combat the script kiddies performing scans and probes on devices behind a border router.
 
Sort by date Sort by votes
To do this you really have to have a good understanding of what traffic you currently have running through that border router.&nbsp;&nbsp;You can set up an ACL but must remember that DNS, mail, web, secure web, ftp&nbsp;&nbsp;and any other applications you are running to an external source will need to have data returned from the outside which means those ports to those servers have to be allowed back in.&nbsp;&nbsp;It can be done but is hard to install and manage.<br><br>Hope this helps<br>Rob Brown
 
Upvote 0 Downvote
How do you set up an ACL? Can you tell me in detailed steps?<br>
 
Upvote 0 Downvote
There is a multitude of access lists you can create.&nbsp;&nbsp;They can be used for IPX, IP, appletalk, ect...<br><br>For IP there is 2 different variances of it.&nbsp;&nbsp;You can use access lists that number from 1-99 which is a basic access list or you can do an extended access list which gives the options to specify protocol or port for incoming or outgoing access.&nbsp;&nbsp;I will give you a very basic of each and how to implement them but to go into a lot of detail would take far to long.<br><br>First you create the access list:<br>conf t<br>access list 1 permit 10.0.0.0 0.0.0.255 <br>(remember when a access list is created there is an implicit deny all statement at the end)<br><br>Now the access list has been created and must be assigned to an interface<br>conf t<br>int e0<br>access group 1 in or out (depending on which way you want it blocked)<br><br>This is saying that any address starting with 10.0.0 will be permitted access either in or out depending on what the access group is set up as.<br><br>An extended access list is as follows:<br>access 101 permit TCP 10.0.0.0 0.0.0.255 eq 80) any <br><br>and then apply it to the interface just like in the previous example.<br><br>This is basically allowing 10.0.0.??? can connect to anything using port 80 <br><br>Like I said these are real basic there is a multitude of options that you are offered but a word of warning if you try this on a production network you could lock people out (including yourself out of the router)&nbsp;&nbsp;<br><br>The implicit deny all usually gets everyone at one time or another.<br><br>Hope this helps<br>Rob Brown
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

CPM86
  • Locked
  • Question Question
Cisco isr 4331 with IOS and sip busy fail over to 2nd sip number on pbx?
Replies
0
Views
566
CPM86
CPM86
jobsp90
  • Locked
  • Question Question
I have a issue in my office hospital network regarding using IPPBX software.
Replies
2
Views
533
DavetheChef
DavetheChef
B
  • Locked
  • Question Question
Cisco IP phone 7841 8851 unable to forward all to external number
Replies
0
Views
407
badwolf1686
B
Jared R
  • Locked
  • Question Question
Cisco UC320W Paging Help
Replies
0
Views
702
Jared R
Jared R
Zero6
  • Locked
  • Question Question
question about cisco cbs 350-12xs 12 port 10g sfp+
Replies
0
Views
509
Zero6
Zero6

Part and Inventory Search

Sponsor

Back
Top