cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

454
Views
0
Helpful
2
Replies
Highlighted

ACL for security reason

Hello,

 

A security question pop up in my mind and I want an advice in this way.

 

I made the ACL for intranet that I use, I want to know where is the best place to put the ACL and in which way, and why?

 

What other advice to you have for my, what other things to add to improving the security?

 

To be easy I will let the whol config and I will bold the ACL

 

Building configuration...

Current configuration : 5608 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1-ALFA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
enable secret 5 *********************
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
login block-for 180 attempts 3 within 180
!
multilink bundle-name authenticated
!
!
username *************** password 7 ****************
archive
log config
hidekeys
!
!
!
!
ip ssh port ****** rotary 888
!
!
!
interface FastEthernet0/0
description The interface that talk with ISP
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 12
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description The interface that let you to play inside
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1.19
description The vlan from devices like printes (static)
encapsulation dot1Q 19
ip address 172.31.245.145 255.255.255.240
no cdp enable
!
interface FastEthernet0/1.29
description The vlan for something I don't know
encapsulation dot1Q 29
ip address 172.16.0.1 255.255.255.240
no cdp enable
!
interface FastEthernet0/1.55
description The vlan for play on net
encapsulation dot1Q 55
ip address 172.16.30.161 255.255.255.240
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Dialer12
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 12
dialer idle-timeout 0
dialer persistent
dialer-group 12
no cdp enable
ppp authentication pap callin
ppp pap sent-username *********** password 7 **********
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
!
!
no ip http server
ip http secure-server
ip dns server
ip nat inside source list 15 interface Dialer12 overload
!
ip access-list extended NotAllowIpsToBeUseed
remark those ip are use to Block Spoof/Malicious packets
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any

!

!

!
ip access-list extended NotAllowToInside
remark this ACL don't allow to access well know ports to attack the internal network
deny tcp any any eq echo
deny tcp any any eq discard
deny tcp any any eq daytime
deny tcp any any eq chargen
deny tcp any any eq telnet
deny tcp any any eq finger
deny tcp any any eq 3389
deny tcp any any eq 161
deny tcp any any eq www
deny tcp any any eq 37
deny tcp any any eq 69
deny tcp any any eq ftp-data
deny tcp any any eq ftp
permit tcp any 172.16.30.160 0.0.0.15 eq 443

!

!

!
ip access-list extended fohSSH
deny tcp any any eq 22
permit tcp any any eq 8888
!
access-list 15 permit 172.16.30.160 0.0.0.15
dialer-list 12 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
!
banner motd ^CIf you're not the Admin get out!!^C
!
line con 0
exec-timeout 180 0
login authentication local_auth
line aux 0
login authentication local_auth
line vty 0 4
access-class fohSSH in
rotary 888
transport input ssh
line vty 5 9
access-class fohSSH in
rotary 12
transport input ssh
line vty 10
access-class fohSSH in
login authentication local_auth
rotary 12
transport input ssh
line vty 11 15
access-class fohSSH in
rotary 12
transport input ssh
!
!
end

 

 

2 REPLIES 2
Highlighted
VIP Expert

best place to put ACL depends on which side you would like to block. possible to place them close to source.

 

example :

 

you want to block internal users to going out  - Block at inside, so less impact.

 

usere----in (router)--out

 

examples:

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html



BB


*** Rate All Helpful Responses ***

Highlighted

ola,

 

for example I want the router to act also as a firewall, because I don't have one and I search for a good advice or guide line to know how to config my router to protect my intranet

Content for Community-Ad