Hi guys,
I have set up my Cisco routers to have the following basic configuration:
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
!
interface Dialer1
 ip inspect FIREWALL out
 ip access-group FIREWALL-ACL in
!
ip access-list extended FIREWALL-ACL
 permit tcp any any eq 22
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 deny tcp any any
 deny udp any any
 deny ip any any
However, whilst this allows for a site-to-site VPN, remote SSH access, and clients to punch a way through the firewall, it is unable to allow the router itself to do a DNS lookup or fetch a new IOS over FTP. How can I allow this through without opening excess holes that may only be used for such small tasks occasionally?
Also, is there anything else I should add to help secure the routers from DoS attacks etc.?
Many Thanks!
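The following is an added illustration, not part of the original post and not Cisco code: a small Python model of the Dialer1 policy above, showing why the inbound ACL behaves differently for LAN clients and for the router's own traffic. It encodes FIREWALL-ACL as posted (with the IOS keyword `isakmp` resolved to UDP/500) and a deliberately simplified CBAC: `ip inspect ... out` creates a session for transit traffic and lets the matching reply back in, but classic CBAC does not inspect packets the router itself generates, so those replies fall through to the static ACL and hit `deny udp any any` / `deny tcp any any`. The `inspect_router_traffic` flag is a modelling assumption standing in for the `router-traffic` keyword that later IOS releases add to `ip inspect name`; all addresses are constructed.

```python
"""Toy model of the posted Dialer1 policy: an inbound extended ACL plus CBAC
inspection applied outbound. Constructed example; the simplified CBAC
behaviour and every address below are assumptions, not router output."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", "icmp", "esp" or "gre"
    src: str
    dst: str
    sport: int = 0   # 0 = not applicable (esp/gre/icmp)
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dport: Optional[int] = None  # "eq <port>" on the destination; None = any


# FIREWALL-ACL exactly as posted; "isakmp" is the IOS keyword for UDP/500.
FIREWALL_ACL: List[AclEntry] = [
    AclEntry("permit", "tcp", 22),
    AclEntry("permit", "esp"),
    AclEntry("permit", "udp", 500),
    AclEntry("permit", "gre"),
    AclEntry("deny", "tcp"),
    AclEntry("deny", "udp"),
    AclEntry("deny", "ip"),
]


def acl_decision(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; an IOS extended ACL ends in an implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


SessionKey = Tuple[str, str, int, str, int]


class Dialer1Policy:
    """'ip inspect FIREWALL out' + 'ip access-group FIREWALL-ACL in'."""

    def __init__(self, inspect_protos=("tcp", "udp", "icmp"),
                 inspect_router_traffic: bool = False):
        self.inspect_protos = set(inspect_protos)
        # Assumption: classic CBAC skips router-originated packets unless the
        # inspect rule is configured to include them (router-traffic keyword).
        self.inspect_router_traffic = inspect_router_traffic
        self.sessions: Dict[SessionKey, bool] = {}

    def send_out(self, pkt: Packet, from_router: bool = False) -> None:
        """Outbound through Dialer1: inspected protocols create a session."""
        if pkt.proto not in self.inspect_protos:
            return
        if from_router and not self.inspect_router_traffic:
            return
        self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = True

    def receive_in(self, pkt: Packet) -> str:
        """Inbound on Dialer1: replies to an inspected session pass through the
        dynamic opening CBAC created; everything else is judged by the ACL."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit (inspect session)"
        return acl_decision(FIREWALL_ACL, pkt)


# Constructed addresses (documentation ranges), not from the post.
LAN_HOST = "192.168.1.10"
ROUTER_WAN = "203.0.113.5"
DNS_SERVER = "198.51.100.53"
FTP_SERVER = "198.51.100.21"


def lan_dns_lookup() -> str:
    """A LAN client's DNS query is inspected, so its reply gets back in."""
    p = Dialer1Policy()
    p.send_out(Packet("udp", LAN_HOST, DNS_SERVER, 40000, 53))
    return p.receive_in(Packet("udp", DNS_SERVER, LAN_HOST, 53, 40000))


def router_dns_lookup(inspect_router_traffic: bool = False) -> str:
    """The router's own query creates no session; the reply meets 'deny udp'."""
    p = Dialer1Policy(inspect_router_traffic=inspect_router_traffic)
    p.send_out(Packet("udp", ROUTER_WAN, DNS_SERVER, 50000, 53), from_router=True)
    return p.receive_in(Packet("udp", DNS_SERVER, ROUTER_WAN, 53, 50000))


def router_ftp_control(inspect_router_traffic: bool = False) -> str:
    """Same failure for the router fetching an IOS image over FTP (TCP/21)."""
    p = Dialer1Policy(inspect_router_traffic=inspect_router_traffic)
    p.send_out(Packet("tcp", ROUTER_WAN, FTP_SERVER, 51000, 21), from_router=True)
    return p.receive_in(Packet("tcp", FTP_SERVER, ROUTER_WAN, 21, 51000))


def inbound_ssh() -> str:
    """Unsolicited SSH to the router is statically permitted by the ACL."""
    return Dialer1Policy().receive_in(Packet("tcp", "198.51.100.1", ROUTER_WAN, 4444, 22))


if __name__ == "__main__":
    for name, fn in [("LAN DNS reply", lan_dns_lookup),
                     ("router DNS reply", router_dns_lookup),
                     ("router FTP reply", router_ftp_control),
                     ("inbound SSH", inbound_ssh)]:
        print(f"{name:18s}: {fn()}")
```

Running the model shows the asymmetry behind the question: the LAN client's DNS reply is permitted through the inspection session, while the router's own DNS and FTP replies are denied by the static ACL, and only become permitted when router-originated traffic is included in inspection. The same evaluator can be fed any other packet to check what the ACL would do with it before changing the policy on a live router.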