01-16-2003 11:03 AM - edited 02-20-2020 09:20 PM
Does anyone have an example of a standard, or generally accepted access list to apply to the outside interface of my internet router? I'm running IOS firewall and doing NAT with it and I thought I had a good idea of what to include in my "access-list xxx in" on the serial interface connected to the Internet, but when I do, I lose Internet service for my internal networks. I want some generally accepted protections from "the big, scary internet" but I also want Internet usage to work transparently.
Any advice or examples would be appreciated!
Thanks!!
01-16-2003 11:38 AM
The generally accepted policy for inbound traffic is to deny everything except what is necessary for your business. If you don't offer any services to 'Internet' users, your access-list should deny all.
An outbound access list should state what users are allowed to do on the Internet.
01-16-2003 11:43 AM
This link should help: http://www.merit.edu/~ipma/docs/help.html
It's a list of networks that ISPs usually block. Also, don't forget to block IPs with a source IP of your network from entering your network (i.e. prevent IP spoofing).
So in general, the first part of the acl should be the general denies (for example as per the provided link), the second part of the acl should be what you want to allow into your network, and the last part should be the "deny ip any any log" statement. Only allow what is necessary for your company, deny the rest.
Example:
! reserved / bogon source and destination addresses
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip any 255.255.255.128 0.0.0.127 log
access-list 110 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log
! private (RFC 1918) and loopback source addresses; IOS requires a destination, so "any" is given
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log
access-list 110 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
! anti-spoofing: x.x.x.64/27 is your network's IP range and must never arrive from outside
access-list 110 deny ip x.x.x.64 0.0.0.31 any log
! services you offer to the Internet
access-list 110 permit tcp any host x.x.x.69 eq 443
access-list 110 permit tcp any host x.x.x.74 eq smtp
access-list 110 permit tcp any eq ftp-data host x.x.x.74
! explicit, logged final deny
access-list 110 deny ip any any log
Nanog is a good resource for this sort of thing.
Hope it helps.
Steve
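An added example, not from the thread or from Cisco: a small Python evaluator that parses Steve's access-list 110 with IOS wildcard-mask and first-match semantics and checks sample packets against it. It assumes the site prefix x.x.x.64/27 is the documentation range 203.0.113.64/27, and it models only the static list, not the IOS firewall's stateful inspection.

```python
import ipaddress
# Constructed input: Steve's access-list 110 with the site prefix x.x.x.64/27
# replaced by the documentation range 203.0.113.64/27 (an assumption).
ACL_TEXT = """
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 203.0.113.64 0.0.0.31 any log
access-list 110 permit tcp any host 203.0.113.69 eq 443
access-list 110 permit tcp any host 203.0.113.74 eq smtp
access-list 110 deny ip any any log
"""
PORT_NAMES = {"smtp": 25, "ftp-data": 20, "www": 80}

def ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' into (base, care_mask), next index."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (ip(t[i + 1]), 0xFFFFFFFF), i + 2
    care = ~ip(t[i + 1]) & 0xFFFFFFFF      # wildcard 1-bits are "don't care"
    return (ip(t[i]) & care, care), i + 2

def _port(t, i):
    """Optional 'eq PORT'; None means the line does not check that port."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()                   # access-list N action proto ...
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append((t[2], t[3], src, sport, dst, dport))
    return rules

def _hit(spec, port_spec, addr, port):
    return (addr & spec[1]) == spec[0] and port_spec in (None, port)

def evaluate(rules, proto, src, sport, dst, dport):
    """Top-down, first match wins; no match falls to IOS's implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto in ("ip", proto) and _hit(rsrc, rsport, ip(src), sport) \
                and _hit(rdst, rdport, ip(dst), dport):
            return action
    return "deny"
```

A reply from a remote web server (source port 80) to a NAT address in the x.x.x.64/27 range matches no permit line and falls to the final deny, which is the static-ACL behaviour behind the loss of Internet access the question describes.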
01-17-2003 10:30 AM
Here's an interesting document I found on the subject.
http://www.cymru.com/Documents/secure-ios-template.html
Hope it helps.
Thomas