01-17-2003 11:26 AM - edited 03-09-2019 01:43 AM
Looking for tips on CBAC/IOS firewall feature set for securing. Things similar to limiting connections on certain ports... denying private ranges from coming in outside interface and so on.
Thanks,
Dan
01-17-2003 12:48 PM
Hi Dan,
You may use a static statement on a PIX to limit the number of connections and embryonics:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/s.htm#xtocid20
You may take a look at this URL:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:ACCESS-LIST_ARP_BOOT_DHCP
I also took this example from this newsgroup. (Thanks to Steve. I couldn't find something similar at cisco.com but I'm sure they'll have).
Example:
! Anti-spoofing ingress ACL (apply inbound on the outside interface)
! Deny unspecified, broadcast, loopback, RFC 1918, "this" network and multicast sources
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip any 255.255.255.128 0.0.0.127 log
access-list 110 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log
access-list 110 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
! Deny packets arriving from outside that claim your own address range as source
access-list 110 deny ip x.x.x.64 0.0.0.31 any log (your network's IP range)
! Permit only the published services, then log and drop everything else
access-list 110 permit tcp any host x.x.x.69 eq 443
access-list 110 permit tcp any host x.x.x.74 eq smtp
access-list 110 permit tcp any eq ftp-data host x.x.x.74
access-list 110 deny ip any any log
Hope this helps
Michael
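To check what an ingress ACL like the one above actually does before applying it, here is a small IOS-style ACL evaluator, added as an example and not part of Michael's post. It parses the wildcard-mask entries, applies first-match semantics with the implicit trailing deny, and lets you test spoofed versus legitimate packets; the address block is instantiated with the documentation range 203.0.113.64/27 as a placeholder for x.x.x.64/27.

```python
import ipaddress
# Constructed sample: the post's ingress ACL, with x.x.x.64/27 instantiated as
# the documentation range 203.0.113.64/27 (a placeholder, not a real network).
ACL_110 = """
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 203.0.113.64 0.0.0.31 any log
access-list 110 permit tcp any host 203.0.113.69 eq 443
access-list 110 permit tcp any host 203.0.113.74 eq smtp
access-list 110 permit tcp any eq ftp-data host 203.0.113.74
access-list 110 deny ip any any log
"""
PORT_NAMES = {"smtp": 25, "ftp-data": 20}
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    # One IOS address spec ('any', 'host A', or 'A WILDCARD') -> (base, wildcard)
    if tokens[0] == "any":
        return tokens[1:], (0, 0xFFFFFFFF)
    if tokens[0] == "host":
        return tokens[2:], (_ip(tokens[1]), 0)
    return tokens[2:], (_ip(tokens[0]), _ip(tokens[1]))

def _port(tokens):
    # Optional 'eq <port>' qualifier; None means any port
    if tokens and tokens[0] == "eq":
        return tokens[2:], int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]
    return tokens, None

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()  # access-list N action proto src [eq p] dst [eq p] [log]
        action, proto, rest = t[2], t[3], t[4:]
        rest, src = _addr(rest)
        rest, sport = _port(rest)
        rest, dst = _addr(rest)
        rest, dport = _port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def _match(addr, spec):
    base, wild = spec  # a set wildcard bit means "don't care" for that bit
    return (_ip(addr) | wild) == (base | wild)

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    # First matching entry wins; IOS ends every ACL with an implicit deny
    for action, p, s, sp, d, dp in entries:
        if (p in ("ip", proto) and _match(src, s) and _match(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"
```

Feeding it a packet with an RFC 1918 or your own source address arriving from outside shows the deny, while HTTPS to the published host is permitted.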
01-21-2003 07:52 AM
Here are a few other IOS FW features to consider applying; note that certain ones may block certain desirable networking functions, so be sure to study and test the effect of each one before you apply it.
! Global configuration mode
no cdp run
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip bootp server
no ip tcp selective-ack
! Interface configuration mode (under each exposed interface)
no mop enabled
no fair-queue
no ip directed-broadcast
no ip unreachables