05-24-2012 11:34 PM - edited 03-04-2019 04:28 PM
Hi Expert,
I am using a private IP range in my organization's network.
We have taken a public pool from the ISP, and we also have an APNIC pool for internet use.
Now I am confused about what I should allow in the ACL applied on the internet router interface connected to the ISP, so that there would not be any loophole for an attacker.
There is a BGP neighbourship between my internet router and the ISP router.
Regards,
Surya.
05-25-2012 01:56 AM
Hello Surya,
the inbound ACL should provide for:
support of the eBGP session with the SP; two lines are needed, as the BGP well-known port may be on your side or on the other.
access-list 101 permit tcp host
access-list 101 permit tcp host
You should deny traffic with a source that belongs to the RFC 1918 private addresses or that comes from your own public IP address pool (to avoid spoofing attacks).
access-list 101 remark RFC 1918 filtering
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark anti spoofing
access-list 101 deny ip
access-list 101 deny ip
You can permit ICMP:
access-list 101 permit icmp any any
To permit only TCP sessions that have been started from the internal network you can use:
access-list 101 permit tcp any any established
Allowing UDP:
access-list 101 permit udp any any
You can end with a deny with the log option in order to keep a trace of what hits the last deny:
access-list 101 deny ip any any log
Hope this helps,
Giuseppe
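As an added example, not code from the thread or from Cisco, here is a small Python model of how IOS evaluates an inbound ACL of the shape Giuseppe sketched. It parses the ACL text in the same syntax, with placeholder addresses of my own (RFC 5737 documentation ranges: 203.0.113.1 as the ISP peer, 203.0.113.2 as the edge interface, 198.51.100.0/24 as the organisation's public pool), and runs constructed inbound packets through first-match evaluation, including Cisco wildcard masks, the `established` keyword (ACK or RST bit set) and the final logged deny.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder addresses of my own; the thread leaves the real ones out.
# RFC 5737 documentation ranges are used so nothing here is a real host.
ISP_PEER = "203.0.113.1"      # ISP-side eBGP neighbour
OUR_EDGE = "203.0.113.2"      # our interface toward the ISP
OUR_POOL = "198.51.100.0"     # our own public pool, wildcard 0.0.0.255

# The inbound ACL in IOS syntax, following the structure of the answer above.
ACL_TEXT = f"""
access-list 101 remark eBGP: the well-known port 179 may be on either side
access-list 101 permit tcp host {ISP_PEER} eq 179 host {OUR_EDGE}
access-list 101 permit tcp host {ISP_PEER} host {OUR_EDGE} eq 179
access-list 101 remark RFC 1918 filtering
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark anti spoofing: our pool must never arrive from the ISP
access-list 101 deny ip {OUR_POOL} 0.0.0.255 any
access-list 101 permit icmp any any
access-list 101 permit tcp any any established
access-list 101 permit udp any any
access-list 101 deny ip any any log
"""


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK or RST bit set; this is what 'established' tests


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return a & care == n & care


def _parse_addr(tok, i):
    """Consume 'any', 'host X' or 'NET WILDCARD' at tok[i]; return ((net, wc), next)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _parse_port(tok, i):
    """Optional 'eq N' following an address spec."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Turn access-list lines into (action, proto, src, sport, dst, dport, flags)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        flags = set(tok[i:])          # e.g. {"established"} or {"log"}
        rules.append((action, proto, src, sport, dst, dport, flags))
    return rules


def evaluate(rules, pkt):
    """First match wins; an implicit deny sits after the last line, as on IOS.
    Returns (action, 1-based rule number or None, whether the line logs)."""
    for n, (action, proto, src, sport, dst, dport, flags) in enumerate(rules, 1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *src) or not wildcard_match(pkt.dst, *dst):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if "established" in flags and not pkt.ack:
            continue
        return action, n, "log" in flags
    return "deny", None, False


def constructed_samples():
    """Constructed inbound traffic as seen on the ISP-facing interface."""
    return {
        "bgp_syn_from_isp": Packet("tcp", ISP_PEER, OUR_EDGE, 40001, 179),
        "private_source":   Packet("udp", "192.168.1.1", "198.51.100.20", 5000, 53),
        "spoofed_own_pool": Packet("icmp", "198.51.100.7", "198.51.100.20"),
        "web_reply":        Packet("tcp", "192.0.2.10", "198.51.100.20", 443, 51000, ack=True),
        "unsolicited_ssh":  Packet("tcp", "192.0.2.10", "198.51.100.20", 12345, 22),
        "dns_reply":        Packet("udp", "192.0.2.10", "198.51.100.20", 53, 5353),
    }


def run_samples():
    rules = parse_acl(ACL_TEXT)
    return {name: evaluate(rules, p) for name, p in constructed_samples().items()}


if __name__ == "__main__":
    for name, (action, n, logged) in run_samples().items():
        print(f"{name:18} -> {action:6} rule {n}{' (logged)' if logged else ''}")
```

Rule order is what makes the anti-spoof line effective: the ICMP packet claiming a source inside the organisation's own pool hits that deny before it can reach `permit icmp any any`, and an inbound SYN without the ACK bit falls past `established` and lands on the logged deny, which is the line you would watch in the logs.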
05-25-2012 12:16 PM
Hello expert,
I got an issue: I have a site-to-site VPN between an SR520 and an RV042, and I would like to allow complete traffic between these two offices, or almost complete traffic, because behind the SR520 I have an IP PBX directly connected, and on the other site, the RV042, I have several remote IP extensions.
I've tried with an extended access-list between my LAN on the SR520 and the remote RV042 LAN, with no results.
How can I make this work?
Thank you very much, best regards!!!