06-10-2016 12:36 AM - edited 03-05-2019 04:12 AM
Doing a Lab and now I am on ACLs. What would be the standard and/or extended ACLs for my router with only 2 interfaces, gi0/1 (the side of my internal network) and gi0/0 (the side that connects to the internet)? I'm looking to secure my network the best that I can with only ACLs.
Thank you in advance!
06-10-2016 12:57 AM
Hi,
If you are specific about the security level where your router is connected to the internet, I suggest extended ACLs, because with extended ACLs you can permit or deny a specific TCP connection, whereas a standard ACL is more generic and allows or denies users based on IP addressing only!
Hope I have answered your query; please mark it as answered if you feel I did!
06-10-2016 12:13 PM
Thank you for the input Sanjay. I was looking for more specific extended ACLs rather than just use extended over standard. Anyone please add or correct me if I'm wrong but this is what I have so far:
On my gi0/0 interface (the same side as the internet) I have placed these extended ACLs and/or commands:
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any range 137 139
access-list 100 deny ip any any
!
On interface gi0/0 I will enter the command:
ip access-group 100 in
For my gi0/1 (internal network side) I plan to use private addresses in the range of 192.168.0.0-192.168.255.255 so I have placed these ACLs:
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip any any
!
On interface gi0/1 I will enter the command:
ip access-group 101 in
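Added example, not code from this thread or from Cisco: a small Python model of IOS first-match ACL evaluation, loaded with a copy of ACL 100 from the post above (with the typos corrected). It reports which line each sample packet hits, including that a TCP reply from an outside web server to an inside host is dropped by the final `deny ip any any`, because nothing earlier in the list permits return traffic. The packet dictionaries are constructed and use documentation address ranges.

```python
import ipaddress, re
ACL_100 = """
! constructed copy of ACL 100 from the post above (the inbound filter on gi0/0)
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any range 137 139
access-list 100 deny ip any any
"""

def parse_acl(text):
    """Return entries in configured order as (action, proto, src, dst, qualifier)."""
    entries = []
    for line in text.strip().splitlines():
        # Normalise the 'any' and 'host X' shorthands to explicit 'NETWORK WILDCARD' pairs.
        line = re.sub(r"\bany\b", "0.0.0.0 255.255.255.255", line)
        line = re.sub(r"\bhost (\S+)", r"\1 0.0.0.0", line)
        tok = line.split()
        if tok[:1] == ["access-list"]:       # skips '!' comments and other non-ACL lines
            entries.append((tok[2], tok[3], (tok[4], tok[5]), (tok[6], tok[7]), tok[8:]))
    return entries

def _addr_match(spec, ip):
    """Wildcard-mask compare: bits set to 1 in the wildcard are 'don't care' bits."""
    base, wild = (int(ipaddress.ip_address(x)) for x in spec)
    return (int(ipaddress.ip_address(ip)) & ~wild) == (base & ~wild)

def _qual_match(proto, qual, pkt):
    """Trailing qualifier: an ICMP type keyword, or 'eq PORT' / 'range LO HI' on the dest port."""
    if not qual:
        return True
    if proto == "icmp":
        return pkt.get("icmp_type") == qual[0]
    if qual[0] == "eq":
        return pkt.get("dport") == int(qual[1])
    return int(qual[1]) <= pkt.get("dport", -1) <= int(qual[2])

def evaluate(entries, pkt):
    """First match wins; a packet matching no entry hits the implicit deny (index -1)."""
    for i, (action, proto, src, dst, qual) in enumerate(entries):
        if proto in ("ip", pkt["proto"]) and _addr_match(src, pkt["src"]) and \
                _addr_match(dst, pkt["dst"]) and _qual_match(proto, qual, pkt):
            return action, i
    return "deny", -1
```

In IOS, replies to sessions opened from the inside are normally allowed with a `permit tcp any any established` line placed ahead of the deny lines, or with a reflexive ACL; without one, the list above blocks all inbound TCP, including web replies to internal hosts.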
06-14-2016 06:16 AM
You should secure your connection further.
In regard to ACLs, you could:
* drop special-use IPv4 addresses
* drop special-use IPv6 addresses (if using v6 as well)
* you should also only allow communication to known internal IP addresses