ACLs for My Lab

erkange005
Level 1

I'm doing a lab and now I am on ACLs. What would be the standard and/or extended ACLs for my router with only 2 interfaces, gi0/1 (the side of my internal network) and gi0/0 (the side that connects to the internet)? I'm looking to secure my network the best that I can with only ACLs.

Thank you in advance!

3 Replies

Sanjay S N
Level 1

Hi,

If you are specific about the security level where your router is connected to the internet, I suggest extended ACLs, because on extended ACLs you can permit or deny a specific TCP connection, whereas a standard ACL is more generic and allows or denies users based on IP addressing!!

Hope I have answered your query; please mark it as answered if you feel I answered your query!

Thank you for the input, Sanjay. I was looking for more specific extended ACLs rather than just using extended over standard. Anyone please add or correct me if I'm wrong, but this is what I have so far:

On my gi0/0 interface (the same side as the internet) I have placed these extended ACLs and/or commands:

access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any range 137 139
access-list 100 deny ip any any
!

On interface gi0/0 I will enter the command:

ip access-group 100 in

For my gi0/1 (internal network side) I plan to use private addresses in the range 192.168.0.0-192.168.255.255, so I have placed these ACLs:

access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip any any
!

On interface gi0/1 I will enter the command:

ip access-group 101 in
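To see what the two lists above actually do to traffic, here is a small evaluator (an added example, not code from the original post or from Cisco) that parses the numbered extended-ACL lines as written, applies Cisco wildcard-mask matching, and walks the entries top-down with first match wins and the implicit deny at the end. The sample packets and their addresses are constructed for the example. The last sample for list 100 shows the failure mode a defender wants to catch before applying it: because the final line denies all non-ICMP traffic, TCP replies to sessions started on the inside are dropped too. On IOS that is normally handled by a `permit tcp any any established` line (or a stateful inspection feature) placed before the denies.

```python
"""Evaluate numbered extended ACL lines against sample packets.

Supports the syntax used in the posted lists: protocol ip/tcp/udp/icmp,
source and destination as 'any' | 'host A' | 'A WILDCARD', an optional
'eq N' / 'range A B' destination-port match for tcp/udp, and an optional
ICMP type name. Evaluation is first-match, top-down, implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The two lists from the post (typos in the post's addresses corrected).
ACL_100 = """
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any range 137 139
access-list 100 deny ip any any
"""

ACL_101 = """
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip any any
"""


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # destination port for tcp/udp
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


def _parse_addr(tokens):
    """Consume one address spec; return (network, wildcard) as integers."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, wild


def _matches(addr, net, wild):
    """Cisco wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def parse_acl(text):
    """Return a list of (line, action, proto, src, dst, ports, icmp_type)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue  # skip '!' separators and anything else
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        ports = icmp_type = None
        if rest:                      # trailing qualifier after the destination
            if rest[0] == "eq":
                ports = (int(rest[1]), int(rest[1]))
            elif rest[0] == "range":
                ports = (int(rest[1]), int(rest[2]))
            elif proto == "icmp":
                icmp_type = rest[0]
        entries.append((line, action, proto, src, dst, ports, icmp_type))
    return entries


def evaluate(entries, pkt):
    """Return (action, matching line); the implicit deny if nothing matches."""
    for line, action, proto, src, dst, ports, icmp_type in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not _matches(pkt.src, *src) or not _matches(pkt.dst, *dst):
            continue
        if ports and (pkt.dport is None or not ports[0] <= pkt.dport <= ports[1]):
            continue
        if icmp_type and pkt.icmp_type != icmp_type:
            continue
        return action, line
    return "deny", "(implicit deny)"


if __name__ == "__main__":
    # Constructed samples arriving inbound on gi0/0 (list 100).
    samples = [
        Packet("icmp", "203.0.113.5", "198.51.100.1", icmp_type="echo"),
        Packet("tcp", "192.168.5.5", "198.51.100.1", dport=80),      # spoofed source
        Packet("tcp", "203.0.113.5", "198.51.100.1", dport=445),     # SMB probe
        Packet("tcp", "203.0.113.80", "192.168.1.10", dport=51000),  # web reply to inside host
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(parse_acl(ACL_100), pkt))
```

Run it as a script to print the verdict and matching line for each sample; the spoofed 192.168.5.5 source is caught by the bogon line, the port-445 probe by its explicit deny, and the web reply by the trailing `deny ip any any`.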

You should secure your connection further. 

In regards to ACLs, you could:

* drop special-use IPv4 addresses

* drop special-use IPv6 addresses (if using v6 as well)

* you should also only allow communication to known internal IP addresses
