12-18-2015 03:21 PM - edited 03-05-2019 02:58 AM
Hello;
I need some help on securing certain ports in/out of my network.
So I tried and tried and tried different configurations and different scenarios as far as my access-list goes, to allow only certain ports in and out.
What I would like to do on my outside interface is have only ports 7, 53, 80, 443, and 8080 allowed; whereas on my inside internal interface I would like to have ports 7, 21, 22, 23, 25, 53, 67, 80, 110, 123, 443, 1500, 1501, and 8080. Yes, I know ports by the back of my head, and these are the only ports I want to be allowed inside my interface so all my computers/servers can talk/share/ping/ftp etc. to each other.
Any ideas that could help ??
12-18-2015 08:33 PM
It was my fault. I kept copying and pasting. I changed the order of all the ports but forgot to change UDP. Let me tell you something: if you need to add a port, make sure that port is permitted above the deny, and also you need to change the order.
For example, I am adding port 25. Look at the location of 25. It is above the deny; it is also after the two "any" in the outbound list, but between the two "any" in the inbound list.
ip access-list extended filter-inbond
  permit udp any eq domain any
  permit icmp any any echo-reply
  permit tcp any eq www any   established
  permit tcp any eq 443 any   established
  permit tcp any eq 8080 any  established
  permit tcp any eq 25 any  established
  deny ip any any
 
ip access-list extended filter-outbond
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 25
 permit tcp any any eq 8080
 permit udp any any eq domain
 permit icmp any any  echo
 deny   ip any any
************************************************************
For internal to internal, you need to configure your switch. Follow step by step.
Connect to your switch by console. For more security, create a VLAN.
conf t
vlan 5
name mylan
put all active interfaces in vlan 5 and interface toward your router
shutdown all inactive interfaces
interface fa0/1
switchport access vlan 5
interface fa0/2
switchport access vlan 5
and repeat.
You can use a range, for example:
interface range fa0/1-10
switchport access vlan 10
access-list 101 permit tcp any any eq 80 
access-list 101 permit TCP any any eq 443 
access-list 101 permit tcp any any eq 8080 
access-list 101 permit tcp any any eq ftp 
access-list 101 permit tcp any any eq telnet 
access-list 101 permit tcp any any eq smtp 
access-list 101 permit tcp any any eq 22 
access-list 101 permit tcp any any eq pop3 
access-list 101 permit tcp any any eq 143 
access-list 101 permit tcp any any eq 1500 
access-list 101 permit tcp any any eq 1501 
access-list 101 permit udp any any eq 53 
access-list 101 permit udp any any eq ntp
access-list 101 permit icmp any any
vlan access-map LAN-CONTROL 10
match ip address 101
action forward
vlan access-map LAN-CONTROL 20
action drop
vlan filter LAN-CONTROL vlan-list 5
Check internet and connectivity.
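To show why the order and the position of "eq" matter in the accepted answer's inbound list, here is an added Python example (my code, not from the thread or from Cisco): a small first-match evaluator over the filter-inbond list above, run against constructed packets. The service-name table covers only the keywords used on this page.

```python
# Copy of the accepted answer's inbound list (comments are mine).
FILTER_INBOND = """
permit udp any eq domain any
permit icmp any any echo-reply
permit tcp any eq www any established
permit tcp any eq 443 any established
permit tcp any eq 8080 any established
permit tcp any eq 25 any established
deny ip any any
"""

# IOS port keywords that appear on this page (assumed subset, not the full IOS table).
NAMES = {"www": 80, "domain": 53, "smtp": 25, "ftp": 21, "telnet": 23, "pop3": 110, "ntp": 123}

def parse_entry(line):
    """Parse one extended-ACL entry: 'eq' after the first address is a SOURCE port,
    'eq' after the second address is a DESTINATION port."""
    tokens = line.split()
    rest = tokens[2:]
    entry = {"action": tokens[0], "proto": tokens[1], "established": "established" in rest,
             "icmp_type": None}
    ports = []
    i = 0
    while i < len(rest):
        if rest[i] == "any":
            port = None
            if i + 2 < len(rest) and rest[i + 1] == "eq":
                port = NAMES[rest[i + 2]] if rest[i + 2] in NAMES else int(rest[i + 2])
                i += 2
            ports.append(port)
        elif rest[i] in ("echo", "echo-reply"):
            entry["icmp_type"] = rest[i]
        i += 1
    entry["sport"], entry["dport"] = ports[0], ports[1]
    return entry

def evaluate(acl_text, pkt):
    """First matching entry wins, as on IOS; anything unmatched hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        e = parse_entry(line)
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        if e["established"] and not pkt.get("ack", False):
            continue  # 'established' only matches ACK/RST segments, i.e. return traffic
        if e["icmp_type"] and e["icmp_type"] != pkt.get("icmp_type"):
            continue
        return e["action"]
    return "deny"

# Constructed sample packets arriving on the outside interface (inbound direction).
PACKETS = {
    "dns reply":       {"proto": "udp", "sport": 53, "dport": 40000},
    "http reply":      {"proto": "tcp", "sport": 80, "dport": 51000, "ack": True},
    "unsolicited syn": {"proto": "tcp", "sport": 51000, "dport": 80, "ack": False},
    "ping reply":      {"proto": "icmp", "icmp_type": "echo-reply"},
}

def results(acl_text=FILTER_INBOND):
    """Return {packet name: action} so the effect of each entry is visible at once."""
    return {name: evaluate(acl_text, pkt) for name, pkt in PACKETS.items()}
```

Swapping the deny to the top of the list and re-running results() shows every packet denied, which is the ordering mistake the answer describes.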
12-18-2015 08:35 PM
You're welcome. Give me your feedback.
12-18-2015 03:25 PM
Duplicate post.
12-18-2015 03:27 PM
On my side it's new. New discussion, what I'm looking at over here; I just cleared my profile notifications. Good over here.
12-18-2015 03:30 PM
Hello,
What do you mean by inside and outside? Specify the direction.
Inside to outside: which ports?
Outside to inside: which ports?
Inside to inside: do you need any control?
12-18-2015 03:37 PM
Outside interfaces:
  FastEthernet0 - Out to the Internet only (WWW,DNS,WWW2,HTTPS,ECHO)
Inside interfaces:
  FastEthernet1 - Inside to everyone
inside to outside which ports - 7, 53, 80, 443, 8080
outside to inside which ports - 7, 53, 80, 443, 8080
inside to inside - 7, 21, 22, 23, 25, 53, 67, 80, 110, 123, 143, 443, 1500, 1501, and 8080
12-18-2015 03:46 PM
Let's try this one. This access-list allows only connections which are initiated from inside.
Try this one at first. Then we will go for the inside to inside.
ip  access-list extended filter-outbond
permit tcp any any eq 80 reflect CHECK-TRAFFIC
permit udp any any eq 53 reflect CHECK-TRAFFIC
permit TCP any any eq 443 reflect CHECK-TRAFFIC
permit tcp any any eq 8080 reflect CHECK-TRAFFIC
permit icmp any any eq echo
Deny ip any any
ip access-list extended filter-inbound
permit icmp any any eq echo-reply
evaluate  CHECK-TRAFFIC
Deny ip any any
interface fa0
ip access-group filter-inbound in
ip  access-group filter-outbond out
12-18-2015 04:02 PM
That's a negative on that configuration; even with my test computer's firewall disabled, still no access to the network.
!
ip access-list extended filter-inbound
 evaluate CHECK-TRAFFIC
 deny   ip any any
 permit icmp any any echo
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit udp any any eq domain reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 deny   ip any any
interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbound in
 ip access-group filter-outbound out
12-18-2015 04:37 PM
Make sure you tested the new one. I had some spelling mistakes. I fixed them.
12-18-2015 04:37 PM
edited
12-18-2015 04:39 PM
You changed the order and removed a command. Remove all the previous ones and add this one.
Try ping and browse.
ip access-list extended filter-inbond
  permit udp any eq domain any 
  permit icmp any any echo-reply
  evaluate CHECK-TRAFFIC
  deny ip any any
 
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 permit udp any any eq domain
 permit icmp any any  echo
 deny   ip any any
interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out
Give your feedback. What is your IOS version? If it does not work, I will give you another one.
12-18-2015 04:39 PM
LMAO!!!! I'm sorry, I'm just bugging on how this isn't working; what you posted in the previous msg didn't work, so I thought about it and tried vice versa, still didn't work; but once all is removed I'm back on the net.
version 12.4
Please keep them coming, I got all night lmao!!!!!!!!
12-18-2015 04:52 PM
I had a spelling mistake. Remove them all and try. I edited my post.
ip access-list extended filter-inbond
  permit udp any eq domain any 
  permit icmp any any echo-reply
  evaluate CHECK-TRAFFIC
  deny ip any any
 
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 permit udp any any eq domain
 permit icmp any any  echo
 deny   ip any any
interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out
12-18-2015 04:52 PM
Hey, this is strange;
As I was removing them one by one I was watching my network center; once I removed all the inbound rules, I have internet access. See configuration:
ip access-list extended filter-inbound
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 permit udp any any eq domain
 permit icmp any any echo
 deny   ip any any
interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbound in
 ip access-group filter-outbound out
12-18-2015 05:09 PM
Listen to me.
Remove them all. If you check the bold part, you will see I had a spelling mistake.
no ip access-list extended filter-inbound
no ip access-list extended filter-outbond
interface FastEthernet0
no ip access-group filter-inbound in
no  ip access-group filter-outbound out
Then this one.
***************************
ip access-list extended filter-inbond
  permit udp any eq domain any 
  permit icmp any any echo-reply
  evaluate CHECK-TRAFFIC
  deny ip any any
 
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 permit udp any any eq domain
 permit icmp any any  echo
 deny   ip any any
interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out
12-18-2015 05:09 PM
Nope, didn't work with that reposted configuration. What I saw in my network center was that I was connected to the internet, but when I try to access a website it states "This page can't be displayed", even with the firewall on my computer disabled.