Thanks in advance for any suggestions or comments.

I am redesigning a small network and I need some help with my ACL's.

The topology of the network is as follows, outside world ->  cable modem (WAN) -> cisco 1900 series router -> switch -> LAN

I'm placing the entire internal LAN behind a NAT that is applied to the Cisco WAN side connection (GigabitEthernet0/0).  

This port on the router (GigabitEthernet0/0) is configured routed to the gateway of the cable modem. The IP address range corresponds to the IP block assigned by the ISP. This interface has ip nat outside and is assigned   access-list 100 (in) and access-list 101 (out) .

interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.240
 ip access-group 100 in
 ip access-group 101 out
 ip nat outside
 no ip virtual-reassembly in
 duplex auto
 speed auto


The second port on the router (GigabitEthernett0/1) is configured for the internal LAN behind the NAT. It is set to ip nat inside. This interface has ip nat outside and is assigned   access-list 102 (in) and access-list 103 (out) .

interface GigabitEthernet0/1
 ip address 192.168.x.x 255.255.255.0
 ip access-group 102 in
 ip access-group 103 out
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled

Cisco inserted the " ip virtual-reassembly in" . I must say I'm new at this, read a little.  Anyone care to comment on it's impact and need?

The NAT is overloaded on the WAN side interface.

    ip nat inside source list 1 interface GigabitEthernet0/0 overload

There are a number of public Web servers inside the NAT which have to serve the outside. Static routes are assigned to these servers and ports like:

    ip nat inside source static tcp 192.168.x.x 80 x.x.x.x 80 extendable

Everything is working on the LAN side with the entire network able to see the Internet over the NAT and the Web servers have connections to the outside world using their public IP addresses.

I am ready to begin locking the network down and I have some questions about how best to do this in this type of configuration. I know that outside world connections coming into the WAN interface should have their IP addresses processed through the ACLs before being translated by the NAT. I'm going to want to restrict a large amount of traffic at the WAN side while still allowing connectivity to the Web servers on the inside and preventing internal LAN from being exposed to the outside world. I also need to limit certain types of activities within the LAN itself.

First, some antispoofing questions. Since the entire LAN is behind the NAT I use the WAN side interface ACL inbound for this?

(from cisco)

access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any

*deny ip <your company subnet> <wildcard mask of your company subnet> any
 this needs the outside address right? The network assigned to GagabitEthernet0/0. So:

access-list 100 deny ip primaryWANaddress  255.255.255.240 any

access-list 100 permit ip any primaryWANaddress 255.255.255.240

I want to lock down all unwanted incoming traffic on the WAN side while allowing normal web traffic to/from the Web servers. So first I need to permit normal Web server traffic to get past the WAN interface and into the NAT

access-list 100 permit tcp any host publichostip eq www               (one entry for each server behind the NAT)

I'm assuming no NAT has taken place yet, so I use the domain names public IP. Correct?

I need to allow router monitoring from specific outside locations:

access-list 100 permit icmp host outside-ip host router-ip echo
access-list 100 permit udp icmp host outside-ip host router-ip  eq snmp
access-list 100 permit icmp host outside-ip host router-ip  eq snmptrap

Next I want to deny certain services from the outside world:

access-list 100 deny   tcp any any eq telnet
access-list 100 deny   tcp any any eq smtp
access-list 100 deny   tcp any any eq 69
access-list 100 deny   tcp any any eq ftp
access-list 100 deny   icmp any any echo
access-list 100 deny   udp any any eq echo
access-list 100 deny   udp any any range 135 netbios-ss
access-list 100 deny   tcp any any eq finger
access-list 100 deny   tcp any any eq gopher
access-list 100 deny   tcp any any eq cmd
access-list 100 deny   tcp any any eq pop2
access-list 100 deny   tcp any any eq lpd
access-list 100 deny   tcp any any eq 389
access-list 100 deny   tcp any any range 135 139
access-list 100 deny   tcp any any eq nntp
access-list 100 deny   tcp any any eq 3389
access-list 100 deny   tcp any any eq in
access-list 100 deny   tcp any any eq exec
access-list 100 deny   tcp any any eq kin
access-list 100 deny   tcp any any eq kshell
access-list 100 deny   udp any any eq snmp
access-list 100 deny   udp any any eq snmptrap

*access-list 100 deny   tcp any any eq www *** would this block normal return traffic to the LAN?

(What else can I safely block here?)

followed by

access-list 100 permit ip any any

This approach should allow web server traffic only into the the webservers on the LAN while denying certain types of traffic except as expressly permitted from specific locations. Then let everything else through to the NAT.

A question about TFTP (access-list 100 deny  tcp any any eq 69). I don't want to lock myself out of the router from an external management link that needs to upload or download a file. However since this is applied to the incoming on the WAN side port this would block traffic off the network from trying to initiate a TFTP session but still allow a workstation on the internal LAN to connect to the router at the LAN side network address. That connection would never cross the NAT in the first place right? I can already connect and communicate using the LAN side router address. For now I don't need to connect off network.

With regards to DNS, how do I restrict inbound DNS request queries from the WAN without interfering with normal two way traffic from behind the NAT?  All LAN side requests (from behind the NAT)  need for the response to make it back though. So you can't really block by port alone, right? I would like to control what DNS servers on the outside can be queried from behind the NAT, while pretty much denying all other DNS traffic inbound. Whats the best way to handle this?

One solution was:

access-list 100 permit ip host DNS1IP any log
access-list 100 permit ip host DNS2IP any log

but then that opens the door for any kind of traffic from those IP addresses into the network. There has to be a better solution. I found this at donelan dot com, however this was designed to allow queries both ways:

access-list 100 deny   icmp any any fragements
access-list 100 permit icmp host <Router> any packet-too-big
access-list 100 permit icmp host <DNS Server> any echo-reply
access-list 100 permit icmp host <DNS Server> any port-unreachable
access-list 100 permit udp host <DNS Server> any fragments
access-list 100 permit tcp host <DNS Server> any fragments
access-list 100 permit udp host <DNS Server> eq domain any
access-list 100 permit tcp host <DNS Server> eq domain any
access-list 100 permit udp host <DNS Server> gt 32767 any eq domain
access-list 100 permit tcp host <DNS Server> gt 32767 any eq domain

Any help here would be appreciated. In short, I want all DNS initiated from the LAN to the outside, but prevent any traffic initiated from WAN to LAN (except LAN responses).


As for the outbound on the WAN side... what would I want to restrict here? Anything? Or should this be handled on the LAN outbound? Since everything is behind the NAT, wouldn't it just cause duplicate ACL comparisons that would unnecessarily degrade router performance?

Likewise, as for the LAN side -- With all traffic being natted and a WAN side input ACL, is there any need for a LAN side inbound ACL? The only use I see for this have is controlling certain types of inter-communication activities between devices on the LAN behind the NAT right?

Filtering outbound LAN traffic - I want to restrict/control certain type of outbound activity off the LAN to the outside world.

Which computers on the LAN can have Internet Access (one per host)

access-list 103 permit tcp host LANhostip any eq www
access-list 103 permit tcp host LANhostip any eq www
access-list 103 permit tcp host LANhostip any eq www
access-list 103 deny tcp any any eq www log

Which computers on the LAN can initiate POP traffic and to where: (one per host)

access-list 103 deny tcp any any eq pop2
access-list 103 permit tcp host LANhostip host mailproviderip eq pop3
access-list 103 permit tcp host LANhostip host mailproviderip eq pop3
access-list 103 permit tcp host LANhostip host mailproviderip eq pop3
access-list 103 deny tcp any any eq pop3


Which computers on the LAN can initiate smtp traffic and to where: (one per host)

access-list 103 permit tcp host LANhostip host mailproviderip eq smtp
access-list 103 permit tcp host LANhostip host mailproviderip eq smtp
access-list 103 permit tcp host LANhostip host mailproviderip eq smtp
access-list 103 deny tcp any any eq  smtp

Which computers on the LAN can initiate FTP traffic:

access-list 103 permit tcp host LANhostip host mailproviderip eq ftp
access-list 103 permit tcp host LANhostip host mailproviderip eq ftp
access-list 103 permit tcp host LANhostip host mailproviderip eq ftp
access-list 103 deny tcp any any eq  ftp


FTP data traffic initiated behind the LAN
access-list 103 permit tcp any eq ftp-data any

or maybe:
access-list 103 permit tcp any eq ftp-data host LANIP

and then let all other traffic pass

access-list 103 permit ip any any

Thats all for now. Thanks again in advance for any suggestions or comments.