Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
450
Views
0
Helpful
4
Replies

Securing Router with ACL ?????

afzaalq007
Level 1
Level 1

‎06-02-2007 02:12 AM - edited ‎03-03-2019 05:16 PM

Hi Dear Frinds.

Most probabaly Our Apnic membership will be over next week. So our BGP AS number will bi disabled. for time duration we renew or membership.

So i want to ask we are using preifix list for our gatway router to secure it on internet.

Now we have only one option for the time being that we will use Static routes with our UP Stream. and secure our router with ACL.

How can i do that plz paste ad template of confug example. and any helping DOc.

Thanks and Regards

Afzaal Qadir

Labels:
0 Helpful
4 Replies 4

mohammedmahmoud
Level 11
Level 11

‎06-02-2007 02:28 AM

Hi Afzaal,

As far as i can understand, you mean that you are using prefix-list to filter BGP routes.

To use static routing rather than BGP, just on your router using default route to your provider and then using static routes on your provider side to return back the traffic to the LAN ips your provider supplied to you is what you need to do routing, prefix-list is of no use here.

Using ACL on the internet interface is always used to secure your network whether you are using your IPs or your provider IPs, ACL are packet filtering mechanisms used to filter unwanted packets.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

0 Helpful

afzaalq007
Level 1
Level 1
In response to mohammedmahmoud

‎06-02-2007 06:19 AM

Hi

Thanks for the Ans and suggestions.

I will implement this ACL My BGP and AS number will be invalid for us. and when we use Static routes to our Upstram service provider.

10 deny ip 127.0.0.0 0.255.255.255 any

20 deny ip 10.0.0.0 0.255.255.255 any

30 deny ip 172.16.0.0 0.15.255.255 any

40 deny ip 192.168.0.0 0.0.255.255 any

50 deny ip 169.223.0.0 0.0.255.255 any

60 deny ip 211.255.0.0 0.0.31.255 any

70 permit ip any any

kindly Suggest If u think there shoul bi any improvment is requird . I wll welcome it and apprictae. it

Thanks in advance for suggestion.

Afzaal Qadir.

0 Helpful

mohammedmahmoud
Level 11
Level 11
In response to afzaalq007

‎06-02-2007 06:25 AM

Hi Afzaal,

Perfect, and you might want to deny some suspicious ports according to your needs (always make sure that you are not denying ports that your applications or user need, and always make sure that the permit any any is there in the end of your ACL):

example:

access-list x deny tcp any any eq 4444

access-list x deny udp any any eq 1433

access-list x deny udp any any eq 1434

access-list x deny tcp any any eq 1433

access-list x deny tcp any any eq 1434

access-list x deny tcp any any eq 135

access-list x deny udp any any eq 135

access-list x deny udp any any eq netbios-ns

access-list x deny udp any any eq netbios-dgm

access-list x deny tcp any any eq 139

access-list x deny udp any any eq netbios-ss

access-list x deny tcp any any eq 445

access-list x deny udp any any eq 445

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card