Access-list

Hi there,

I'm trying to protect my network using an access-list. What's inside are gatekeepers and a billing system plus some other services, but by using the below access-list it won't work if my last statement says deny ip any any. What am I doing wrong, please? Please note this access-list has been applied at the WAN interface as inbound. Obviously I have to allow some extra traffic through, but I'm not sure what protocols to allow without compromising the security.

access-list 100 deny udp any eq netbios-ns any
access-list 100 deny udp any eq netbios-dgm any
access-list 100 deny udp any eq netbios-ss any
access-list 100 deny tcp any eq 139 any
access-list 100 deny tcp any eq 1433 any
access-list 100 deny tcp any eq 1434 any
access-list 100 deny tcp any eq 135 any
access-list 100 deny tcp any eq 4444 any
access-list 100 permit tcp any eq 443 any
access-list 100 permit tcp any eq domain any
access-list 100 permit tcp any eq 1720 any
access-list 100 permit ip any any
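In the list above every `eq` sits between the source and the destination, so each line matches the port a packet came from, not the port it is going to. With `permit ip any any` at the end that goes unnoticed; with `deny ip any any` at the end, only packets sourced from tcp/443, tcp/53 or tcp/1720 get in, and everything else the LAN started is dropped on the way back: UDP DNS replies (answers arrive from udp/53, and only TCP domain is permitted), ICMP, and any other protocol. The source-port permits also carry a risk of their own, because an outside host can reach any inside port simply by sending from port 443. The following is an added example of how an inbound WAN list is usually written, not the poster's configuration and not from the thread: return traffic is admitted with `established`, published services are permitted by destination address and port, and the closing deny logs what it drops. The ACL name, the interface name and the 203.0.113.x addresses are placeholders.

```cisco
! Added example, not the poster's configuration.
! ACL name, interface and 203.0.113.x addresses are placeholders.
ip access-list extended WAN-IN
 remark Return traffic for TCP sessions opened from the inside
 permit tcp any any established
 remark UDP DNS replies from outside resolvers to inside stub resolvers
 permit udp any eq domain any gt 1023
 remark ICMP replies needed for path MTU discovery and troubleshooting
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Services published to the outside, matched on DESTINATION port
 permit tcp any host 203.0.113.10 eq 443
 remark H.323 gatekeeper: RAS registration (udp/1719) and call setup (tcp/1720)
 permit udp any host 203.0.113.20 eq 1719
 permit tcp any host 203.0.113.20 eq 1720
 remark Everything else is dropped and logged
 deny ip any any log
!
interface Serial0/0
 description WAN uplink (placeholder)
 ip access-group WAN-IN in
```

Apply it, then watch `show access-lists WAN-IN` and the log entries from the final deny: the hit counts show exactly which return traffic is still missing before anything further is opened. H.323 media (RTP) uses ports negotiated per call, so a static list cannot cover it; IOS 12.2 stateful inspection (`ip inspect`, CBAC) applied outbound on the WAN interface opens those return paths dynamically and also replaces the `established` and DNS-reply lines with proper session tracking, which is preferable since `established` only checks TCP flags.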

2 Replies

bwilmoth
Level 5

Create access lists for each protocol you wish to filter, per router interface. For some protocols, you create one access list to filter inbound traffic, and one access list to filter outbound traffic.

To create an access list, you specify the protocol to filter, you assign a unique name or number to the access list, and you define packet filtering criteria. A single access list can have multiple filtering criteria statements.

http://cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm

I've got this doc and do understand what's required, i.e. what to filter and where to apply them, but my question was: why, when I apply my list with deny ip any any, do I lose the connection to the internet? Any idea what's missing from the list? Maybe I need to draw a LAN/WAN map and explain to you what I'm trying to protect; please let me know if that's needed.