CISCO ACCESS-LIST SAMPLES AND HOW TO's

Here is a typical access-list for a network ip address I was responsible for 203.92.83.0

*********************Here it starts *********************

! Deny anything that is fake IP's and broadcasts and such
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 224.0.0.0 7.255.255.255 any log
access-list 101 deny   ip host 0.0.0.0 any log

! Deny somebody faking my ip address called "spoofing" also
access-list 101 deny   ip 203.92.83.0 0.0.0.255 any log

! Deny somebody faking to be my router
access-list 101 deny   ip host 203.125.158.254 any log

! Deny all sensitive ports SMB NMB NFS X-windows VNC
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny udp any any range 135 139 log
access-list 101 deny tcp any any eq 2000 log
access-list 101 deny tcp any any eq 2001 log
access-list 101 deny tcp any any eq 6000 log
access-list 101 deny tcp any any eq 6001 log
access-list 101 deny tcp any any range 5900 5910 log
access-list 101 deny tcp any any range 5800 5810 log

! Deny telnet/finger access to router or to anyone
access-list 101 deny tcp any any eq telnet log
access-list 101 deny tcp any any eq finger log

 

! Allow only tcp packets to our network that are not SYN :
! sort of like iptables -A INPUT -J DROP !--syn
access-list 101 permit tcp any 203.92.83.0 0.0.0.255 gt 1023 established

! ICMP specific ones allow what should be allowed read
!
http://www.iana.org/assignments/icmp-parameters and decide
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 0  ! net-unreachable
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 1  ! host-unreachable
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 3  ! port-unreachable
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 4  ! packet-too-big
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 13 ! administratively-prohibited
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 4    ! source-quench
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 11 0 ! ttl-exceeded
!
! Allow smtp traffic to http, smtp, pop3 to my hosted servers 8 of them only:
!
access-list 101 permit tcp any 203.92.83.200 0.0.0.7 eq smtp
access-list 101 permit tcp any 203.92.83.200 0.0.0.7 eq http
access-list 101 permit tcp any 203.92.83.200 0.0.0.7 eq pop3

! Allow incoming dns traffic to name servers only:
! Note: Probably best to limit tcp domain traffic to specific servers.
!
access-list 101 permit tcp any host 203.92.83.199 eq domain log
access-list 101 permit tcp any host 203.92.83.159 eq domain log
access-list 101 permit udp any host 203.92.83.199 eq domain
access-list 101 permit udp any host 203.92.83.159 eq domain

! Should we allow FTP active transfer you decide
access-list 101 permit tcp any eq 20 203.92.83.0 0.0.0.255 gt 1023
!
! Deny ident but be nice to let the other guy now that you are rejecting him
access-list 101 deny   tcp any any eq 113
!
! Deny everything else
access-list 101 deny   ip any any log
!
! End of access-list 101 for external interface if you havent


! Add this to external interface of screening router config-if-atm0 for e.g.,:
!
no ip directed-broadcast
no ip proxy-arp
no ip unreachables     ! Don't send icmp for denied items in access-list.
ntp disable
!
! Apply access list to external interface:
!
ip access-group 101 in
!
! Use this command if you want to see denied hosts while
! logged into the router. Use command:
! "show ip accounting access-violations"
!
! ip accounting access-violations

 

!
! Make sure the telco techniciand didnt mess up any settings for password encryption etc.
!
service password-encryption
service linenumber
no cdp run
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip source-route
no ip bootp server
no ip http server
no ntp master
no ip domain-lookup
no logging console
logging buffered
! Cisco NTP stuff
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
clock timezone SGT +8            ! My timezone.

ntp source eth0                   
ntp update-calendar
ntp server 203.92.83.68       
logging 203.92.83.68

! Make SNMP read only from our internal server linux box
snmp-server community secret RO 21
snmp-server trap-authentication
snmp-server enable traps config
snmp-server enable traps frame-relay
snmp-server host 203.92.83.68 secret
! SNMP control to my box
access-list 21 permit 203.92.83.68


SFX Logo SFX Logo