Security Basics mailing list archives

RE: Cisco ACL Question


From: "Mann, Bobby" <bmann () forzani com>
Date: Wed, 11 Jun 2003 10:39:47 -0600

 

Someone is just using packet filtering on the router.  It looks like someone
is trying to allow reverse traffic back to the originator.
This is not good.

It would be better if you were to deploy CBAC or reflexive access-lists.
This way reverse traffic is automatically entered into the ACL.   

The outgoing traffic from your office to the Internet should be restricted
to what you need.  Example:

ip access-list extended ACL_INSIDE
 remark office hosts out to the Internet: web, HTTPS and DNS only
 permit tcp 10.0.0.0 0.255.255.255 gt 1023 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 gt 1023 any eq 443
 permit udp 10.0.0.0 0.255.255.255 gt 1023 any eq 53


Incoming traffic to your mail server and web server if you have one should
look something like. (Not complete)

ip access-list extended ACL_OUTSIDE
 remark drop packets arriving from the Internet with reserved or private source addresses
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 128.0.0.0 0.0.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip 240.0.0.0 15.255.255.255 any log
 deny ip 0.0.0.0 0.255.255.255 any log
 remark drop ICMP redirects and packets spoofing your own address space
 deny icmp any any redirect log
 deny ip (your Public IP address space) any log
 remark then permit only the published services on the specific hosts
 permit tcp any gt 1023 host 2.2.2.2 eq 80
 permit tcp any gt 1023 host 3.3.3.3 eq 25
 permit udp any gt 1023 host 4.4.4.4 eq 53

If you don't have a license for the firewall feature set then use reflexive
access-lists.  But I recommend buying the firewall feature set and a support
contract to download all the updates.  Depending what your needs are a Cisco
1710 is a cool little box.  If you don't need routing you can get the PIX
500 series if performance is not an issue.

Go to the following links and read them over.

CBAC

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Software:Cisco_IOS_Firewall&s=Implementation_and_Configuration

Reflexive

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9817.html



Bob.
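As an added example, not part of Bob's reply or the original post, here is what the two lists above look like once reflexive access lists are used for the return traffic instead of a static "permit udp any ... gt 1023". The lists are applied on the Internet-facing interface: the outbound list records each permitted session with "reflect", and the inbound list admits replies with "evaluate". The interface name Serial0/0, the reflexive list names TCP_REFLECT and UDP_REFLECT, and the timeout values are assumptions; the 10.0.0.0/8 inside range and the 2.2.2.2 web server are taken from the reply.

```cisco
! Added example (assumptions: Serial0/0 is the Internet uplink, the
! reflexive list names and timeouts are illustrative).
!
! Idle timeout for reflexive entries that have no per-entry timeout.
ip reflexive-list timeout 120
!
ip access-list extended ACL_INSIDE
 remark Office to Internet. Each permit records the session in the
 remark named reflexive list so only its reply is admitted inbound.
 permit tcp 10.0.0.0 0.255.255.255 any eq 80 reflect TCP_REFLECT
 permit tcp 10.0.0.0 0.255.255.255 any eq 443 reflect TCP_REFLECT
 permit udp 10.0.0.0 0.255.255.255 any eq 53 reflect UDP_REFLECT timeout 30
 remark Everything else from inside is dropped and logged.
 deny ip any any log
!
ip access-list extended ACL_OUTSIDE
 remark Spoofed and private sources first.
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 remark Published services on specific hosts.
 permit tcp any gt 1023 host 2.2.2.2 eq 80
 remark Replies to sessions recorded by ACL_INSIDE. These entries are
 remark temporary and match only the reversed addresses and ports.
 evaluate TCP_REFLECT
 evaluate UDP_REFLECT
 remark Nothing else from the Internet gets in; this replaces the
 remark static "permit udp any <inside> gt 1023" line.
 deny ip any any log
!
interface Serial0/0
 description Internet uplink (assumed interface name)
 ip access-group ACL_INSIDE out
 ip access-group ACL_OUTSIDE in
```

Order matters because an extended ACL is first-match: the "evaluate" lines sit after the explicit server permits and before the final deny, so an unsolicited UDP packet from the Internet to an inside host on port 1024 or above now hits "deny ip any any log" unless an inside host sent the matching request first. A reflexive TCP entry is removed when the router sees the session close (two FINs or an RST) or when it idles past the timeout; UDP entries rely on the timeout alone, hence the short 30 seconds on DNS. Reflexive lists only follow the single session they recorded, so protocols that open a second connection from the far end (active-mode FTP, for example) still need the CBAC inspection Bob recommends, or passive-mode clients.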

 
-----Original Message-----
From: noconflic
To: security-basics () securityfocus com
Sent: 6/10/03 4:48 PM
Subject: Cisco ACL Question

Hello, 

   I have a question about the following inbound Cisco ACL entry...

      access-list 100 permit udp any X.X.X.0 0.0.0.255 gt 1023

 From what I understand so far, this entry is required for normal
outbound ftp, tftp, dns, and traceroute traffic. It has been suggested
that one should specifically add deny rules for common UDP ports above
that range. My question: I am looking for suggestions to make that more
restrictive? What problems would there be with other hosts on the LAN if
the entry was removed?

Thanks, 

-CH 

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------


