Security Basics mailing list archives

RE: Re: Re: router access control list


From: "Erick Jensen" <ejensen () vibrant com>
Date: Wed, 1 Nov 2006 23:20:15 -0600

Here we go..... (fighting the horrible flashbacks from my CCNA classes)

From the global config mode, enter these lines.
router#config t
router(config)#access-list 101 permit tcp any any eq www
router(config)#access-list 101 permit tcp any any eq 3390
router(config)#access-list 101 permit tcp any any eq 3389
router(config)#access-list 101 permit tcp any any eq ftp
router(config)#access-list 101 permit tcp any any eq ftp-data
router(config)#access-list 101 permit tcp any any eq pop3
router(config)#access-list 101 permit tcp any any eq smtp
(as you can see, you can use a port number or a word; hit the ? to see what words are usable)
router(config)#end
router#


We don't need a "deny" statement, because everything that does NOT match those lines will be dropped.  Instead of 101, 
you can use any number between 100-199 and 2000-2699, as long as you stick with that number.

There is also another line...
router(config)#access-list 101 permit tcp any any established
This is supposed to allow established HTTP links to pass; it's probably worth throwing into the list.

When you have your list complete you need to apply it on the interface.  The following command will only allow those 
ports to come IN.
router(config)#interface atm0
router(config-if)#ip access-group 101 in
router(config-if)#end
router#

Here's your problem now: you must manually open up each port.  If someone needs to run AIM, that's blocked.  If 
somebody has an IMAP account to access, that's blocked.  If someone accesses a website that is not running on port 80, 
let's say 8080 (it happens), that's blocked.  And HTTPS as well!  This is why a firewall with stateful packet 
inspection is much more useful in these situations.

Use the "show access-list" command to double check it when you are done.  Be sure to back that up too!

-----Original Message-----
From: listbounce () securityfocus com on behalf of apaez1084 () gmail com
Sent: Wed 11/1/2006 10:19 AM
To: security-basics () securityfocus com
Subject: Re: Re: Re: router access control list
 
Ok, now that I got and read and learned all this, I need one last push. I think I can do this on my own. 

I need to allow only ports 3390 and 3389 from coming in, and also HTTP, email and FTP. I'm going to be placing it on the ATM0 
interface because, from what I read, that is going to be where the packets are going to be coming in. 
What would be my access list command? 

Just one last push guys, please. 

Thank you

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
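A toy model of the evaluation rules the ACL above relies on, added here as an example; it is not part of the list post and is not Cisco IOS code. It reproduces three documented IOS behaviours: entries are checked top to bottom and the first match wins, anything unmatched hits the implicit "deny ip any any", and "established" matches only TCP segments with ACK or RST set (reply traffic of sessions hosts behind the router opened themselves). The Pkt, Rule and evaluate names and the sample packets are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    """One inbound packet as the ACL on atm0 sees it (constructed test input)."""
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    ack: bool = False     # TCP ACK flag set
    rst: bool = False     # TCP RST flag set


@dataclass(frozen=True)
class Rule:
    """One 'access-list 101 ...' entry: action, protocol, optional 'eq' port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any IP protocol)
    eq: Optional[int] = None     # destination port, e.g. 'eq www' is 80
    established: bool = False    # IOS 'established': TCP with ACK or RST set

    def matches(self, p: Pkt) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.eq is not None and p.dport != self.eq:
            return False
        if self.established and not (p.proto == "tcp" and (p.ack or p.rst)):
            return False
        return True


def evaluate(acl: list, p: Pkt) -> str:
    """Top-down, first match wins; no match falls to the implicit 'deny ip any any'."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# access-list 101 as posted: www, 3390, 3389, ftp, ftp-data, pop3, smtp ...
ACL_101 = [Rule("permit", "tcp", eq=port) for port in (80, 3390, 3389, 21, 20, 110, 25)]
# ... and the same list with the 'permit tcp any any established' line appended.
ACL_101_WITH_ESTABLISHED = ACL_101 + [Rule("permit", "tcp", established=True)]

if __name__ == "__main__":
    # Reply from an HTTPS server to a session a user opened: src port 443, ACK set,
    # ephemeral destination port. Dropped without 'established', passed with it.
    reply = Pkt("tcp", 51515, ack=True)
    print("https reply, no established:  ", evaluate(ACL_101, reply))
    print("https reply, with established:", evaluate(ACL_101_WITH_ESTABLISHED, reply))
    # A UDP DNS reply matches nothing in either list and is silently dropped.
    print("dns reply (udp):              ", evaluate(ACL_101_WITH_ESTABLISHED, Pkt("udp", 53123)))
```

The UDP case is the "you must manually open up each port" problem from the post in miniature: the TCP-only "established" line does nothing for UDP replies, which need their own entries.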
