Security Basics mailing list archives

RE: router access control list


From: "Erick Jensen" <ejensen () vibrant com>
Date: Mon, 23 Oct 2006 23:24:01 -0500

I'm not going to write out the lines here, that would be much too long, but I'll give you a start. Teach yourself the 
ACLs, it's worth it if you have to work with the routers!
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swacl.htm (that link is from the 2950 guide, 
but the syntax is the same in all Cisco IOS)

You need to research the "extended ACL"; that will give you control of the ports or services. The standard ACL only 
gives you control over the destinations/sources. I would recommend you identify the IPs of the remote access computers 
and allow those IPs and ports only. Don't just open up the ports to the world. Yes, this will be a lengthy process, 
but it is necessary. When you finish all that, remember to back it up! In the future you can edit it in Notepad and 
load the txt file on the router instead of line after line (copy+paste = win!).

Next you need to learn NAT, or more specifically PAT.
http://www.cisco.com/warp/public/556/nat-cisco.shtml
That will translate your addresses to 'hide' the internal addresses. It was designed for conservation of addresses, 
not security - keep that in mind. Use PAT, it will be much less of a headache to troubleshoot: 1 address for the 
whole network behind it, much easier.

This sounds like something you should know, if your new job depends on it.  There are so many resources out there, 
wiki, cisco.com, message boards, etc.

Let us know if you have troubles, good luck!

Erick
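As an added illustration of the two pieces Erick points at (an extended ACL that admits only the known remote-access clients on their ports, and PAT with one public address for the LAN), here is a constructed IOS configuration. It is not from Erick's reply or from Cisco's documentation. Every address is an RFC 5737/1918 placeholder, the internal desktops and remote clients are assumptions, and the interface names (Ethernet0 inside, Dialer0 outside) are assumed; on an 827 the DSL side is ATM0 with a dialer, so adjust to what `show ip interface brief` reports.

```cisco
! Added example, not from the original post. Constructed values:
!   LAN 192.168.1.0/24 on Ethernet0, WAN on Dialer0 (assumed interface names)
!   remote-access clients 203.0.113.10 and 203.0.113.20 (documentation addresses)
!   internal desktops 192.168.1.5 and 192.168.1.6 (assumed)
!
! --- PAT: the whole LAN shares the Dialer0 address ("overload") ---
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
! Static port mappings: outside 3389 -> desktop A, outside 3390 -> desktop B.
! Both desktops listen on 3389 internally; only the public port differs.
ip nat inside source static tcp 192.168.1.5 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.6 3389 interface Dialer0 3390
!
! --- Inbound from the Internet: named clients only, each to its own port ---
! IOS checks the inbound ACL on the outside interface before NAT, so the
! destination seen here is the public Dialer0 address, written as "any".
ip access-list extended OUTSIDE-IN
 remark each remote-access client may reach only its mapped port
 permit tcp host 203.0.113.10 any eq 3389
 permit tcp host 203.0.113.20 any eq 3390
 remark replies to TCP sessions opened from the LAN (stateless ACK/RST match)
 permit tcp any any established
 remark plain ACLs are stateless, so UDP replies (DNS) need an explicit permit
 permit udp any eq domain any
 remark everything else from outside is dropped and logged
 deny ip any any log
!
! --- Outbound from the LAN: only the "common" services the question names ---
ip access-list extended INSIDE-OUT
 permit udp 192.168.1.0 0.0.0.255 any eq domain
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
 permit tcp 192.168.1.0 0.0.0.255 any eq smtp
 permit tcp 192.168.1.0 0.0.0.255 any eq pop3
 remark the two desktops must still answer the forwarded RDP sessions
 permit tcp host 192.168.1.5 eq 3389 any established
 permit tcp host 192.168.1.6 eq 3389 any established
 deny ip any any log
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE-OUT in
!
interface Dialer0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

Two caveats a practitioner will hit. First, extended ACLs are stateless: `established` only matches TCP packets with ACK or RST set, which is why the DNS reply line is needed and why FTP data connections (which use ports outside both lists, in either active or passive mode) will not work under this configuration without the router's stateful inspection (`ip inspect`, on images that include the firewall feature set). Second, the `log` keyword on the final deny is what makes the ACL useful for detection: watch `show access-lists` for hit counts on each line and send the log messages to a syslog host, so that attempts against ports other than 3389/3390 from unexpected sources are visible rather than silently dropped. `show ip nat translations` confirms the static mappings are in place.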



-----Original Message-----
From: listbounce () securityfocus com on behalf of apaez1084 () gmail com
Sent: Mon 10/23/2006 11:44 AM
To: security-basics () securityfocus com
Subject: router access control list
 
Hi,
I'm a rookie. I worked on access-lists 2 years ago once and never have again. Now I need to do it for my new job. 

Cisco 800 series (827).

I need to block a lot of traffic, especially using remote access. I need to block all ports except 3390, 3389, and 
another one that I can't remember. Those are remote access open ports for different computers. Also block all other 
ports except the common ones (FTP, email, internet, etc...).

Now on IP addresses: the router has changed the IP address so that people outside don't know the real address. I need to 
block everyone else. 

How can I do this in an access list? Some examples or something will help greatly. 

Thanks 

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
