Security Basics mailing list archives
RE: router access control list
From: "Erick Jensen" <ejensen () vibrant com>
Date: Mon, 23 Oct 2006 23:24:01 -0500
I'm not going to write out the lines here, that would be much too long, but I'll give you a start. Teach yourself the ACLs, it's worth it if you have to work with the routers!

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swacl.htm

(That link is from the 2950 guide, but the syntax is the same in all Cisco IOS.) You need to research the "extended ACL", that will give you control of the ports or services. The standard ACL only gives you control over the destinations/sources.

I would recommend you identify the IPs of the remote access computers and allow those IPs and ports only. Don't just open up the ports to the world. Yes, this will be a lengthy process, but it is necessary. When you finish all that, remember to back it up! In the future you can edit it in Notepad and load the txt file on the router instead of line after line (copy+paste=win!).

Next you need to learn NAT, or more specifically PAT.

http://www.cisco.com/warp/public/556/nat-cisco.shtml

That will translate your addresses to 'hide' the internal addresses. It was designed for conservation of addresses, not security - keep that in mind. Use PAT, it will be much less of a headache to troubleshoot, 1 address for the whole network behind it, much easier.

This sounds like something you should know, if your new job depends on it. There are so many resources out there, wiki, cisco.com, message boards, etc. Let us know if you have troubles, good luck!

Erick

-----Original Message-----
From: listbounce () securityfocus com on behalf of apaez1084 () gmail com
Sent: Mon 10/23/2006 11:44 AM
To: security-basics () securityfocus com
Subject: router access control list

Hi, I'm a rookie. And I worked on access-lists 2 years ago once and never have again. Now I need to do it for my new job. Cisco 800 series (827). I need to block a lot of traffic, especially using remote access. I need to block all ports except 3390, 3389, and another one that I can't remember. Those are remote access open ports for different computers. Also block all other ports except the common ones (ftp, email, internet, etc...). Now in IP addresses: the router has changed the IP address so the people outside don't know the real address. I need to block everyone else. How can I do this in an access list? Some examples or something will help greatly. Thanks

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
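Added example (editor's illustration, not part of Erick's reply or the original question): the kind of extended ACL plus PAT configuration his advice describes for an 827-style router. All addresses, host names and interface names are assumed placeholders: 203.0.113.10 is the remote user's public address, 192.168.1.0/24 the LAN, Ethernet0 the LAN interface and Dialer0 the WAN interface.

```cisco
! Placeholders (assumed): 203.0.113.10 = known remote client,
! 192.168.1.20/.21 = the RDP hosts on the LAN, Dialer0 = WAN, Ethernet0 = LAN.
!
! PAT: the whole LAN goes out through the single Dialer0 address.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
! Static port mappings so the two remote-access hosts are reachable
! through that one public address (3389 and 3390 as in the question).
ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.21 3389 interface Dialer0 3390
!
! Extended ACL on the outside interface: only the known remote client,
! only to the two ports. An inbound ACL is evaluated before NAT undoes
! the translation, so it matches the public (pre-NAT) destination.
ip access-list extended OUTSIDE-IN
 remark remote access: one source IP, two ports, nothing else
 permit tcp host 203.0.113.10 any eq 3389
 permit tcp host 203.0.113.10 any eq 3390
 remark replies to sessions the LAN started (stateless: checks ACK/RST bits only)
 permit tcp any any established
 remark explicit final deny, logged, so blocked attempts show in the log
 deny ip any any log
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

Outbound traffic from the LAN (ftp, email, web) is untouched because no ACL is applied on the inside interface; the `established` line is the stateless ACL's way of letting those replies back in, and `show access-lists` will show hit counts per line, including the logged denies.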
Current thread:
- router access control list apaez1084 (Oct 23)
- RE: router access control list Shain Singh (Oct 24)
- RE: router access control list Erick Jensen (Oct 24)
- RE: router access control list Murda Mcloud (Oct 24)
- Re: router access control list Ivan . (Oct 24)
- <Possible follow-ups>
- Re: router access control list apaez1084 (Oct 25)
- RE: router access control list David Gillett (Oct 27)
- Re: Re: router access control list apaez1084 (Oct 27)
- Re: Re: router access control list Alexey Eremenko (Oct 27)