CISCO ACCESS-LIST SAMPLES AND HOW TO's
Here is a typical access-list for a network I was responsible for, 203.92.83.0/24. It is applied inbound on the external (Internet-facing) interface of the screening router, so "source" below always means the Internet side.
*********************Here it starts *********************
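! Anti-spoofing: drop anything arriving on the outside interface whose
! source address cannot legitimately come from the Internet - RFC 1918
! private space, loopback, link-local, multicast, class E (which includes
! the limited broadcast 255.255.255.255) and the unspecified address.
! Each entry is one line; "log" is part of the entry, not a separate command.
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
! 224.0.0.0/4 is the whole multicast range. The wildcard 7.255.255.255
! used by the older version of this list only covered 224.0.0.0-231.255.255.255
! and let 232.0.0.0-239.255.255.255 through.
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
! 240.0.0.0/4 covers class E and 255.x.x.x, replacing the old 255.0.0.0/8 entry.
access-list 101 deny ip 240.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
! Deny packets claiming to come from our own network ("spoofing"). This
! entry is also what protects the inside-only services (syslog, NTP, SNMP
! host 203.92.83.68) from outsiders pretending to be inside hosts.
access-list 101 deny ip 203.92.83.0 0.0.0.255 any log
! Deny packets claiming to come from the router itself
! (203.125.158.254 - presumably the outside interface address; verify).
access-list 101 deny ip host 203.125.158.254 any log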
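! Block services that must never be reachable from the Internet, whatever
! the destination host: SMB/NetBIOS (135-139), NFS (2049), X11 (6000-6001),
! VNC (5900-5910, and 5800-5810 for the Java viewer), ports 2000-2001
! (kept from the original list; purpose not stated), telnet and finger.
! Keep these above the permits - IOS stops at the first matching entry.
! The original comment listed NFS but had no entry for it; 2049 added.
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny udp any any range 135 139 log
access-list 101 deny tcp any any eq 2049 log
access-list 101 deny udp any any eq 2049 log
access-list 101 deny tcp any any eq 2000 log
access-list 101 deny tcp any any eq 2001 log
access-list 101 deny tcp any any eq 6000 log
access-list 101 deny tcp any any eq 6001 log
access-list 101 deny tcp any any range 5900 5910 log
access-list 101 deny tcp any any range 5800 5810 log
! Deny telnet/finger to the router and to every inside host. Note that
! this list only filters the outside interface; to protect the router's
! vty lines from inside hosts as well, put an "access-class" on "line vty".
access-list 101 deny tcp any any eq telnet log
access-list 101 deny tcp any any eq finger log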
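! Return traffic for TCP connections opened from the inside. "established"
! matches any segment with the ACK or RST bit set - roughly the iptables
! rule "-A INPUT -p tcp ! --syn -j ACCEPT" (the original comment had the
! action inverted). It is a stateless bit check, not connection tracking:
! a crafted packet with ACK set reaches any port above 1023 on any inside
! host (e.g. an ACK scan). Prefer reflexive ACLs or CBAC ("ip inspect")
! where the IOS image supports them.
access-list 101 permit tcp any 203.92.83.0 0.0.0.255 gt 1023 established
!
! ICMP: permit only the error messages inside hosts need for path MTU
! discovery and traceroute to work. Types/codes per the IANA registry,
! http://www.iana.org/assignments/icmp-parameters - review and decide.
! IOS only treats "!" as a comment at the start of a line, so the
! descriptions sit above each entry instead of trailing it.
! type 3 code 0 - net-unreachable
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 0
! type 3 code 1 - host-unreachable
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 1
! type 3 code 3 - port-unreachable
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 3
! type 3 code 4 - packet-too-big (fragmentation needed); required for PMTUD,
! without it large transfers to/from the inside stall
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 4
! type 3 code 13 - administratively-prohibited
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 3 13
! type 4 - source-quench; deprecated (RFC 6633) and ignored by modern
! stacks, remove unless legacy hosts still rely on it
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 4
! type 11 code 0 - ttl-exceeded (traceroute replies)
access-list 101 permit icmp any 203.92.83.0 0.0.0.255 11 0
! echo-reply (type 0) is not permitted, so ping from the inside gets no
! answer; add "permit icmp any 203.92.83.0 0.0.0.255 echo-reply" if wanted.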
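!
! Public services: smtp, http and pop3 to the eight hosted servers
! 203.92.83.200-207 (wildcard 0.0.0.7) only. http and pop3 are cleartext;
! add entries for 443/995 if the servers offer TLS.
!
access-list 101 permit tcp any 203.92.83.200 0.0.0.7 eq smtp
access-list 101 permit tcp any 203.92.83.200 0.0.0.7 eq http
access-list 101 permit tcp any 203.92.83.200 0.0.0.7 eq pop3
! Inbound DNS to the two name servers only. TCP 53 carries zone transfers
! and oversized answers; if only the secondaries need AXFR, narrow the TCP
! entries to those peers instead of "any".
access-list 101 permit tcp any host 203.92.83.199 eq domain log
access-list 101 permit tcp any host 203.92.83.159 eq domain log
access-list 101 permit udp any host 203.92.83.199 eq domain
access-list 101 permit udp any host 203.92.83.159 eq domain
! Active-mode FTP data connections (server port 20 -> client high port).
! Caveat: this matches on source port alone, so any outside host sending
! from port 20 reaches every port above 1023 on every inside host (a
! classic scanner trick). Remove it if passive FTP is enough; otherwise a
! reflexive ACL or CBAC is the only way to tie it to a real control session.
access-list 101 permit tcp any eq 20 203.92.83.0 0.0.0.255 gt 1023
!
! ident (113): dropped silently, not logged. An ACL deny does not send a
! TCP RST, and with "no ip unreachables" on the interface no ICMP is sent
! either, so remote mail servers that probe ident wait for a timeout. To
! let the other side know immediately that you are rejecting it, permit
! 113 to the mail servers instead and let their stack answer with RST.
access-list 101 deny tcp any any eq 113
!
! Deny and log everything else (explicit so the hits are visible).
access-list 101 deny ip any any log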
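!
! End of access-list 101. Apply it inbound on the external (Internet-facing)
! interface of the screening router - ATM0 in this example; substitute the
! real interface name.
!
interface ATM0
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
! Do not send ICMP unreachables for packets the ACL denies: quieter, and it
! does not reveal the policy. Side effect: a deny is a silent drop, so peers
! only learn of it by timeout.
 no ip unreachables
 ntp disable
 ip access-group 101 in
!
! To see which hosts are hitting the denies while logged in to the router,
! enable accounting on the interface and use
! "show ip accounting access-violations":
!
! ip accounting access-violations
!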
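!
! Global hardening. Verify the telco technician did not undo any of these.
! "service password-encryption" only applies reversible type 7 obfuscation
! to "password" lines - make sure the enable password is an "enable secret",
! and put an "access-class" on the vty lines (ACL 101 only filters the
! outside interface; it does not protect the router from inside hosts).
!
service password-encryption
service linenumber
no service pad
no cdp run
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip source-route
no ip bootp server
no ip http server
no ntp master
! Avoid DNS lookups on mistyped commands.
no ip domain-lookup
no logging console
logging buffered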
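! Timestamps, NTP and remote logging. Log and debug lines carry
! millisecond local time with the zone name so they line up with the
! syslog host.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! My timezone: Singapore, UTC+8. The offset is given in hours, no "+" sign.
clock timezone SGT 8
! Send NTP from the inside interface; replace Ethernet0 with the actual
! inside interface name.
ntp source Ethernet0
ntp update-calendar
ntp server 203.92.83.68
! NTP is unauthenticated here: a spoofed reply could shift the clock and
! with it every log timestamp. Add "ntp authenticate" plus a key if the
! server supports it. Spoofed replies from the outside are already dropped
! by the anti-spoof entry for 203.92.83.0/24 in ACL 101.
logging 203.92.83.68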
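! SNMP: read-only, and only from the internal management host (Linux box).
! "secret" is a placeholder community string - replace it, and the matching
! one on the snmp-server host line, with a long random value, or move to
! SNMPv3 with authentication and privacy if the image supports it.
snmp-server community secret RO 21
snmp-server trap-authentication
snmp-server enable traps config
snmp-server enable traps frame-relay
snmp-server host 203.92.83.68 secret
! Hosts allowed to use the community above. Outsiders spoofing this
! address are dropped by the anti-spoof entry in ACL 101; the explicit
! deny logs any other inside host that tries.
access-list 21 permit 203.92.83.68
access-list 21 deny any log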