Thursday, March 21, 2013

Best Practice Access List Branch Office Router (Firewall)


At a branch office you will not always have an ASA for security and for the VPN connectivity to the central office. The practical alternative is to use the router that is already there and filter traffic with access control lists.

 



The access lists below fit this scenario; change, add or remove entries as your own needs require. Access-list 101 filters traffic arriving from the Internet and access-list 102 filters traffic leaving the branch network 200.200.100.0/28 (wildcard mask 0.0.0.15, hosts .1 to .14). Like every IOS access list, both are processed top to bottom, the first matching line decides, and an implicit deny at the end drops anything that is not explicitly permitted.



The first group of lines in access-list 101 blocks packets arriving from outside that claim a source address from the inside network 200.200.100.0/28 (IP spoofing), packets addressed to the subnet broadcast address 200.200.100.15, and packets with loopback or RFC 1918 private source addresses, which have no business arriving from the Internet. Every match is logged.

access-list 101 remark inbound from the Internet: drop spoofed, broadcast and bogus sources
access-list 101 deny ip 200.200.100.0 0.0.0.15 any log
access-list 101 deny ip any host 200.200.100.15 log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log


The second group filters ICMP. Echo requests are accepted only for the two addresses 200.200.100.1 and 200.200.1.1; the inside network receives only the replies and error messages it needs for ping, traceroute and unreachable handling, and all other ICMP to the inside network is denied. (The port-unreachable line is redundant, since unreachable already matches every type 3 code, but it does no harm.)

access-list 101 permit icmp any host 200.200.100.1 echo
access-list 101 permit icmp any host 200.200.1.1 echo
access-list 101 permit icmp any 200.200.100.0 0.0.0.15 echo-reply
access-list 101 permit icmp any 200.200.100.0 0.0.0.15 ttl-exceeded
access-list 101 permit icmp any 200.200.100.0 0.0.0.15 traceroute
access-list 101 permit icmp any 200.200.100.0 0.0.0.15 source-quench
access-list 101 permit icmp any 200.200.100.0 0.0.0.15 parameter-problem
access-list 101 permit icmp any 200.200.100.0 0.0.0.15 unreachable
access-list 101 permit icmp any 200.200.100.0 0.0.0.15 port-unreachable
access-list 101 deny   icmp any 200.200.100.0 0.0.0.15


The third group controls TCP and UDP services. Most of these lines permit only return traffic for sessions opened from inside: the source port is the service, the destination port is above 1023, and for TCP the established keyword matches only segments with the ACK or RST bit set, so an outside host cannot open a new connection through them. The exceptions are new inbound SMTP and POP3 connections, which are allowed only to the mail server 200.200.100.5, and active-mode FTP data connections, which the server opens from port 20 and which therefore cannot carry established. UDP has no connection state at all, so the UDP lines admit any datagram from the named source port; the line for UDP ports above 32768 in both directions is particularly wide (any outside host can reach any high UDP port inside) and should be removed if you do not depend on it.

access-list 101 remark return traffic for sessions opened from inside (established = ACK or RST set)
access-list 101 permit tcp any eq www 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 permit udp any eq domain 200.200.100.0 0.0.0.15
access-list 101 permit tcp any eq ftp 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 remark active-mode FTP data: the server opens this connection, so no established
access-list 101 permit tcp any eq ftp-data 200.200.100.0 0.0.0.15 gt 1023
access-list 101 remark inbound mail to the mail server, and replies to mail sent from inside
access-list 101 permit tcp any gt 1023 host 200.200.100.5 eq smtp
access-list 101 permit tcp any eq smtp 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 permit tcp any gt 1023 host 200.200.100.5 eq pop3
access-list 101 permit tcp any eq pop3 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 permit tcp any eq telnet 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 permit tcp any eq 443 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 permit tcp any eq 210 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 permit udp any eq time 200.200.100.0 0.0.0.15 gt 1023
access-list 101 permit tcp any eq 37 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 permit udp any eq ntp 200.200.100.0 0.0.0.15 gt 1023
access-list 101 permit udp any eq ntp 200.200.100.0 0.0.0.15 eq ntp
access-list 101 permit udp any eq 1525 200.200.100.0 0.0.0.15 gt 1023
access-list 101 permit udp any gt 32768 200.200.100.0 0.0.0.15 gt 32768
access-list 101 permit tcp any eq nntp 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 permit tcp any gt 1023 200.200.100.0 0.0.0.15 gt 1023 established

The fourth group, access-list 102, handles outgoing packets. It drops traffic addressed to private ranges, mirrors the ICMP policy of access-list 101 in the outbound direction and then permits each allowed service from the branch network; since only sources in 200.200.100.0/28 are permitted, anything else trying to leave is caught by the implicit deny. Check that every outbound permit here has a matching return-traffic line in access-list 101, otherwise the replies are dropped there.

access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 permit icmp host 200.200.100.1 any echo-reply
access-list 102 permit icmp host 200.200.1.1 any echo-reply
access-list 102 permit icmp 200.200.100.0 0.0.0.15 any echo
access-list 102 permit icmp 200.200.100.0 0.0.0.15 any ttl-exceeded
access-list 102 permit icmp 200.200.100.0 0.0.0.15 any traceroute
access-list 102 permit icmp 200.200.100.0 0.0.0.15 any source-quench
access-list 102 permit icmp 200.200.100.0 0.0.0.15 any parameter-problem
access-list 102 permit icmp 200.200.100.0 0.0.0.15 any unreachable
access-list 102 permit icmp 200.200.100.0 0.0.0.15 any port-unreachable
access-list 102 deny icmp 200.200.100.0 0.0.0.15 any
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq www
access-list 102 permit udp 200.200.100.0 0.0.0.15 any eq domain
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq ftp
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq ftp-data established
access-list 102 permit tcp host 200.200.100.5 eq smtp any gt 1023 established
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq smtp
access-list 102 permit tcp host 200.200.100.5 eq pop3 any gt 1023 established
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq pop3
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq telnet
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq 443
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq 210
access-list 102 permit udp 200.200.100.0 0.0.0.15 gt 1023 any eq time
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq 37
access-list 102 permit udp 200.200.100.0 0.0.0.15 gt 1023 any eq ntp
access-list 102 permit udp 200.200.100.0 0.0.0.15 eq ntp any eq ntp
access-list 102 permit udp 200.200.100.0 0.0.0.15 gt 1023 any eq 1525
access-list 102 permit udp 200.200.100.0 0.0.0.15 gt 32768 any gt 32768
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any eq nntp
access-list 102 permit tcp 200.200.100.0 0.0.0.15 gt 1023 any gt 1023
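To see exactly how the router works through these lists, here is a small evaluator. It is an added example, not code from the original post or from Cisco: it implements the IOS rules the lists above depend on (top-down first match, wildcard masks, eq and gt ports, ICMP type keywords, the established keyword and the implicit deny at the end) for the keywords used on this page, loads part of access-list 101 and runs constructed packets through it. The outside address 198.51.100.10, the inside hosts .3, .5 and .7 and the packets themselves are assumptions made for the demonstration.

```python
"""Evaluator for the IOS access lists on this page (added example, not from the
original post or Cisco): first match, wildcard masks, established, implicit deny."""
import ipaddress
from dataclasses import dataclass

# Service names used on this page, resolved the way IOS resolves them.
PORTS = {"www": 80, "domain": 53, "ftp": 21, "ftp-data": 20, "smtp": 25,
         "pop3": 110, "telnet": 23, "time": 37, "ntp": 123, "nntp": 119}

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: str = ""             # e.g. "echo", "echo-reply"

def _ip(s): return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' -> (base, wildcard)."""
    head = tok.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tok.pop(0)), 0
    return _ip(head), _ip(tok.pop(0))

def _port(tok):
    """Consume an optional 'eq P' / 'gt P'; None means any port."""
    if tok and tok[0] in ("eq", "gt"):
        op, name = tok.pop(0), tok.pop(0)
        return op, PORTS[name] if name in PORTS else int(name)
    return None

def parse(line):
    """'access-list N permit|deny ...' -> dict; remark and blank lines -> None."""
    tok = line.split()
    if len(tok) < 4 or tok[2] not in ("permit", "deny"):
        return None
    proto, rest = tok[3], tok[4:]
    l4 = proto in ("tcp", "udp")
    src, sport = _addr(rest), (_port(rest) if l4 else None)
    dst, dport = _addr(rest), (_port(rest) if l4 else None)
    icmp_type = rest.pop(0) if proto == "icmp" and rest and rest[0] != "log" else ""
    return dict(action=tok[2], proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                icmp_type=icmp_type, established="established" in rest, text=line.strip())

def _in(spec, ip):
    mask = ~spec[1] & 0xFFFFFFFF        # a set wildcard bit means "don't care"
    return (ip & mask) == (spec[0] & mask)

def _port_ok(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def matches(e, p):
    """One parsed entry against one packet; 'established' needs ACK or RST set."""
    return (e["proto"] in ("ip", p.proto)
            and _in(e["src"], _ip(p.src)) and _in(e["dst"], _ip(p.dst))
            and _port_ok(e["sport"], p.sport) and _port_ok(e["dport"], p.dport)
            and (not e["icmp_type"] or e["icmp_type"] == p.icmp_type)
            and (not e["established"] or bool(p.flags & {"ACK", "RST"})))

def evaluate(acl, pkt):
    """IOS semantics: top down, first matching line wins, implicit deny at the end."""
    for e in acl:
        if matches(e, pkt):
            return e["action"], e["text"]
    return "deny", "implicit deny ip any any"

# Part of access-list 101 from this page (inbound from the Internet).
ACL_101 = [e for e in map(parse, """
access-list 101 deny ip 200.200.100.0 0.0.0.15 any log
access-list 101 deny ip any host 200.200.100.15 log
access-list 101 permit icmp any host 200.200.100.1 echo
access-list 101 permit tcp any eq www 200.200.100.0 0.0.0.15 gt 1023 established
access-list 101 permit tcp any eq ftp-data 200.200.100.0 0.0.0.15 gt 1023
access-list 101 permit tcp any gt 1023 host 200.200.100.5 eq smtp
access-list 101 permit tcp any gt 1023 200.200.100.0 0.0.0.15 gt 1023 established
""".splitlines()) if e]

# Constructed packets (assumptions): 198.51.100.10 is an Internet host, .5 the mail server, .7 a workstation.
OUT = "198.51.100.10"
SAMPLES = {
    "spoofed inside source": Packet("tcp", "200.200.100.3", "200.200.100.5", 40000, 25, frozenset({"SYN"})),
    "web reply":             Packet("tcp", OUT, "200.200.100.7", 80, 50000, frozenset({"ACK"})),
    "bare SYN from port 80": Packet("tcp", OUT, "200.200.100.7", 80, 50000, frozenset({"SYN"})),
    "smtp to mail server":   Packet("tcp", OUT, "200.200.100.5", 40000, 25, frozenset({"SYN"})),
    "smtp to workstation":   Packet("tcp", OUT, "200.200.100.7", 40000, 25, frozenset({"SYN"})),
    "bare SYN from port 20": Packet("tcp", OUT, "200.200.100.7", 20, 40000, frozenset({"SYN"})),
    "ping router":           Packet("icmp", OUT, "200.200.100.1", icmp_type="echo"),
    "directed broadcast":    Packet("udp", OUT, "200.200.100.15", 53, 5000),
}

def decisions():
    """Action access-list 101 takes on each sample packet."""
    return {name: evaluate(ACL_101, pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, rule = evaluate(ACL_101, pkt)
        print(f"{name:24} {action:6} <- {rule}")
```

Two results are worth noting. The spoofed packet to the mail server is denied by the first line even though the SMTP line further down would have permitted it, which is why the anti-spoofing lines must come first. And a bare SYN from source port 20 is permitted, because the active-mode FTP data line cannot carry established: any outside host that sets its source port to 20 can open a connection to a high port inside, so drop that line if you do not use active-mode FTP.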

I want to mention that I used the book Mastering Cisco Routers by Chris Brenton and Bob Abuhoff as a reference guide for configuring access lists.
Please comment if there is a mistake ;)
 



