Cisco C827 and ACL


kamui
May 17th, 2004, 10:31 AM
Hi All ,

Can someone give me a good secure ACL? These are my rules, but I want better rules ;)


ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 4096
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.1 9999 interface Dialer1 9999
ip nat inside source static udp 10.0.0.1 10000 interface Dialer1 10000
ip nat inside source static tcp 10.0.0.1 10002 interface Dialer1 10002
ip nat inside source static tcp 10.0.0.1 10003 interface Dialer1 10003
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
access-list 102 remark flux sortant
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny udp any any eq netbios-ns
access-list 102 deny udp any any eq netbios-dgm
access-list 102 deny udp any any eq netbios-ss
access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq 135
access-list 102 deny tcp any any eq 139
access-list 102 deny ip any any
access-list 111 remark Flux Entrant
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip any host 255.255.255.255
access-list 111 deny ip host 255.255.255.255 any
access-list 111 permit tcp any any eq 10003
access-list 111 permit tcp any any eq 10002
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 9999
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any ttl-exceeded
access-list 111 deny icmp any any
access-list 111 permit udp any eq isakmp any eq isakmp
access-list 111 permit gre any any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit

Thx :)

Paranoid2000
May 17th, 2004, 08:56 PM
You may be better off posting this on a Cisco forum or comp.sys.dcom.cisco. This guide (http://www.mavetju.org/networking/security.php) may be of help also.

I would certainly recommend that you block source routed packets (no ip source-route). The source routing option allows an attacker to specify a route for their packets which allows them to receive a response even with a spoofed sender IP address - this does have a legitimate use for network diagnostics but on the Internet it is almost exclusively used with ill intent.

However, no detailed advice can be given without knowing the specifics of your network requirements (e.g. you are allowing GRE - do you need it?). As a general comment, I would suggest taking the approach of blocking all traffic except for certain protocols you deem "safe". This configuration seems to take the opposite approach in only blocking a couple of ports used commonly by worms - this does not therefore deal with current (and future) exploits using other ports.
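
Added example, not code from the thread or from either poster: a first-match evaluator for the numbered extended ACL syntax posted above (tcp/udp/ip entries with any, host and wildcard addresses and eq ports; ICMP type keywords are ignored). It shows that in list 102 the broad permit for 10.0.0.0/8 sits before the NetBIOS/RPC denies, so for the LAN PC those denies never match and only reordering them makes the block effective. The addresses 198.51.100.7 and 192.0.2.9 are constructed test values.

```python
import ipaddress
PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139, "isakmp": 500}  # names used above
# List 102 exactly as posted in the thread (remark line omitted).
POSTED_102 = """\
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny udp any any eq netbios-ns
access-list 102 deny udp any any eq netbios-dgm
access-list 102 deny udp any any eq netbios-ss
access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq 135
access-list 102 deny tcp any any eq 139
access-list 102 deny ip any any"""
_L = POSTED_102.splitlines()
# Same eight entries, with the six specific denies placed ahead of the broad permit.
REORDERED_102 = "\n".join(_L[1:7] + [_L[0], _L[7]])

def _ip(text):  # dotted quad -> int
    return int(ipaddress.IPv4Address(text))

def _addr(tok):  # 'any' | 'host A' | 'A WILDCARD' -> ((base, wildcard), rest)
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _port(tok):  # optional 'eq PORT' -> (port number or None, rest)
    if tok and tok[0] == "eq":
        return (int(tok[1]) if tok[1].isdigit() else PORTS[tok[1]]), tok[2:]
    return None, tok

def parse_acl(config):  # 'access-list N action proto src [eq p] dst [eq p]' (tcp/udp/ip)
    rules = []
    for line in config.splitlines():
        t = line.split()
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        rules.append((t[2], t[3], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):  # first match decides; else implicit deny
    def hit(spec, ip):  # IOS wildcard mask: 1 bits are "don't care"
        return (ip & ~spec[1]) == (spec[0] & ~spec[1])
    for i, (action, p, rs, rsp, rd, rdp) in enumerate(rules):
        if (p in ("ip", proto) and hit(rs, _ip(src)) and hit(rd, _ip(dst))
                and rsp in (None, sport) and rdp in (None, dport)):
            return i, action
    return None, "deny"
```

The returned tuple is the index of the winning entry (None for the implicit deny) and its action, so a NetBIOS-NS datagram from 10.0.0.1 is permitted by entry 0 of the posted list and denied by entry 0 of the reordered one.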

kamui
May 18th, 2004, 03:35 AM
ok thx bro, but this site doesn't work: comp.sys.dcom.cisco :(

For the details, I just have one PC:
LAN IP: 10.0.0.1
Subnet Mask: 255.0.0.0
Gateway: 10.0.0.138
Router IP: 10.0.0.138

I found this ACL with Google, what do you think plz??
http://www.rpatrick.com/tech/acl/

:o

And do you know a good Cisco forum??

++

CrazyM
May 18th, 2004, 03:55 AM
Hi kamui

You might want to take a look at the following; the FAQ has some good info and additional links.

DSLR Cisco Forum (http://www.dslreports.com/forum/equip,cis)
DSLR Cisco FAQ (http://www.dslreports.com/faq/cisco)

Regards,

CrazyM

kamui
May 18th, 2004, 05:36 AM
Thank you very much Crazy M ;)
++

kamui
May 22nd, 2004, 08:52 AM
http://www.dslreports.com/forum/remark,10269760~mode=flat#10301093


plz help, nobody answered me in the other forum :'(

CrazyM
May 22nd, 2004, 03:11 PM
Hi kamui

In the other post you mention anti-spoofing rules. Does your router have an anti-spoofing feature? Some do, and you could use that or ACLs, but not both.

Another link you might want to look at:

Improving Security on Cisco Routers (http://www.cisco.com/warp/public/707/21.html)

You refer to a list found from your google search above, did you happen to see the link there to a more complete explanation and example:

Secure IOS Template Version 3.5 28 APR 2004 (http://www.cymru.com/Documents/secure-ios-template.html)

It has other useful links and also refers to a utility for auditing configs:

NCAT (Network Config Audit Tool) and RAT (Router Audit Tool)
http://ncat.sourceforge.net/

... which you can find here:
CIS Level-1 / Level-2 Benchmark and Audit Tool for Cisco IOS Routers (http://www.cisecurity.org/bench_cisco.html)

Lots of reading, but if you want to go beyond the default config with your Cisco it is something you will have to do to ensure your configuration is correct and secure.

Regards,

CrazyM

kamui
May 22nd, 2004, 06:06 PM
oki thx bro, yes a lot of reading as you said, I need to improve my English, I'm French lol

;D

Paranoid2000
May 24th, 2004, 11:59 PM
Quote: "this site doesn't work comp.sys.dcom.cisco"

It's not a website, it's a Usenet group. Use a Usenet reader to access it (Outlook Express isn't too bad for Usenet, despite its flaws as an email client) or Google Groups (groups.google.com): comp.dcom.sys.cisco (http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&group=comp.dcom.sys.cisco). If you decide to post there, then be sure that you follow the rules of Usenet Netiquette (http://www.my-newsgroups.com/SiteMap/netiquette.htm).

kamui
May 25th, 2004, 05:46 PM
thx ;)