ACL orientation: very restrictive "firewall"-style list.
This ACL is assumed to be bound to the outside WAN/Inet interface and affects packets coming into the site. All access to/from site is restricted. Only certain services are allowed, and these go to either open networks or bastion hosts Note: you also need a list for outbound packets. This may be bound as the incoming ACL for the inside interface. Minimally it should prevent ip spoofing, and permit access to/from known bastion hosts or subnets permitted to talk to the Internet. Assumption for this acl: Class B site address with /24 subnets inside. WARNING: again, this is only meant as an example and should be examined in light of local conditions, new exploits, and local policy.
---------------------------------------------------------- ! some paranoid NOs. these are here to squash certain types ! of spoofing behavior fast ! ! deny external spoofing access-list 122 deny ip <my class B> 0.0.255.255 any ! ! deny spoofing from "reserved" addresses access-list 122 deny ip 10.0.0.0 0.255.255.255 any access-list 122 deny ip 127.0.0.0 0.255.255.255 any access-list 122 deny ip 172.16.0.0 0.15.255.255 any access-list 122 deny ip 192.168.0.0 0.0.255.255 any access-list 122 deny ip host 0.0.0.0 any access-list 122 deny ip host 255.255.255.255 any ! just say no to ICMP denial of service attacks ! assumption here is that we are class B/24. ! access-list 122 deny icmp any 0.0.0.255 255.255.255.0 access-list 122 deny icmp any 0.0.0.0 255.255.255.0 ! just say no to all unauthorized tunnels access-list 122 deny ipinip any any access-list 122 deny gre any any ! deny external access to my router (check NTP below though) ! e.g., if router is NTP peer/server you would want to enable ! that before this line ! alternative: you might just block external telnet access on the vty line access-list 122 deny ip <my site> <mask> host <router address> access-list 122 deny ip <my site> <mask> host <router address> access-list 122 deny ip <my site> <mask> host <router address> ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! PERMIT a few SERVICES, then DENY ALL !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! permit access to a certain subnet access-list 122 permit ip any <restricted subnet> 0.0.0.255 ! ! permit access to a certain bastion host ! you may want to be more restrictive of course ! BUT remember to think through problems 2-ways (client port/server port) ! access-list 122 permit ip any host <host address> ! Wherever possible, limit traffic ! ! eg replace "any" with "host <host address>" ! replace "any" with "<subnet> <subnet mask>" ! ! permit ftp to ftp bastion host server !ftp tcp 20 & 21 access-list 122 permit tcp any host <ftp-bastion-host> eq 20 access-list 122 permit tcp any host <ftp-bastion-host> eq 21 ! !secure shell (ssh) tcp 22 access-list 122 permit tcp any host <ftp-bastion-host> eq 22 ! !telnet tcp 23 access-list 122 permit tcp any host <telnet-bastion-host> eq 23 ! !smtp 25 access-list 122 permit tcp any host <email-server> eq 25 ! !DNS 53/53 ! note: this takes care of DNS in. DNS as client ! out will require ports >= 1024 for that bastion host access-list 122 permit tcp any host <dns-server1> eq 53 access-list 122 permit udp any host <dns-server1> eq 53 ! ! tcp 80 http access-list 122 permit tcp any host <web-server> eq 80 ! ! network time protocol 123/123 ! consider if this is/is not your border router access-list 122 permit udp any <ntp-server> eq 123 ! ! may (but should not) allow access to all other unrestricted ! ports 1024 and over. Consider doing this on a per bastion host ! basis. Remember this prevents a remote server from talking to ! a local client. !access-list 122 permit tcp any any eq ge 1024 !access-list 122 permit udp any any eq ge 1024 ! access-list 122 permit udp any <ntp-server> eq 123 ! ! else deny (default anyway) access-list 122 deny ip any any