Screening Router Cisco Access List

By unwire, January 5, 2006

This is a post from my old website that still gets many hits. I’m moving all those old items here to this blog. Here it is:

Here is my Cisco access list, configured to restrict what the outside can reach on my network:
—————————–
Screening Router Access List:
—————————–

Note: All real ip addresses have been changed to the reserved 169.254.92.0 network.

! Beginning of access-list 101
!
! Deny rfc 1918 addresses:
!
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
!
! Deny packets with localhost, broadcast and multicast addresses.
! Multicast is 224.0.0.0/4, so the wildcard is 15.255.255.255;
! 7.255.255.255 would only cover 224.0.0.0 through 231.255.255.255.
!
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any log
!
! Deny packets without ip address.
!
access-list 101 deny   ip host 0.0.0.0 any log
!
! Prevent spoofing. Deny incoming packets that have
! our internal address:
!
access-list 101 deny   ip 169.254.92.0 0.0.0.255 any log
!
! More spoofing prevention. Insert the ip address of the
! external router interface:
!
access-list 101 deny   ip host 169.254.8.78 any log
!
! If you run any listeners, NFS or Xwindows add those
! ports here.
!
! access-list 101 deny tcp any any eq 2000 log
! access-list 101 deny tcp any any eq 2001 log
! access-list 101 deny tcp any any eq 6000 log
! access-list 101 deny tcp any any eq 6001 log
!
! Allow only ACKed tcp packets to our network:
!
access-list 101 permit tcp any 169.254.92.0 0.0.0.255 gt 1023 established
!
! Allow only specific ICMP. Type and code are given numerically;
! IOS does not accept a trailing "!" comment on a command line,
! so the names are listed here instead:
! http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
! http://www.worldgate.com/~marcs/mtu/
!
!   3 0   net-unreachable
!   3 1   host-unreachable
!   3 3   port-unreachable
!   3 4   packet-too-big
!   3 13  administratively-prohibited
!   4     source-quench
!   11 0  ttl-exceeded
!
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 0
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 1
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 3
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 4
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 13
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 4
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 11 0
!
! Allow smtp traffic to mail servers only:
!
access-list 101 permit tcp any host 169.254.92.15 eq smtp
access-list 101 permit tcp any host 169.254.92.108 eq smtp
!
! Allow incoming dns traffic to name servers only:
! Note: Probably best to limit tcp domain traffic to specific servers.
!
access-list 101 permit tcp any host 169.254.92.15 eq domain log
access-list 101 permit tcp any host 169.254.92.13 eq domain log
access-list 101 permit udp any host 169.254.92.15 eq domain
access-list 101 permit udp any host 169.254.92.13 eq domain
!
! Allow ntp to time server:
! See: http://www.eecis.udel.edu/~ntp/
!
access-list 101 permit udp any eq 123 host 169.254.92.38 eq 123
!
! Allow incoming news traffic to nntp server only:
!
access-list 101 permit tcp any host 169.254.92.103 eq nntp
!
! For ftp clients:
! Not very secure. The alternative is to remove this and
! force clients into passive mode.
!
access-list 101 permit tcp any eq 20 169.254.92.0 0.0.0.255 gt 1023
!
! We deny ident. We're not sure if it's secure. The entry is here
! (without "log") to keep log files from filling up:
!
access-list 101 deny   tcp any any eq 113
!
! Log everything that does not meet the above rules.
!
access-list 101 deny   ip any any log
!
! End of access-list 101

! Add this to the external interface of the screening router:
!
no ip directed-broadcast
no ip proxy-arp
!
! Don't send icmp for items denied by the access-list.
!
no ip unreachables
ntp disable
!
! Apply access list to external interface:
!
ip access-group 101 in
!
! Use this command if you want to see denied hosts while
! logged into the router. Use command:
! "show ip accounting access-violations"
!
! ip accounting access-violations
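Before applying a list like 101 it is worth checking on paper what it actually permits. The following is an added example of mine, not code from the original post or from Cisco: a small Python evaluator for the subset of IOS extended access-list syntax used above (deny/permit, ip/tcp/udp/icmp, any/host/wildcard addresses, eq/gt/lt ports, numeric ICMP type and code, established, log), applying the same first-match semantics and the implicit deny at the end of every list. ACL_101 is a constructed subset of the post's entries using its 169.254.92.0 placeholder addresses, the packets are constructed test cases, and multicast_gap shows why the multicast deny needs wildcard 15.255.255.255 (224.0.0.0/4) rather than 7.255.255.255, which stops at 231.255.255.255.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names that appear in the list, reduced to port numbers.
PORT_NAMES = {"smtp": 25, "domain": 53, "nntp": 119, "ftp-data": 20}


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


@dataclass
class Entry:
    action: str
    proto: str
    src: tuple                 # (network, wildcard)
    sport: Optional[tuple]     # (op, port) or None
    dst: tuple
    dport: Optional[tuple]
    icmp: tuple                # (type, code), either may be None
    established: bool
    log: bool


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    ack: bool = False          # ACK or RST set, which is what 'established' tests


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        raw = tokens[i + 1]
        return (tokens[i], PORT_NAMES[raw] if raw in PORT_NAMES else int(raw)), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N action proto src [port] dst [port] ...' line."""
    tokens = line.split("!")[0].split()      # tolerate a trailing '!' comment
    action, proto, i = tokens[2], tokens[3], 4
    src, i = _parse_addr(tokens, i)
    sport, i = _parse_port(tokens, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i) if proto in ("tcp", "udp") else (None, i)
    itype = icode = None
    if proto == "icmp" and i < len(tokens) and tokens[i].isdigit():
        itype, i = int(tokens[i]), i + 1
        if i < len(tokens) and tokens[i].isdigit():
            icode, i = int(tokens[i]), i + 1
    rest = set(tokens[i:])
    return Entry(action, proto, src, sport, dst, dport, (itype, icode),
                 "established" in rest, "log" in rest)


def _port_ok(spec, port):
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.proto in ("tcp", "udp") and not (_port_ok(e.sport, p.sport) and _port_ok(e.dport, p.dport)):
        return False
    if e.proto == "icmp":
        itype, icode = e.icmp
        if itype is not None and p.icmp_type != itype:
            return False
        if icode is not None and p.icmp_code != icode:
            return False
    return p.ack or not e.established


def evaluate(entries, p: Packet):
    """First match wins; ('deny', None) is the implicit deny at the end."""
    for idx, e in enumerate(entries):
        if matches(e, p):
            return e.action, idx
    return "deny", None


def multicast_gap(wildcard: str):
    """Sample multicast sources NOT caught by 'deny ip 224.0.0.0 <wildcard>'."""
    samples = ["224.0.0.5", "231.255.255.255", "232.0.0.1", "239.255.255.250"]
    return [s for s in samples if not wildcard_match(s, "224.0.0.0", wildcard)]


# Constructed subset of the post's access-list 101 (placeholder addresses).
ACL_101 = [parse_entry(l) for l in """
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny   ip 169.254.92.0 0.0.0.255 any log
access-list 101 permit tcp any 169.254.92.0 0.0.0.255 gt 1023 established
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 4
access-list 101 permit tcp any host 169.254.92.15 eq smtp
access-list 101 permit udp any host 169.254.92.15 eq domain
access-list 101 deny   tcp any any eq 113
access-list 101 deny   ip any any log
""".strip().splitlines()]

if __name__ == "__main__":
    for name, pkt in [
        ("smtp from outside", Packet("tcp", "198.51.100.7", "169.254.92.15", 40000, 25)),
        ("spoofed inside source", Packet("tcp", "169.254.92.200", "169.254.92.15", 40000, 25)),
        ("reply to our client", Packet("tcp", "203.0.113.9", "169.254.92.50", 80, 51000, ack=True)),
        ("SYN to a high port", Packet("tcp", "203.0.113.9", "169.254.92.50", 80, 51000)),
        ("icmp packet-too-big", Packet("icmp", "203.0.113.9", "169.254.92.50", icmp_type=3, icmp_code=4)),
    ]:
        print(f"{name:24s} -> {evaluate(ACL_101, pkt)}")
    print("multicast missed with 7.255.255.255:", multicast_gap("7.255.255.255"))
```

Running it prints the verdict and the index of the matching entry for each sample packet. The index is the useful part: it tells you which line will show up in the logs, and whether a packet is being dropped by the unlogged ident entry or by the final "deny ip any any log".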

—————-

Outbound filter:
—————-

! Beginning of access-list 102
!
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
!
! Don't allow internal hosts to send icmp.
!
access-list 102 deny   icmp any any log
!
! Only allow packets from our network.
!
access-list 102 permit ip 169.254.92.0 0.0.0.255 any
!
! Log everything else:
!
access-list 102 deny   ip any any log
!
! End of access-list 102
!
! Apply access list 102 to outbound external interface
! or inbound on internal interface.

———————————-
Additional items to add to config:
———————————-

!
! Miscellaneous:
!
service password-encryption
service linenumber
no cdp run
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip source-route
no ip bootp server
no ip http server
no ntp master
!
! Disable dns lookups if you don't have a name server.
!
no ip domain-lookup
!
! Don't log to the console; it saves cpu cycles.
!
no logging console
logging buffered
!
! Cisco NTP information:
! http://www.cisco.com/univercd/cc/td/doc/product/software/ios11/sbook/ssysmgmt.htm
! http://www.cisco.com/warp/customer/105/30.html
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
! My timezone. Replace "zone" in the summer-time line with the
! name of your summer-time zone (PDT for PST).
!
clock timezone PST -8
clock summer-time zone recurring
!
! ntp source is my inside interface.
!
ntp source e0
ntp update-calendar
!
! My Linux time server.
!
ntp server 169.254.92.38
!
! VERY VERY IMPORTANT! Log everything to syslog!
!
logging 169.254.92.83
!
! Performance-related:
!
! IOS 11+
!
ip tcp path-mtu-discovery
!
! IOS 11.3+
!
ip tcp selective-ack

—–
SNMP:
—–

! Secure snmp with a community name other than public or private.
! Add access-list security.
!
snmp-server community secret RO 21
snmp-server trap-authentication
!
! Log router events to snmp trap host:
!
snmp-server enable traps config
snmp-server enable traps frame-relay
snmp-server host 169.254.92.83 secret
!
access-list 21 permit 169.254.92.83

———————————
Secure vty (Telnet) and aux port:
———————————

line aux 0
access-class 2 in
transport input all
line vty 0 4
access-class 1 in
password 7 xxxxxxxxxxxxx
login
!
! Add access-lists:
!
! Allow only specific hosts to telnet into router:
!
access-list 1 permit 169.254.92.39
!
! Block access to aux.
!
access-list 2 deny 0.0.0.0 255.255.255.255

————————————
Mail report of router log to myself:
————————————

Add a UNIX cron job (one line; replace [routername] with the name the router logs under, and note that "sort +14 -15" is the old spelling of "sort -k 15,15", a sort on the 15th field only):
cat /var/log/messages | grep [routername] | sort -k 15,15 | mail -s "Router Access List Log" me@mydoman.com
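The same report can be produced without depending on sort's field position, which shifts whenever the router's timestamp format changes. Below is an added example of mine, not part of the original post: it parses the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP messages that IOS emits for entries carrying "log" and totals denied packets per source address. The lines in SAMPLE_LOG are constructed to match that message shape as a syslog host would store them (router hostname gw, documentation and placeholder addresses); the packet counts come from the messages themselves, since IOS reports a count per message rather than one line per packet.

```python
import re
from collections import defaultdict

# IPACCESSLOGP (tcp/udp with ports), IPACCESSLOGDP (icmp with type/code)
# and IPACCESSLOGNP (other protocols) share this message shape.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed /var/log/messages sample; not real traffic.
SAMPLE_LOG = """\
Jan  5 10:12:01 gw Jan  5 10:12:00.931 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4321) -> 169.254.92.15(113), 1 packet
Jan  5 10:12:07 gw Jan  5 10:12:06.120 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4322) -> 169.254.92.15(22), 3 packets
Jan  5 10:13:45 gw Jan  5 10:13:44.004 PST: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 169.254.92.50 (8/0), 12 packets
Jan  5 10:14:02 gw Jan  5 10:14:01.777 PST: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.44.0.3(53) -> 169.254.92.13(53), 1 packet
Jan  5 10:14:30 gw Jan  5 10:14:29.210 PST: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.20(3456) -> 169.254.92.13(53), 1 packet
Jan  5 10:14:09 gw Jan  5 10:14:08.501 PST: %SYS-5-CONFIG_I: Configured from console by vty0 (169.254.92.39)
Jan  5 10:15:00 mailhost sendmail[1234]: unrelated message
""".splitlines()


def parse_line(line):
    """Return the fields of an access-list log message, or None for other lines."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    f = m.groupdict()
    if f["itype"] is not None:
        target = f"{f['dst']}/icmp/{f['itype']}/{f['icode']}"
    elif f["dport"] is not None:
        target = f"{f['dst']}/{f['proto']}/{f['dport']}"
    else:
        target = f"{f['dst']}/{f['proto']}"
    return {"acl": f["acl"], "action": f["action"], "src": f["src"],
            "target": target, "packets": int(f["count"])}


def summarize(lines, action="denied"):
    """Total packets and distinct targets per source address."""
    per_src = defaultdict(lambda: {"packets": 0, "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == action:
            per_src[rec["src"]]["packets"] += rec["packets"]
            per_src[rec["src"]]["targets"].add(rec["target"])
    return dict(per_src)


def report(lines, action="denied"):
    """Text body for the mailed report, busiest source first."""
    summary = summarize(lines, action)
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["packets"], kv[0]))
    out = [f"{action} by access-list: {len(rows)} source(s)"]
    for src, info in rows:
        out.append(f"{src:15s} {info['packets']:6d} pkts  {', '.join(sorted(info['targets']))}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Pipe the output of report() into mail from the same cron job. A source that appears with an rfc 1918 address, like 10.44.0.3 in the sample, is one the anti-spoofing entries at the top of list 101 caught and is worth a closer look than a scan of port 113.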

———-
Reference:
———-

Cisco Security Overview:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scoverv.htm

3 Comments

  1. Dr. Ghassan says:

    Please tell me how I can see the ICMP messages on my PC?
    I think that the wildcard mask of the multicast address is 15.255.255.255 instead of 7.255.255.255.

  2. Macleon Kalunga says:

    I would like to thank you for the information on ACLs; I have learnt some of the things I didn't know. But I would like it if you could do me a favour by e-mailing me standard configurations for ACLs.

  3. dom says:

    kool, Thanks