The most basic config is:
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any
(these block bogus packets, you should always have these for Internet facing
routers)
access-list 101 permit udp host eq 53 any gt 1023
access-list 101 permit udp host eq 53 any gt 1023
access-list 101 permit tcp any eq www any established
and then:
interface serial 0 (or whatever is your Internet facing interface)
ip access-group 101 in
You'll need to permit additional things if you want your users to be able to
ping and traceroute. There are also certain ICMP packets that you should
probably allow in as well. You might also want to consider using the
Firewall Feature Set (FFS) to get stateful inspection capability on the
router.
I would recommend looking at the security docs on the Cisco site or getting
a good book on access-lists. I happen to think that "Cisco Access Lists
Field Guide" is pretty good, but then I'm biased since I'm co-author. :-)
HTH,
Kent
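An added Python model of the inbound access-list 101 above (not code from the post or from Cisco): it evaluates constructed packets against the same rules top to bottom, first match wins, with the DNS host address that was stripped from the post replaced by a labelled placeholder. It also shows that "established" only tests the TCP ACK/RST flag and keeps no session state, which is the gap the Firewall Feature Set closes.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK (or RST) set: all that "established" checks


# The three RFC 1918 ranges denied as source addresses (anti-spoofing).
RFC1918 = [("10.0.0.0", "0.255.255.255"),
           ("172.16.0.0", "0.15.255.255"),
           ("192.168.0.0", "0.0.255.255")]
# Placeholder for the 'host <addr>' DNS servers missing from the post.
DNS_SERVERS = ["198.51.100.53"]


def acl_101(p: Packet) -> str:
    """Return 'permit' or 'deny' for an inbound packet under access-list 101."""
    # access-list 101 deny ip <rfc1918> any
    for net, wc in RFC1918:
        if wildcard_match(p.src, net, wc):
            return "deny"
    # access-list 101 permit udp host <dns> eq 53 any gt 1023
    if p.proto == "udp" and p.src in DNS_SERVERS and p.sport == 53 and p.dport > 1023:
        return "permit"
    # access-list 101 permit tcp any eq www any established
    # Only the flag is examined; the router does not know whether a
    # matching outbound session exists (that needs stateful inspection).
    if p.proto == "tcp" and p.sport == 80 and p.ack:
        return "permit"
    return "deny"   # implicit deny at the end of every IOS access-list
```

The last case in the test shows the limitation: an ACK-flagged packet from port 80 toward any inside port is permitted even when no session was ever opened, so "established" is a filter, not a firewall.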
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Thomas
Sent: Thursday, August 02, 2001 11:08 PM
To: [EMAIL PROTECTED]
Subject: Access-list [7:14755]
Hi All,
On my internet router, I would like to deny everything but allow HTTP
traffic to get to the outside world and return to the host inside the LAN.
I really have difficulty with the access list. Could you please help me
out? BTW, I am running PAT (port address translation) on this router.
Thanks All in advance!
Thomas
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15038&t=14755