What you want is not possible.  If you want to host servers such as DNS and
SMTP you will need to have those ports open to the outside, which will show
up on any portscan, and therefore not be completely invisible...

Otherwise your scan looks pretty good.  I would close up pop3, ldap, and
1002 though...



"Brandon Peyton" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> I'm sure this has probably been covered in the archives, and what I have
> searched isn't exactly what I need.
>
> I've got a 2611 (12.0) and I'm trying to configure my router to provide me
> with a secure network.  2 mailservers and 2 DNS machines and about 12
> workstations and 4 routers.
>
> What I'm trying to do is make my network completely invisible to the
> outside world.  When someone scans my IP range they will see nothing.
> However my inside traffic should have no problems accessing anything
> anywhere.
>
> I also want to block certain ports, for some reason my unix machines like
> to advertise ldap 389 and i want to completely block that from being seen
> outside.
>
> Currently if you scan my network you'll see:
> |___    22  ssh
> |___    25  Antigen
> |___    53  domain
> |___    80  Executor
> |___   110  pop3
> |___   389  ldap
> |___  1002
>
> I would like to close certain ports on the cisco for outgoing traffic, and
> make anyone portscanning me see nothing open.
>
> I've spent a huge amount of time on CCO but still haven't found what I
> want.
>
> Any suggestions?
>
> Thanks
> Brandon
>
>
>
> I currently have applied this config:
>
> ip subnet-zero
> no ip source-route
> no ip finger
> no ip source-route
> ip route 0.0.0.0 0.0.0.0 Null0 255
> access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
> access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
> access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
> access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
> access-list 101 deny   ip 255.0.0.0 0.255.255.255 any log
> access-list 101 deny   ip 224.0.0.0 7.255.255.255 any log
> access-list 101 permit icmp any any host-unreachable
> access-list 101 permit icmp any any packet-too-big
> access-list 101 permit icmp any any administratively-prohibited
> access-list 101 permit icmp any any source-quench
> access-list 101 permit icmp any any ttl-exceeded
> access-list 101 deny   tcp any any eq ident
> access-list 101 deny   ip any any log
> access-list 102 permit tcp any host (mailserver 1) eq smtp
> access-list 102 permit tcp any host (mailserver 2) eq smtp
> access-list 102 deny   ip any any log
> access-list 103 deny   ip 192.168.0.0 0.0.255.255 any log
> access-list 103 deny   ip 172.16.0.0 0.15.255.255 any log
> access-list 103 deny   ip 10.0.0.0 0.255.255.255 any log
> access-list 103 deny   ip any 192.168.0.0 0.0.255.255 log
> access-list 103 deny   ip any 172.16.0.0 0.15.255.255 log
> access-list 103 deny   ip any 10.0.0.0 0.255.255.255 log
> access-list 103 permit ip any any
> access-list 104 deny   tcp any any eq finger
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17923&t=17864
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
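The reply's point (only ports you deliberately permit should answer a scan, and a "permit ip any any" list such as access-list 103 leaves everything visible) is easy to check offline. The following is an added example, not code from the poster or from Cisco: a small first-match evaluator for the IOS extended-ACL syntax quoted above. It models the subset actually used in the post (any/host/wildcard addresses, an optional "eq" destination port, trailing keywords such as "log" ignored) and the implicit deny at the end of every IOS ACL; it does not model "established", port ranges, or which interface and direction the list is applied on. The addresses 203.0.113.25/26 and 198.51.100.7 are constructed stand-ins for the "(mailserver 1)"/"(mailserver 2)" placeholders and for an outside scanner.

```python
"""Evaluate Cisco IOS extended ACLs (the access-list 1xx form quoted above)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts in place of numbers (subset used on this page).
PORT_NAMES = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80, "finger": 79,
              "pop3": 110, "ident": 113, "ldap": 389}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", "icmp"
    src: Tuple[int, int]          # (network as int, mask as int)
    dst: Tuple[int, int]
    dport: Optional[int]          # destination port from "eq", or None


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.ip_address(tok))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    mask = 0xFFFFFFFF ^ wildcard  # wildcard bits set to 1 mean "don't care"
    return (net & mask, mask), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        # Anything after this ("log", ICMP type names) does not affect matching here.
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _addr_match(rule, addr):
    net, mask = rule
    return (int(ipaddress.ip_address(addr)) & mask) == net


def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE wins; IOS appends an implicit 'deny ip any any'."""
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if not _addr_match(a.src, src) or not _addr_match(a.dst, dst):
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"


def reachable_ports(aces, src, dst, ports):
    """TCP ports a host at `src` would find permitted through the ACL to `dst`."""
    return [p for p in ports if evaluate(aces, "tcp", src, dst, p) == "permit"]


# Constructed addresses (documentation ranges) stand in for the post's
# "(mailserver 1)" / "(mailserver 2)" placeholders and an outside scanner.
MAIL1, MAIL2 = "203.0.113.25", "203.0.113.26"
SCANNER = "198.51.100.7"

ACL_102 = f"""
access-list 102 permit tcp any host {MAIL1} eq smtp
access-list 102 permit tcp any host {MAIL2} eq smtp
access-list 102 deny   ip any any log
"""

ACL_103 = """
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 103 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 103 permit ip any any
"""

# The ports from the poster's scan listing.
SCAN_PORTS = [22, 25, 53, 80, 110, 389, 1002]

if __name__ == "__main__":
    print("ACL 102:", reachable_ports(parse_acl(ACL_102), SCANNER, MAIL1, SCAN_PORTS))
    print("ACL 103:", reachable_ports(parse_acl(ACL_103), SCANNER, MAIL1, SCAN_PORTS))
```

Run against the post's own lists, access-list 102 leaves only 25/tcp answering on each mail server, while access-list 103 (whose last line is "permit ip any any") leaves all seven scanned ports reachable and only filters RFC 1918 sources and destinations. Which list the router actually enforces depends on the "ip access-group" binding on the outside interface, which the post does not show.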