Access-lists and other stuff

Once we've got the basic router working and passing traffic, generally our next step is to set up some access lists to help enforce policy.

Since the internet is a big place with a lot of people out there we don't really know, a good first step is to restrict access to the router itself to our own internal networks.

So to begin, we create a basic access list containing the networks that belong to us, and then allow only those networks to telnet to the router and to query it via SNMP for management. We'll use the example networks from our previous configuration examples: assume 10.3.2.0/24 is our main office in Seattle, and 10.5.1.0/24 is our Portland office.

sample-gw# config term
Enter configuration commands, one per line.  End with CNTL/Z.
sample-gw(config)# access-list 16 permit 10.3.2.0 0.0.0.255
sample-gw(config)# access-list 16 permit 10.5.1.0 0.0.0.255
sample-gw(config)# snmp-server community public ro 16
sample-gw(config)# line vty 0 4
sample-gw(config-line)# access 16 in
sample-gw(config-line)# ^Z
sample-gw# 
So we've created the access list, set up SNMP read-only access with the community 'public' reachable only from our internal networks, and finally allowed telnet access only from our internal networks.

The next thing we'll want to do is create an access list to apply to our T1 to the internet to keep unwanted traffic out. We'll assume that we're a typical internet-connected office and we want to allow the following access:

So we'll now create an extended access list:

sample-gw# config term
Enter configuration commands, one per line.  End with CNTL/Z.
sample-gw(config)# ! first prevent IP spoofing
sample-gw(config)# access-list 101 deny ip 10.3.2.0 0.0.0.255 any
sample-gw(config)# access-list 101 deny ip 10.5.1.0 0.0.0.255 any
sample-gw(config)# ! Permit established connections
sample-gw(config)# access-list 101 permit tcp any any est
sample-gw(config)# ! now allow email services (smtp and pop) to our mail server
sample-gw(config)# access-list 101 permit tcp any host 10.3.2.3 eq 25
sample-gw(config)# access-list 101 permit tcp any host 10.3.2.3 eq 110
sample-gw(config)# ! ok, now allow web access to our web server (http + https)
sample-gw(config)# access-list 101 permit tcp any host 10.3.2.5 eq 80
sample-gw(config)# access-list 101 permit tcp any host 10.3.2.5 eq 443
sample-gw(config)# ! and DNS access to our DNS server
sample-gw(config)# access-list 101 permit tcp any host 10.3.2.2 eq 53
sample-gw(config)# access-list 101 permit udp any any eq 53
sample-gw(config)# ! add the ident port (recommended) so as not to slow stuff down
sample-gw(config)# access-list 101 permit tcp any any eq 113
sample-gw(config)# ! now permit high tcp and udp ports for streaming media
sample-gw(config)# access-list 101 permit tcp any any gt 1023
sample-gw(config)# access-list 101 permit udp any any gt 1023
sample-gw(config)# ^Z
sample-gw#
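As an added illustration (not part of the original page), here is a small Python evaluator that parses the access-list 101 entries above and applies them the way IOS does: top to bottom, first match wins, and anything left over hits the implicit deny at the end. The packets it is exercised with are constructed; note in particular that a new inbound connection to any port above 1023 on an internal host is permitted by the `gt 1023` entries, while one to port 22 falls through to the implicit deny.

```python
import ipaddress
# access-list 101 copied from this page; the evaluator and test packets are constructed
ACL_101 = """
access-list 101 deny ip 10.3.2.0 0.0.0.255 any
access-list 101 deny ip 10.5.1.0 0.0.0.255 any
access-list 101 permit tcp any any est
access-list 101 permit tcp any host 10.3.2.3 eq 25
access-list 101 permit tcp any host 10.3.2.3 eq 110
access-list 101 permit tcp any host 10.3.2.5 eq 80
access-list 101 permit tcp any host 10.3.2.5 eq 443
access-list 101 permit tcp any host 10.3.2.2 eq 53
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 113
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023
"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tok):
    # 'any', 'host A' or 'A WILDCARD' -> (address, wildcard); a 1 bit in an IOS
    # wildcard mask means "don't care", i.e. it is the inverse of a subnet mask
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (ip(tok.pop(0)), 0) if t == "host" else (ip(t), ip(tok.pop(0)))

def parse_acl(text):
    # 'access-list N action proto src dst [eq|gt PORT | est]' (no source-port operators)
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = parse_addr(tok), parse_addr(tok)
        op, port = (tok[0], int(tok[1])) if tok and tok[0] in ("eq", "gt") else (None, None)
        rules.append((action, proto, src, dst, op, port, tok == ["est"]))
    return rules

def evaluate(rules, proto, src, dst, dport, established=False):
    # IOS first-match semantics: (action, 1-based rule index) of the first matching
    # rule, or ('deny', None) for the implicit deny that ends every access-list
    for n, (action, rproto, (snet, swild), (dnet, dwild), op, port, est) in enumerate(rules, 1):
        if (rproto in ("ip", proto)
                and (ip(src) | swild) == (snet | swild)
                and (ip(dst) | dwild) == (dnet | dwild)
                and (established or not est)        # 'est' needs ACK or RST set
                and (op is None or (dport == port if op == "eq" else dport > port))):
            return action, n
    return "deny", None
```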
So now we have an access list, and we need to apply it to our inbound internet connection.

sample-gw# config term
Enter configuration commands, one per line.  End with CNTL/Z.
sample-gw(config)# int ser0.16 p
sample-gw(config-subif)# ip access 101 in
sample-gw(config-subif)# ^Z
sample-gw# 
Now we'll want to make sure we can still browse the web, and that our web site and email still work (hopefully they do!). Substitute whatever interface on your router connects to the internet for serial0.16.

Last Updated: Mon Oct 5 16:03:35 PDT 1998
This is part of Nik's website - email me with questions or comments at nikm@cyberflunk.com.