WhiteDragon

@comcastbusiness.net

[Config] Second pair of eyes

Could I get a second pair of eyes to look over the following? I want to lock down my network so that only a few services can get in/out by setting access-lists on both incoming and outgoing traffic. Thanks!

object network ftpserver
host
object network webserver
host
object network pi
host
object network printer
host
object network exchange
host
object network dc
host

access-list OUTBOUND permit tcp any any eq 80
access-list OUTBOUND permit tcp any any eq 443
access-list OUTBOUND permit tcp object webserver eq 80 any
access-list OUTBOUND permit tcp object webserver eq 443 any
access-list OUTBOUND permit tcp object ftpserver eq 20 any
access-list OUTBOUND permit tcp object ftpserver eq 21 any
access-list OUTBOUND permit tcp object ftpserver eq 22 any
access-list OUTBOUND permit tcp object pi eq 22 any
access-list OUTBOUND permit udp object dc eq 53 any
access-list OUTBOUND permit tcp object exchange eq 443 any
access-list OUTBOUND permit tcp object exchange eq 110 any
access-list OUTBOUND permit tcp object exchange eq 25 any
access-list OUTBOUND permit tcp object printer eq 80 any
access-list OUTBOUND permit tcp object printer eq 443 any

access-list INBOUND permit tcp any eq 80 any
access-list INBOUND permit tcp any eq 443 any
access-list INBOUND permit tcp any object webserver eq 80
access-list INBOUND permit tcp any object webserver eq 443
access-list INBOUND permit tcp any object ftpserver eq 20
access-list INBOUND permit tcp any object ftpserver eq 21
access-list INBOUND permit tcp any object ftpserver eq 22
access-list INBOUND permit tcp any object pi eq 22
access-list INBOUND permit udp any object dc eq 53
access-list INBOUND permit tcp any object exchange eq 443
access-list INBOUND permit tcp any object exchange eq 110
access-list INBOUND permit tcp any object exchange eq 25
access-list INBOUND permit tcp any object printer eq 80
access-list INBOUND permit tcp any object printer eq 443

access-group INBOUND in interface outside
access-group OUTBOUND out interface outside

ip audit attack action drop


HELLFIRE
Premium
join:2009-11-25
kudos:18

First, make / model of device this is from?

Second, what exactly are you trying to accomplish here?

From an initial look, you may want to add a "deny any any log" at the end of both your OUTBOUND and INBOUND ACLs for two reasons, a) for debugging / troubleshooting and b) from a security perspective. Otherwise conceptually, you're on the right track for a default deny ruleset.

My 00000010bits

Regards
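An added example, not from either poster: a small Python lint that applies the reply's point to ACL text in the shape posted above, checking that each ACL ends with an explicit logged deny, and also flagging permits that reach any destination while matching only on a source port (the `any eq 80 any` style entries). It assumes the ASA-style syntax shown in the post (`any`, `object NAME` or `host ADDR` endpoints, optional `eq PORT`, optional trailing `log`) and uses a constructed three-line sample rather than the full config.

```python
# Added example (not from the thread): lint ASA-style access-list text for the
# point raised in the reply (an explicit, logged deny at the end of each ACL)
# and for permits that reach any destination while matching on source port only.
def parse_ace(line):
    """Parse 'access-list NAME action proto src [eq P] dst [eq P] [log]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None
    rest = tok[4:]

    def endpoint():  # consumes 'any' or 'object NAME' / 'host ADDR', then optional 'eq PORT'
        nonlocal rest
        if not rest:
            return "?", None
        ep, rest = ("any", rest[1:]) if rest[0] == "any" else (" ".join(rest[:2]), rest[2:])
        port = None
        if rest[:1] == ["eq"]:
            port, rest = rest[1], rest[2:]
        return ep, port

    src, sport = endpoint()
    dst, dport = endpoint()
    return {"acl": tok[1], "action": tok[2], "proto": tok[3], "src": src,
            "sport": sport, "dst": dst, "dport": dport, "log": "log" in rest}

def lint(config_text):
    """Return {acl_name: [finding, ...]}; an empty list means no findings."""
    acls = {}
    for line in config_text.splitlines():
        ace = parse_ace(line.strip())
        if ace:
            acls.setdefault(ace["acl"], []).append(ace)
    report = {}
    for name, aces in acls.items():
        findings, last = [], aces[-1]
        if not (last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
            findings.append("no explicit deny any any at end; the implicit deny logs nothing")
        elif not last["log"]:
            findings.append("final deny any any lacks the log keyword")
        for ace in aces:
            if ace["action"] == "permit" and ace["dst"] == "any" and ace["dport"] is None:
                findings.append("permit to any destination matched on source port only: "
                                "%s %s eq %s" % (ace["proto"], ace["src"], ace["sport"] or "-"))
        report[name] = findings
    return report

# Constructed sample in the shape of the post's INBOUND ACL, then the reply's trailer.
SAMPLE = """access-list INBOUND permit tcp any eq 80 any
access-list INBOUND permit tcp any object webserver eq 443
access-list INBOUND permit udp any object dc eq 53
"""
FIXED = SAMPLE + "access-list INBOUND deny ip any any log\n"
```

Running `lint(SAMPLE)` reports both the missing trailer and the source-port-only permit; `lint(FIXED)` leaves only the latter.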