Common examples for Cisco access control lists and port forwarding

So far, we have set up most of the functions a home router needs.
This article briefly introduces how to configure access control and port mapping.

Network Security Configuration

As mentioned before, an enterprise-class router does nothing with unsolicited inbound traffic under its default configuration, for security reasons, so all common ports are closed to the outside by default. This is enough for most cases.
If you want to refine the configuration further, here are some examples of security policies:

Access Control List (ACL)

Reject incoming packets whose source address belongs to a private or reserved range (such packets cannot legitimately arrive from the WAN)

access-list 100 remark wildcard = inverse netmask: 0.255.255.255 is /8, 0.15.255.255 is /12, 0.0.255.255 is /16
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 remark 0.0.255.255 covers all of 192.168.0.0/16 (0.0.0.255 would only cover 192.168.0.0/24)
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 240.0.0.0 15.255.255.255 any

Block Microsoft file sharing (TCP 137-139) in both directions

access-list 100 deny tcp any any range 137 139
access-list 100 deny tcp any range 137 139 any

Deny NetBIOS requests (UDP 137-139) in both directions

access-list 100 deny udp any any range netbios-ns netbios-ss
access-list 100 deny udp any range netbios-ns netbios-ss any

Block the SMB protocol (port 445)

access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any eq 445 any
access-list 100 deny udp any any eq 445
access-list 100 deny udp any eq 445 any

Block inbound telnet connections

access-list 100 deny tcp any any eq telnet

Allow all other traffic

access-list 100 permit ip any any

This ACL filters traffic arriving from the WAN, so apply it inbound on the Dialer interface:

interface Dialer1
    ip access-group 100 in
exit
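To check what a list actually matches before it goes on the router, here is an added Python evaluator (not code from the original article) that parses entries written in the access-list syntax above, converts Cisco wildcard masks to prefix lengths and applies first-match semantics with the implicit deny at the end. The sample entries are a constructed excerpt; its 192.168.0.0 entry is deliberately written with the 0.0.0.255 wildcard to show that such an entry covers only 192.168.0.0/24, not the whole private /16.

```python
import ipaddress

# Constructed excerpt of ACL 100 in IOS syntax. The 192.168.0.0 entry is written
# with the 0.0.0.255 wildcard on purpose, to show that it covers only a /24.
ACL_100 = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 deny udp any any range netbios-ns netbios-ss
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any
"""
PORT_NAMES = {"telnet": 23, "netbios-ns": 137, "netbios-ss": 139}

def _addr(tok, i):
    """'any' or 'A W', where W is a Cisco wildcard mask (1 bits mean don't care)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    prefix = 32 - int(ipaddress.ip_address(tok[i + 1])).bit_length()  # contiguous mask assumed
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2

def _ports(tok, i):
    """Optional 'eq P' or 'range P Q' after an address; no operator means every port."""
    port = lambda t: PORT_NAMES.get(t) or int(t)
    if i < len(tok) and tok[i] == "eq":
        return (port(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return (port(tok[i + 1]), port(tok[i + 2])), i + 3
    return (0, 65535), i

def parse_acl(text):
    """Parse 'access-list N action proto src [ports] dst [ports]' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 4)
        sports, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dports, _ = _ports(tok, i)
        entries.append((tok[2], tok[3], src, sports, dst, dports))
    return entries

def evaluate(entries, proto, src, dst, sport=0, dport=0):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in entries:
        if (p in ("ip", proto) and s in snet and d in dnet
                and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]):
            return action
    return "deny"
```

Run evaluate(parse_acl(ACL_100), "tcp", "192.168.5.1", "203.0.113.5", 40000, 80) and it returns "permit", because the /24 wildcard does not reach that source; change the wildcard to 0.0.255.255 and the same packet is denied.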

Reflexive ACL

Controlling traffic by hand with access lists is intuitive, but some case will inevitably be missed. If you do not need to run a server that is reachable from outside, you can use a reflexive ACL instead (this is what the reflect and evaluate keywords implement; the term is sometimes translated as "recursive ACL").
Whether a client browses a web page or talks to an external server through some program, the client first sends a request and then receives the server's response.
A reflexive ACL relies on this pattern:

  • the router records every outgoing packet
  • when a packet arrives, the router checks whether it is a reply to a recorded packet, and drops it if not

ip access-list extended OUT_LIST
 remark record every session that a client starts towards the WAN
 permit tcp any any reflect TCP_SESSIONS
 permit udp any any reflect UDP_SESSIONS
 permit icmp any any reflect ICMP
 permit ip any any

ip access-list extended IN_LIST
 remark accept only replies to sessions recorded by OUT_LIST
 evaluate TCP_SESSIONS
 evaluate UDP_SESSIONS
 evaluate ICMP
 deny ip any any

interface Dialer1
 ip access-group IN_LIST in
 ip access-group OUT_LIST out

This reflexive (recursive) ACL blocks every connection that starts from the outside world. Two caveats: an interface takes only one access list per direction, so these lists replace any ACL already applied in the same direction on that interface; and outbound ACLs do not see packets the router itself generates, so replies to the router's own traffic (for example its DNS or NTP queries) are not matched by the reflexive entries and need explicit permit lines in IN_LIST.

Port Forwarding

Driven by my interest, I decided to run a server in my home and build my own blog site.
(Now I'm a fan of /r/homelab.)

In order to make this website available to the public, I also need to perform port mapping on the router and open ports 80 (http) and 443 (https).

Assuming the server's internal network IP address is 192.168.1.200:

ip nat inside source static tcp 192.168.1.200 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.200 443 interface Dialer1 443

Also don't forget to modify the access list so that the outside can reach the server. The host keyword expects an IP address, not an interface name, and a dialer's address is usually assigned dynamically, so match the destination with any instead:

access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443

Entries added to a numbered ACL are appended at its end, so if the list ends in a deny, rebuild it with these two lines placed before that deny.