Great Circle Associates Firewalls
(May 1994)

Subject: Cisco access list examples wanted
From: Kimmo . Suominen @ lut . fi (Kimmo Suominen)
Organization: Lappeenranta University of Technology, Finland
Date: Sun, 8 May 1994 00:06:16 GMT
To: firewalls @ greatcircle . com

Hi!

The number of cracking attempts at LUT has gone up this spring,
and we are finally tired enough of them to install a firewall at
our Cisco routers.

We (I?) have already thought of which services to let through
and which will be only allowed to a gateway host and which ones
will be totally blocked.  Now I would like to see examples on
how you have implemented the needed access lists on your Cisco.

What might be problematic here is that we cannot just block
traffic on our Internet connection, because we share the router
with another organization (or perhaps we can, if they want to be
behind a firewall as well - but even then we need a firewall
between the two organizations).  There's also a limited traffic
Internet connection coming to our second cisco some time in the
future.

Here's a picture:

          LUT/IEM LUT/LNET           PTT/Internet
               |   |                      |
             +-+---+-+                +---+---+
  Internet --+       |   LUT Campus   |       |
             | Cisco +-------+--------+ Cisco +-- LUT/IT:CS-Lab
       SCP --+       |       |        |       |
             +-+---+-+    +--+--+     +---+---+
               |   |      | HUB |         |
           LUT/AD LUT/PC  +++++++    LUT/IT:DC-Lab
                           |||||
                             ||+- LUT/CC
                             |+-- cc.lut.fi
                             +--- lut.fi (service gateway)

Obviously we want everything flowing between the LUT nets, but
we want a firewall against Internet, SCP and PTT.  We must not
block the Internet traffic of SCP, but we must block PTT from
non-LUT networks.  I'm not sure if SCP will be allowed to use
the PTT/Internet connection, but I guess that is a routing
problem more than a firewall problem.

For this to work, I would figure we need to install access lists
on three interfaces:

	1) Internet
	2) SCP
	3) PTT/Internet

Is this correctly assumed and also possible with a Cisco?  We
have quite a recent version of the OS running on the Ciscos (we
use OSPF routing and needed to upgrade for that).  I believe
there were some problems in this approach with the earlier
versions.

So if anyone has done something similar with Ciscos, I'd really
like to see examples on the access lists.  I've only worked with
Wellfleet routers before, and our Cisco manuals aren't actually
up-to-date with the OS version.

If there is interest, I could summarize once this is done.  I
would not be showing the examples you send me, but rather the
configuration we will come up with.

Any suggestions, comments and notes - even flames - are greatly
appreciated.

Cheers
+ Kim
--
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
( Kimmo Suominen ! Internet: Kimmo . Suominen @ lut . fi           )
( "That's what   ! Bitnet: KIM @ FINFILES  //  Funet: LUOTI::KIM   )
(       I think" ! Lappeenranta University of Technology ** Finland )
 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
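A sketch of the three inbound access lists the post asks about, added here as an example and not taken from the post or from LUT's actual configuration: the LUT, SCP and gateway addresses, the interface names and the access-list numbers are placeholders, and `ip access-group ... in` assumes an IOS release that supports inbound lists.

```cisco
! Added example: placeholder addresses, not LUT's real ones
!   LUT campus nets  192.0.2.0/24 and 198.51.100.0/24
!   SCP net          203.0.113.0/24
!   service gateway  192.0.2.10 (lut.fi)
!
! --- Cisco 1, Internet interface: inbound from the Internet ---
! drop packets arriving from outside with a LUT or SCP source address (spoofing)
access-list 101 deny   ip 192.0.2.0    0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 deny   ip 198.51.100.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 deny   ip 203.0.113.0  0.0.0.255 0.0.0.0 255.255.255.255
! SCP's own Internet traffic must not be blocked
access-list 101 permit ip 0.0.0.0 255.255.255.255 203.0.113.0 0.0.0.255
! replies to TCP connections opened from inside LUT
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.0.2.0    0.0.0.255 established
access-list 101 permit tcp 0.0.0.0 255.255.255.255 198.51.100.0 0.0.0.255 established
! services allowed only to the gateway host (mail, DNS)
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.0.2.10 0.0.0.0 eq 25
access-list 101 permit udp 0.0.0.0 255.255.255.255 192.0.2.10 0.0.0.0 eq 53
! everything else from the Internet is dropped (the implicit deny, made explicit)
access-list 101 deny   ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
! --- Cisco 1, SCP interface: inbound from SCP ---
access-list 102 permit tcp 203.0.113.0 0.0.0.255 192.0.2.10 0.0.0.0 eq 25
access-list 102 permit tcp 203.0.113.0 0.0.0.255 192.0.2.0    0.0.0.255 established
access-list 102 permit tcp 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255 established
access-list 102 deny   ip  203.0.113.0 0.0.0.255 192.0.2.0    0.0.0.255
access-list 102 deny   ip  203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255
! SCP still reaches the Internet through this router
access-list 102 permit ip  203.0.113.0 0.0.0.255 0.0.0.0 255.255.255.255
!
! --- Cisco 2, PTT/Internet interface: inbound from PTT ---
! PTT traffic may reach LUT only; nothing transits towards SCP or the Internet
access-list 103 permit tcp 0.0.0.0 255.255.255.255 192.0.2.10 0.0.0.0 eq 25
access-list 103 permit tcp 0.0.0.0 255.255.255.255 192.0.2.0    0.0.0.255 established
access-list 103 permit tcp 0.0.0.0 255.255.255.255 198.51.100.0 0.0.0.255 established
access-list 103 deny   ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
! apply each list inbound on the interface it guards (interface names assumed)
interface Ethernet0
 description Internet
 ip access-group 101 in
interface Ethernet1
 description SCP
 ip access-group 102 in
! on the second Cisco
interface Serial0
 description PTT/Internet
 ip access-group 103 in
```

`established` admits only TCP replies, so any UDP service other than DNS to the gateway stays blocked until a line is added for it; whether SCP may use the PTT link is left to routing, as the post says.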
