Build an extended access list (ip access-group 1xx in) at the WAN port
of your external router. You may refer to http://www.cisco.com or
perform a search on "access-list" in your Cisco-CD documentation.
If you use an extended access-list (Access group number above 100)
you'll have more control over the packets that get across your network.
With these, you can almost build a firewall right in your router, so you
can get pretty good security with them.
Regards? J
Ricardo Alvarado B.
DCN Network Provisioning
v273.5767 DID 528.153.5767
SkyTel: 528.319.0779 PIN 525.4333
>----------
>From: Steven E. Matkoski [SMTP:matkoski @ dreamscape . com]
>Sent: Wednesday, January 08, 1997 7:40 AM
>To: Firewalls @ GreatCircle . COM
>Subject: Re: internal filtering router - filter config?
>
>Firewalls-Digest wrote:
>>
>> In your external router you'd block any ICMP traffic going back and
>> forth, as well as any packets bearing one of your internal IP addresses,
>> as a source address, especially if these are going INTO your protected
>> network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill
>> any ports that your users will not be using, and leave just mail, web,
>> ftp, etc.
>>
>> ricardo
>> ralvarado @ avantel . com . mx
>>
>Thanks, I also read that you could block source-routed packets there,
>also.
>If I am using a Cisco router, how does one go about this? Or can I get a
>location for documentation?
>
>Thanks!
>-steve.
>matkoski @ dreamscape . com
>
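
An added example, not part of the original message or thread: an IOS configuration sketching the inbound filtering discussed above, with source routing disabled globally. The interface name Serial0, the list number 101, and the 192.0.2.0/24 internal network with its mail, web and FTP hosts are placeholder assumptions.

```cisco
! Drop packets that carry IP source-route options (global command).
no ip source-route
!
! Extended access list 101, applied inbound on the WAN port.
! 192.0.2.0/24 stands in for the internal network (placeholder).
!
! 1. Anti-spoofing: nothing arriving from outside may claim an
!    internal source address.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
!
! 2. ICMP, as suggested in the thread. Blocking all of it also drops
!    "fragmentation needed" messages, so expect path MTU discovery
!    to be affected.
access-list 101 deny   icmp any any
!
! 3. Services named in the thread. The final deny would catch these
!    too; listing them keeps them ahead of the permits below and
!    makes the intent visible.
access-list 101 deny   tcp any any eq telnet
access-list 101 deny   tcp any any eq finger
access-list 101 deny   udp any any eq snmp
access-list 101 deny   udp any any eq snmptrap
!
! 4. Services that are allowed in, each to its own server
!    (host addresses are placeholders).
access-list 101 permit tcp any host 192.0.2.25 eq smtp
access-list 101 permit tcp any host 192.0.2.80 eq www
access-list 101 permit tcp any host 192.0.2.21 eq ftp
!
! 5. Return traffic for TCP sessions opened from the inside.
!    "established" matches segments with ACK or RST set only.
access-list 101 permit tcp any any established
!
! 6. Everything else is dropped. The deny is implicit at the end of
!    every list; writing it out allows logging of what was refused.
access-list 101 deny   ip any any log
!
interface Serial0
 ip access-group 101 in
```

Rules are evaluated top down and the first match wins, so the anti-spoofing and deny lines must stay above the permits. Other traffic your users need, such as UDP DNS replies or active-mode FTP data connections, requires its own permit lines.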