Difference between revisions of "Cisco - IOS Samples"
= Sample Port Mnemonics =
<pre>
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq 22
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any any eq ntp
access-list 100 deny tcp any any eq 139 log
access-list 100 permit tcp any any eq 123
access-list 100 permit tcp any any eq nntp
access-list 100 permit tcp any any eq finger
access-list 100 permit udp any any eq 119
access-list 100 permit tcp any any eq talk
access-list 100 permit tcp any any eq pop3
access-list 100 permit udp any any eq 110
access-list 100 permit udp any any eq talk
access-list 100 permit tcp any any eq 8080
access-list 100 permit udp any any eq 8080
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any gt 1023
access-list 100 permit udp any any gt 1023
*** access-list 100 deny tcp any any eq smtp
access-list 100 permit tcp any any eq irc
access-list 100 permit tcp any any eq login
access-list 100 permit tcp any any eq ident
access-list 100 permit tcp any any eq 114
access-list 100 permit tcp any any eq 518
access-list 100 permit udp any any eq 518
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit udp any any eq syslog
access-list 100 permit icmp any any
</pre>
Latest revision as of 18:30, 2 January 2008
= Some Links to Examples =
* http://netinfo.unet.brandeis.edu/details/router-shaping-acls
* http://filtering.illinois.net/ACLsamples.html
= Sample ACL Setup =
<pre>
ip access-list extended internet-inbound
 permit tcp any any established
 permit ospf host abc.xyz.90.49 any
 permit 41 any any
 permit pim any any
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip abc.xyz.250.0 0.0.0.255 any log
 permit ip any 224.0.0.0 15.255.255.255
 permit ip host abc.xyz.60.21 any
 permit ip host abc.xyz.82.25 any
 permit ip host abc.xyz.82.30 any
 permit tcp any host abc.xyz.250.5 eq nntp
 permit tcp any host abc.xyz.250.5 eq 120
 permit tcp any host abc.xyz.250.6 eq nntp
 permit tcp any host abc.xyz.250.6 eq 120
 permit tcp any host abc.xyz.250.5 eq www
 permit tcp any host abc.xyz.250.6 eq www
 permit udp any host abc.xyz.250.5 eq domain
 permit udp any host abc.xyz.250.6 eq domain
 permit tcp any host abc.xyz.250.5 eq smtp
 permit tcp any host abc.xyz.250.6 eq smtp
 permit tcp any host abc.xyz.250.5 eq pop3
 permit tcp any host abc.xyz.250.6 eq pop3
 permit tcp any abc.xyz.250.0 0.0.0.255 eq ident
 permit udp any abc.xyz.250.0 0.0.0.255 eq 113
 permit tcp any host abc.xyz.253.51 eq 22
 permit tcp any abc.xyz.250.0 0.0.0.255 eq 22
 permit udp any abc.xyz.250.0 0.0.0.255 eq 22
 permit tcp any host abc.xyz.250.5 eq ftp
 permit tcp any host abc.xyz.250.5 eq ftp-data
 permit tcp any host abc.xyz.250.6 eq ftp
 permit tcp any host abc.xyz.250.6 eq ftp-data
 permit tcp abc.xyz.60.0 0.0.1.255 any eq 6000
 permit tcp abc.xyz.156.0 0.0.0.255 any eq 6000
 permit udp abc.xyz.0.0 0.0.255.255 any eq bootps
 permit tcp abc.xyz.60.0 0.0.1.255 any range 135 139
 permit udp abc.xyz.60.0 0.0.1.255 any range 135 netbios-ss
 permit tcp abc.xyz.60.0 0.0.1.255 any eq 445
 permit udp abc.xyz.60.0 0.0.1.255 any eq 445
 permit tcp abc.xyz.156.0 0.0.0.255 any range 135 139
 permit udp abc.xyz.156.0 0.0.0.255 any range 135 netbios-ss
 permit tcp abc.xyz.156.0 0.0.0.255 any eq 445
 permit udp abc.xyz.156.0 0.0.0.255 any eq 445
 permit udp any abc.xyz.250.0 0.0.0.255 eq 4755
 permit udp any any eq ntp
 permit udp any any eq tftp
 permit icmp any abc.xyz.250.0 0.0.0.255 administratively-prohibited
 permit icmp any abc.xyz.250.0 0.0.0.255 echo
 permit icmp any abc.xyz.250.0 0.0.0.255 echo-reply
 permit icmp any abc.xyz.250.0 0.0.0.255 packet-too-big
 permit icmp any abc.xyz.250.0 0.0.0.255 time-exceeded
 permit icmp any abc.xyz.250.0 0.0.0.255 traceroute
 permit icmp any abc.xyz.250.0 0.0.0.255 unreachable
 permit ip host abc.xyz.90.49 host abc.xyz.90.50
 permit ip host abc.xyz.90.49 host abc.xyz.250.1
 permit ip host abc.xyz.90.49 host abc.xyz.253.51
 permit ip abc.xyz.60.0 0.0.1.255 host abc.xyz.253.51
 permit ip abc.xyz.60.0 0.0.1.255 host abc.xyz.250.1
 permit ip abc.xyz.60.0 0.0.1.255 host abc.xyz.90.50
 permit ip abc.xyz.156.0 0.0.1.255 host abc.xyz.253.51
 permit ip abc.xyz.156.0 0.0.1.255 host abc.xyz.250.1
 permit ip abc.xyz.156.0 0.0.1.255 host abc.xyz.90.50
 permit ip abc.xyz.250.0 0.0.0.255 host abc.xyz.253.51
 permit ip abc.xyz.250.0 0.0.0.255 host abc.xyz.250.1
 permit ip abc.xyz.250.0 0.0.0.255 host abc.xyz.90.50
 evaluate internet-iptraffic
 deny ip any any log
ip access-list extended internet-outbound
 permit ip abc.xyz.250.0 0.0.0.255 any reflect internet-iptraffic
</pre>
= PacNOG Workshop Router =
<pre>
Current configuration : 9415 bytes
!
! Last configuration change at 13:13:25 Fiji Sat Jun 25 2005 by philip
! NVRAM config last updated at 13:13:26 Fiji Sat Jun 25 2005 by philip
!
version 12.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service internal
!
hostname gw
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
no logging console
enable secret 5 xxxx
!
username philip secret 5 xxxx
clock timezone Fiji 12
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login default local enable
aaa authentication enable default enable
aaa session-id common
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
!
!
ip tcp path-mtu-discovery
!
!
ip cef
no ip bootp server
ip domain name pacnog.school.fj
ip name-server 202.62.124.238
ip name-server 202.62.120.4
ip ips po max-events 100
ip scp server enable
ipv6 unicast-routing
ipv6 general-prefix pacnog 6to4 Serial0/0
ipv6 cef
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel2002
 no ip address
 no ip redirects
 ipv6 address pacnog ::1/64
 ipv6 traffic-filter ipv6-in in
 ipv6 traffic-filter ipv6-out out
 tunnel source Serial0/0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 description PacNOG core LAN
 ip address 192.168.1.254 255.255.255.0 secondary
 ip address 202.62.122.30 255.255.255.224
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
 ipv6 address pacnog ::1:0:0:0:1/64
 no cdp enable
!
interface Serial0/0
 description ADSL link to Connect.com.fj
 ip address 202.62.125.62 255.255.255.252
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 loopback
 fair-queue
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
!
interface FastEthernet0/1.11
 encapsulation dot1Q 11
 ip address 192.168.250.1 255.255.255.252
!
interface FastEthernet0/1.12
 encapsulation dot1Q 12
 ip address 192.168.251.1 255.255.255.252
!
interface FastEthernet0/1.13
 encapsulation dot1Q 13
 ip address 192.168.250.5 255.255.255.252
!
interface FastEthernet0/1.14
 encapsulation dot1Q 14
 ip address 192.168.251.5 255.255.255.252
!
interface FastEthernet0/1.15
 encapsulation dot1Q 15
 ip address 192.168.250.9 255.255.255.252
!
interface FastEthernet0/1.16
 encapsulation dot1Q 16
 ip address 192.168.251.9 255.255.255.252
!
interface FastEthernet0/1.17
 encapsulation dot1Q 17
 ip address 192.168.250.13 255.255.255.252
!
interface FastEthernet0/1.18
 encapsulation dot1Q 18
 ip address 192.168.251.13 255.255.255.252
!
interface FastEthernet0/1.19
 encapsulation dot1Q 19
 ip address 192.168.250.17 255.255.255.252
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.251.17 255.255.255.252
!
interface FastEthernet0/1.21
 encapsulation dot1Q 21
 ip address 192.168.250.21 255.255.255.252
!
interface FastEthernet0/1.22
 encapsulation dot1Q 22
 ip address 192.168.251.21 255.255.255.252
!
interface FastEthernet0/1.23
 encapsulation dot1Q 23
 ip address 192.168.250.25 255.255.255.252
!
interface FastEthernet0/1.24
 encapsulation dot1Q 24
 ip address 192.168.251.25 255.255.255.252
!
interface Serial0/1
 no ip address
 shutdown
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 bgp deterministic-med
 network 192.168.250.0 mask 255.255.254.0
 network 202.62.122.0 mask 255.255.255.224
 neighbor ebgp-peers peer-group
 neighbor ebgp-peers description eBGP peers
 neighbor ebgp-peers password 7 02050D480809
 neighbor ebgp-peers default-originate
 neighbor 192.168.250.2 remote-as 1
 neighbor 192.168.250.2 peer-group ebgp-peers
 neighbor 192.168.250.6 remote-as 3
 neighbor 192.168.250.6 peer-group ebgp-peers
 neighbor 192.168.250.10 remote-as 5
 neighbor 192.168.250.10 peer-group ebgp-peers
 neighbor 192.168.250.14 remote-as 7
 neighbor 192.168.250.14 peer-group ebgp-peers
 neighbor 192.168.250.18 remote-as 9
 neighbor 192.168.250.18 peer-group ebgp-peers
 neighbor 192.168.250.22 remote-as 11
 neighbor 192.168.250.22 peer-group ebgp-peers
 neighbor 192.168.250.26 remote-as 13
 neighbor 192.168.250.26 peer-group ebgp-peers
 neighbor 192.168.251.2 remote-as 2
 neighbor 192.168.251.2 peer-group ebgp-peers
 neighbor 192.168.251.6 remote-as 4
 neighbor 192.168.251.6 peer-group ebgp-peers
 neighbor 192.168.251.10 remote-as 6
 neighbor 192.168.251.10 peer-group ebgp-peers
 neighbor 192.168.251.14 remote-as 8
 neighbor 192.168.251.14 peer-group ebgp-peers
 neighbor 192.168.251.18 remote-as 10
 neighbor 192.168.251.18 peer-group ebgp-peers
 neighbor 192.168.251.22 remote-as 12
 neighbor 192.168.251.22 peer-group ebgp-peers
 neighbor 192.168.251.26 remote-as 14
 neighbor 192.168.251.26 peer-group ebgp-peers
 distance bgp 200 200 200
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0 permanent
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 192.168.250.0 255.255.254.0 Null0 254
ip route 202.62.122.0 255.255.255.224 Null0 254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Serial0/0 overload
!
logging trap debugging
access-list 1 permit 202.62.122.0 0.0.0.31
access-list 1 deny any
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 202.62.122.0 0.0.0.31 any
access-list 100 deny tcp any any eq 81
access-list 100 deny udp any any eq netbios-ns
access-list 100 deny tcp any any eq 135
access-list 100 deny tcp any any eq 139
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any eq 1025
access-list 100 deny tcp any any eq 1337
access-list 100 deny udp any any eq 1434
access-list 100 deny tcp any any eq 2745
access-list 100 deny tcp any any eq 3001
access-list 100 deny tcp any any eq 3127
access-list 100 deny tcp any any eq 3128
access-list 100 deny tcp any any eq 4662
access-list 100 deny tcp any any eq 5000
access-list 100 deny tcp any any eq 6129
access-list 100 permit icmp any any
access-list 100 deny udp any any eq 2049
access-list 100 permit tcp any any established
access-list 100 permit udp any any gt 1023
access-list 100 permit ipinip any any
access-list 100 permit 41 any any
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit udp any eq isakmp any eq isakmp
access-list 100 permit tcp any any eq 22
access-list 100 permit tcp any any eq ident
access-list 100 permit udp any any eq ntp
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any eq ftp any
access-list 100 deny ip any any log
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 1025
access-list 101 deny tcp any any eq 1337
access-list 101 deny udp any any eq 1434
access-list 101 deny tcp any any eq 2745
access-list 101 deny tcp any any eq 3001
access-list 101 deny tcp any any eq 3127
access-list 101 deny tcp any any eq 3128
access-list 101 deny tcp any any eq 4662
access-list 101 deny tcp any any eq 5000
access-list 101 deny tcp any any eq 6129
access-list 101 permit ip 202.62.125.60 0.0.0.3 any
access-list 101 permit ip 202.62.122.0 0.0.0.31 any
access-list 101 deny ip any any log
ipv6 route 2002::/16 Tunnel2002
ipv6 route ::/0 2002:806B:F0FE::1
!
!
!
ipv6 access-list ipv6-in
 deny tcp any any eq 135
 deny tcp any any eq 445
 permit icmp any any
 permit tcp any any established
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq 143
 permit tcp any any eq 5901
 permit tcp any any eq domain
 permit udp any any eq domain
 permit udp any any eq ntp
 permit udp any any eq 5
 permit udp any eq isakmp any eq isakmp
 deny udp any any eq 2049
 permit udp any any gt 1023
 deny ipv6 any any log
!
ipv6 access-list ipv6-out
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 permit ipv6 any any
!
ipv6 access-list vty
 permit ipv6 2002:CA3E:7D3E:1::/64 any
 deny ipv6 any any log
!
control-plane
!
!
!
!
!
!
!
!
banner login ^C
PacNOG Workshop Router - Unauthorised access prohibited!^C
!
line con 0
 transport preferred none
 transport output ssh
line aux 0
line vty 0 4
 access-class 1 in
 ipv6 access-class vty in
 transport preferred none
 transport input ssh
 transport output telnet ssh
!
ntp clock-period 17208515
ntp server 202.62.124.238
!
end

gw#
</pre>
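The numbered extended ACLs on this page (the port-mnemonic list and the PacNOG `access-list 100` bound inbound on Serial0/0) are evaluated top-down, first match wins, with an unlogged implicit deny after the last entry. The evaluator below is an added example, not code from the page or the PacNOG configuration; it runs a constructed subset of `access-list 100`, handles `any`, wildcard masks, `eq`/`gt`, `established` and `log`, and uses an `ack` flag on the constructed packet to stand in for the TCP ACK/RST bits that `established` tests.

```python
import ipaddress
# Constructed subset of the page's PacNOG "access-list 100" (applied inbound on Serial0/0).
ACL_TEXT = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 202.62.122.0 0.0.0.31 any
access-list 100 deny tcp any any eq 445
access-list 100 permit tcp any any established
access-list 100 permit udp any any gt 1023
access-list 100 permit udp any any eq domain
access-list 100 deny ip any any log
"""
PORTS = {"domain": 53, "www": 80, "smtp": 25, "ntp": 123, "telnet": 23, "ident": 113}

def _addr(tok):  # consume one address spec (any | A WILDCARD); return (network, remaining tokens)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    wild = int(ipaddress.IPv4Address(tok[1]))  # Cisco wildcard: 1 bits are "don't care"
    net = ipaddress.ip_network(f"{tok[0]}/{32 - wild.bit_length()}", strict=False)
    return net, tok[2:]

def parse(line):
    t = line.split()  # access-list N action proto SRC DST [eq|gt PORT] [established] [log]
    rule = {"action": t[2], "proto": t[3], "port": None,
            "established": "established" in t, "log": t[-1] == "log"}
    rule["src"], rest = _addr(t[4:])
    rule["dst"], rest = _addr(rest)
    if rest and rest[0] in ("eq", "gt"):
        rule["port"] = (rest[0], PORTS.get(rest[1]) or int(rest[1]))
    return rule

def packet(proto, src, dst, dport=0, ack=False):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport, "ack": ack}

def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if pkt["src"] not in rule["src"] or pkt["dst"] not in rule["dst"]:
        return False
    if rule["port"]:
        op, p = rule["port"]
        if (op == "eq" and pkt["dport"] != p) or (op == "gt" and pkt["dport"] <= p):
            return False
    return not rule["established"] or pkt["ack"]  # established: ACK or RST bit set

def evaluate(acl_text, pkt):  # first matching entry wins; unmatched traffic hits the implicit deny
    for rule in map(parse, acl_text.strip().splitlines()):
        if matches(rule, pkt):
            return rule["action"], rule["log"]
    return "deny", False  # the implicit deny is not logged, unlike the explicit "deny ip any any log"
```

A spoofed 10.0.0.0/8 source or a packet claiming the router's own 202.62.122.0/27 block is dropped by the anti-spoofing entries before any port rule is consulted, and a new inbound TCP connection without ACK set falls through to the logged `deny ip any any`.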