
External Port Access Lists

Let's go in-depth into the Access Control Lists that filter our traffic at the perimeter and establish
some best practices and guidelines.
We'll start with the external Access Control List (ACL). You should generally use an Extended
ACL, because it controls the flow of packets based not only on IP address but also on protocol
type and port. All the ACLs we cover will be done using the Extended IP type. The first line in your
external ACL should be:
no access-list 100
This clears out any previous version of the ACL so you build it from a clean slate.
From this point we start building our ACL based on specifically denying certain network ranges
and services and allowing specifically the services and ports that our network needs to operate.
access-list 100 deny ip your.ip.range any log ! Spoofing Prevention (your own range must never arrive from outside)
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log ! Block Reserved Networks
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log ! Block Reserved Networks
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log ! Block Reserved Networks
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log ! Block Loopback/Reserved
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log ! Block Multicast (if not used); 224.0.0.0/4 needs the 15.255.255.255 wildcard
access-list 100 deny ip host 0.0.0.0 any log ! Block Broadcast Address
access-list 100 deny icmp any any redirect log ! Block ICMP Redirects
access-list 100 permit icmp any any echo-reply ! Permits ICMP replies
access-list 100 permit icmp any any unreachable ! Permits ICMP unreachables
access-list 100 permit icmp any any ttl-exceeded ! Permits ICMP time outs
access-list 100 permit tcp any host 10.0.0.2 eq 80 ! Permits HTTP to your Web Server
access-list 100 permit tcp any host 10.0.0.2 eq 443 ! Permits SSL to your Web Server
access-list 100 permit tcp any host 10.0.0.3 eq 25 ! Permits SMTP to your Mail Server
access-list 100 permit udp host ip.of.name.server eq domain any ! Permits DNS replies (UDP)
access-list 100 permit tcp host ip.of.name.server eq domain any ! Permits DNS replies (TCP)
Note: DNS servers always send information from port 53, regardless of whether it is going to
another DNS server or to a client. The reason we also allow TCP on port 53 is that the DNS rules
say to retry over TCP when the reply is too large to fit in a UDP packet. If you don't allow TCP
port 53, you may find that zone transfers don't occur and some names just don't resolve.
access-list 100 permit tcp any eq 20 any gt 1023 ! Permits Active FTP
Note: This allows Active FTP, which is not as secure as Passive FTP, because it lets any outside
host with source port 20 open a connection to any high port inside. If you want to force all of your
clients to use passive FTP (which is much more secure), remove this entry.
access-list 100 permit tcp any any established ! Permits established traffic into your network
Note: The established keyword only exists for TCP (it matches packets with the ACK or RST bit
set), so the entry must say tcp rather than ip. This allows established traffic, i.e. return traffic for
connections that originated from your network, back to the host that initiated them.

access-list 100 deny icmp any any log ! Denies all unwanted icmp and logs the traffic
access-list 100 deny ip any any log ! Denies all unwanted ip and logs the traffic
Finally we block everything we haven't explicitly allowed and log that traffic. The implicit deny at
the end of every ACL would drop it anyway, but the explicit entry gives you the log.
We've defined our external ACL. You should print this and add it to your handbook along with
the soft copy saved on a diskette. Next we'll go define the inside interfaces' ACLs and further
segment our inbound traffic.
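As an added worked example (not part of the original handbook), the following Python parses the ACL above and evaluates packets against it with the first-match and wildcard-mask semantics IOS uses, which makes the ordering point concrete: a spoofed private source is dropped by the early deny even though a later line would permit HTTP to the web server, and a reply without the ACK bit never matches the established entry. The placeholders your.ip.range and ip.of.name.server are assumed here to be 203.0.113.0/24 and 198.51.100.53; the parser also handles the general eq/gt/lt port operators and ICMP type keywords, not only the lines shown.

```python
import ipaddress

# Constructed sample: the external ACL from the page with placeholders filled in
# (your.ip.range assumed 203.0.113.0/24, ip.of.name.server assumed 198.51.100.53).
ACL_100 = """
access-list 100 deny ip 203.0.113.0 0.0.0.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny icmp any any redirect log
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 10.0.0.2 eq 80
access-list 100 permit tcp any host 10.0.0.2 eq 443
access-list 100 permit udp host 198.51.100.53 eq domain any
access-list 100 permit tcp any eq 20 any gt 1023
access-list 100 permit tcp any any established
access-list 100 deny ip any any log
""".strip().splitlines()

NAMED_PORTS = {"domain": 53, "www": 80, "smtp": 25}  # IOS port keywords used on the page

def _addr(t, i):
    """Consume one address spec (any | host A | A WILDCARD); returns (network, wildcard), next index."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _port(t, i):
    """Consume an optional port operator (eq/gt/lt N or keyword)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def parse_ace(line):
    t = line.split("!")[0].split()          # drop any trailing "! comment"; t[2]=action, t[3]=protocol
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(t[i:]) - {"log"}}   # remaining keywords: established, ICMP type names

def _match_addr(a, spec):
    net, wc = spec
    return (a & ~wc) == (net & ~wc)          # wildcard bit set = "don't care"

def _match_port(p, spec):
    return spec is None or {"eq": p == spec[1], "gt": p > spec[1], "lt": p < spec[1]}[spec[0]]

def evaluate(acl, proto, src, dst, sport=0, dport=0, ack=False, icmp_type=None):
    """First-match evaluation; returns (action, line index) or ("deny", None) for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for idx, ace in enumerate(parse_ace(l) for l in acl):
        if ace["proto"] not in ("ip", proto) or not (_match_addr(s, ace["src"]) and _match_addr(d, ace["dst"])):
            continue
        if not (_match_port(sport, ace["sport"]) and _match_port(dport, ace["dport"])):
            continue
        if "established" in ace["flags"] and not ack:
            continue
        types = ace["flags"] - {"established"}
        if types and icmp_type not in types:
            continue
        return ace["action"], idx
    return "deny", None
```

Try `evaluate(ACL_100, "tcp", "10.1.2.3", "10.0.0.2", 40000, 80)` to see the spoofed HTTP request stop at line 1, and the same packet from 198.51.100.7 reach the permit on line 5.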
