Applying security to outside interface


(Donald S) #1

Using the access list below to apply some security to my internet interface connected to my home network. I know the access list should have a permit statement at the end, but in this case it seems out of place and should not be there. If I leave it out, LAN traffic is blocked. Do I have to explicitly allow LAN traffic?

10 deny tcp any host 10.0.0.2 eq echo
20 deny tcp any host 10.0.0.2 eq discard
30 deny tcp any host 10.0.0.2 eq daytime
40 deny tcp any host 10.0.0.2 eq chargen
50 deny tcp any host 10.0.0.2 eq telnet
60 deny tcp any host 10.0.0.2 eq finger
70 deny ip 127.0.0.0 0.255.255.255 any
80 deny ip 192.168.0.0 0.0.0.255 any
90 deny ip 172.16.0.0 0.0.255.255 any
100 deny ip host 0.0.0.0 any
110 deny ip 224.0.0.0 31.255.255.255 any
120 deny icmp any any redirect
130 deny udp any any eq snmp
140 permit ip any any (254 matches)

(Rene Molenaar) #2

Hi Donald,

Your “permit ip any any” will permit everything that is not denied in earlier statements. Are these two statements not causing trouble for you?

80 deny ip 192.168.0.0 0.0.0.255 any
90 deny ip 172.16.0.0 0.0.255.255 any

Rene
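The two points made in this thread (an IOS ACL is evaluated top-down with the first matching line deciding the fate of the packet, and every ACL ends in an implicit "deny" that only a trailing "permit ip any any" overrides) can be checked by simulating the posted list. The following is an added example, not code from the thread or from any Cisco tool: a small first-match evaluator, written here for illustration, that parses the access list exactly as Donald posted it and walks it for a few constructed packets. Packet addresses (203.0.113.5, 192.168.0.10) are made-up sample values; the port keyword table covers only the keywords that appear in the list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the access list from the thread, copied verbatim.
ACL_TEXT = """\
10 deny tcp any host 10.0.0.2 eq echo
20 deny tcp any host 10.0.0.2 eq discard
30 deny tcp any host 10.0.0.2 eq daytime
40 deny tcp any host 10.0.0.2 eq chargen
50 deny tcp any host 10.0.0.2 eq telnet
60 deny tcp any host 10.0.0.2 eq finger
70 deny ip 127.0.0.0 0.255.255.255 any
80 deny ip 192.168.0.0 0.0.0.255 any
90 deny ip 172.16.0.0 0.0.255.255 any
100 deny ip host 0.0.0.0 any
110 deny ip 224.0.0.0 31.255.255.255 any
120 deny icmp any any redirect
130 deny udp any any eq snmp
140 permit ip any any
"""

# IOS port keywords used in this list, mapped to their port numbers.
PORT_NAMES = {"echo": 7, "discard": 9, "daytime": 13, "chargen": 19,
              "telnet": 23, "finger": 79, "snmp": 161}


@dataclass
class Rule:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None means "any destination port"
    icmp_type: Optional[str] = None   # None means "any ICMP type"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS-style wildcard (hostmask) after the slash,
    # e.g. 192.168.0.0/0.0.0.255 -> 192.168.0.0/24. (A 0.0.0.0 wildcard would
    # be read as /0, which is why 'host' is handled separately above.)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <keyword|number>' qualifier starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src, i = _addr(t, 3)
        _, i = _port(t, i)            # source-port qualifiers (unused in this list)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        icmp_type = t[i] if proto == "icmp" and i < len(t) else None
        rules.append(Rule(seq, action, proto, src, dst, dport, icmp_type))
    return rules


def evaluate(rules, pkt):
    """First-match evaluation. Returns (action, seq); seq is None for the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action, r.seq
    return "deny", None   # the implicit deny at the end of every IOS ACL


def without(rules, *seqs):
    """Return a copy of the list with the given sequence numbers removed."""
    return [r for r in rules if r.seq not in seqs]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    lan = Packet("tcp", "192.168.0.10", "203.0.113.5", 443)   # LAN host browsing out
    print("as posted:            ", evaluate(acl, lan))                  # ('deny', 80)
    print("without line 80:      ", evaluate(without(acl, 80), lan))     # ('permit', 140)
    print("without 80 and 140:   ", evaluate(without(acl, 80, 140), lan))  # ('deny', None)
    print("telnet to 10.0.0.2:   ", evaluate(acl, Packet("tcp", "203.0.113.5", "10.0.0.2", 23)))
```

Running it reproduces the thread: with the list as posted, traffic sourced from 192.168.0.0/24 never reaches line 140 because line 80 matches first and drops it; with line 80 removed, the same packet falls through to the trailing "permit ip any any"; and with both 80 and 140 removed, nothing matches and the implicit deny drops it, which is exactly why LAN traffic is blocked when the permit line is left out. Note that an evaluator like this only checks the ordering logic of a list; it says nothing about which interface or direction the ACL is applied to, which matters just as much for a bogon filter like this one.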


(Donald S) #3

Yes. Removing the deny for the internal LAN seems to have fixed the problem.

80 deny ip 192.168.0.0 0.0.0.255 any

Thanks Rene