Access List Help

I have the Following Access list setup for one of our Offices. Its on a Cisco 2610XM that has T1's to the internet. The list is applied to the MFR0 interface I'm wondering if I should Have the Router Filter out this stuff, or pass it along to the firewall (PIX 515e) and have it filter out the stuff.

The one thing I like about the Firewall is that I can log all of the Traffic.

Thank you, Scott

Reply to
Scott Townsend
Loading thread data ...

IOS can also log denied traffic using the keyword log or log-input at the end of each aCL statement. You want to be careful that it not not consume too much CPU - make sure console logging is disabled !!!

In addition with IOS, you can see the ACL matches for each ACL condition by using the show access-list command

Reply to
Merv

Thank you for your reply.

I know that you can log the Access-Lists on the Router, though I just didn't want to have to open a Port for the Syslog server on the inside of the firewall.

I was just wondering if the Firewall would be a better Packet Denier vs. the Router as that's what the Firewall does?

Reply to
Scott Townsend

You take a performance hit just for having -any- access-list applied on any interface [at least until the x800 series]. Enabling ip cef generally minimizes the performance hit (compared to other filtering control mechanisms).

formatting link
If you are using a new enough IOS, there are [if I recall correctly] also "compiled" access-lists which make ACL processing much faster, but at the cost of requiring a lot of memory.

My personal rule of thumb is to use router ACLs to protect the infrastructure itself (e.g., prevent spoofed packets from getting inwards), and to block RFC1918 private ranges -- and then to hand the rest off to the firewall. If I do not happen to be using RFC1918 ranges internally, I'd consider handing control of those over to the firewall too. [There are some situations in which it is most convenient to use an RFC1918 range between the router and the firewall -- you can't always spare a public subnet.]

Reply to
Walter Roberson

Reply to
Scott Townsend

This actually has nothing to do with your question but I see a bit of a flaw in your ACL that I figured you might want to know...

access-list 103 deny icmp any any access-list 103 deny icmp any 0.0.0.0 255.255.255.0 access-list 103 deny icmp any 0.0.0.255 255.255.255.0 access-list 103 deny icmp any any redirect

the first of all these lines denies everything ICMP related, so the other lines are redundant and do absolutely nothing, so you'll either want to reorder them if you're looking for logging (and of course add the log keyword).

But something else you'll want to realize - if you deny ALL ICMP you're blocking Path MTU Discovery which can be very important in some cases (some apps rely on it, as well as many OS's). Although things will still work, they will be suboptimal if you don't allow PMTUD.

To make sure PMTUD continues to function, you'll want to allow ICMP unreachable and time-exceeded.

I usually permit these two ICMP types, then deny all other ICMP traffic on my Internet facing router.

Just a side note that can drastically affect performance...

Ryan

Reply to
rdymek

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.