Recently, I created a short video that shows you how to secure your Cisco router using access control lists (ACLs) in Cisco IOS. It is a step-by-step ten-minute video, originally published over at SearchNetworking.com.
In the video, I walk you through the steps you need to take to use IOS extended ACLs to define and filter traffic between two networks for better network security.
Here is my network diagram: the less secure 10.1.1.0/24 network sits behind interface fa4, and the more secure 192.168.1.0/24 network, with the web server 192.168.1.200 and the PC 192.168.1.201, sits behind vlan1 (the topology follows from the interfaces each ACL is applied to below).
Here is the actual ACL used in the video:
! SAMPLE ACL
!
! Notes:
! DNS resolution must be happening locally
! Default gateways must be configured on each side of the network
! If you were doing this between a LAN and the Internet, you would have NAT to take into account
! Reflexive access-lists or firewall features can be used to improve on this
! Every IOS ACL ends with an implicit "deny ip any any", so anything not permitted below is dropped
!
ip access-list extended less-secure
 remark allow all hosts on 10 net to access web server
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq www
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq 443
 remark allow RESPONSE to secure PC's requests for access to web, ftp control,
 remark data, smtp, and pop3 on 10 net
 remark (these entries match on source port only, which the sending host chooses)
 permit tcp 10.1.1.0 0.0.0.255 eq www host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp-data host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq smtp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq pop3 host 192.168.1.201
!
ip access-list extended more-secure
 remark allow web server to respond to all hosts on 10 net
 permit tcp host 192.168.1.200 eq www 10.1.1.0 0.0.0.255
 permit tcp host 192.168.1.200 eq 443 10.1.1.0 0.0.0.255
 remark allow PC full access to make requests to less secure network
 permit tcp host 192.168.1.201 10.1.1.0 0.0.0.255
!
! Apply each list inbound on the interface facing the network it filters
int fa4
 ip access-group less-secure in
int vlan1
 ip access-group more-secure in
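To see how IOS actually walks these entries, here is an added example (written for this page, not code from the video, from Cisco, or from the author): a small Python model of the extended-ACL subset used above, applying first-match evaluation, wildcard masks, and the implicit deny at the end of every list. It also carries a hypothetical variant, less-secure-established, that is not on the page: the five source-port reply entries are replaced by the IOS established keyword, which matches only segments with ACK or RST set. The host 10.1.1.10 and the ports 51000 and 3389 in the demo packets are constructed values.

```python
"""Toy evaluator for the Cisco IOS extended-ACL subset used on this page
(permit/deny tcp, host/any/wildcard addresses, 'eq PORT', 'established').
Added example, not IOS code: it models first-match and the implicit deny."""
import ipaddress
from dataclasses import dataclass

# Service names IOS accepts in place of port numbers (subset).
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True for any TCP segment after the initial SYN

def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> (net, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def _parse_port(tok):
    """Consume an optional 'eq PORT'; None means any port."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_acl(text):
    """ACL lines -> list of (action, src, sport, dst, dport, established)."""
    entries = []
    for line in text.splitlines():
        line = line.split("!", 1)[0].strip()
        if not line or line.startswith(("remark", "ip access-list")):
            continue
        tok = line.split()
        action, proto, tok = tok[0], tok[1], tok[2:]
        if action not in ("permit", "deny") or proto != "tcp":
            raise ValueError("unsupported entry: " + line)
        src, sport = _parse_addr(tok), _parse_port(tok)
        dst, dport = _parse_addr(tok), _parse_port(tok)
        entries.append((action, src, sport, dst, dport, "established" in tok))
    return entries

def _addr_match(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(acl_text, pkt):
    """First matching entry wins; no match is the implicit 'deny ip any any'."""
    for action, src, sport, dst, dport, established in parse_acl(acl_text):
        if not (_addr_match(pkt.src, src) and _addr_match(pkt.dst, dst)):
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if established and not pkt.ack:  # 'established' needs ACK or RST set
            continue
        return action
    return "deny"

# The page's 'less-secure' ACL (applied inbound on fa4), remarks omitted.
LESS_SECURE = """
ip access-list extended less-secure
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq www
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq 443
 permit tcp 10.1.1.0 0.0.0.255 eq www host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp-data host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq smtp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq pop3 host 192.168.1.201
"""

# Hypothetical tightening (not from the page): reply entries keyed on the
# 'established' keyword instead of on a source port the sender controls.
LESS_SECURE_ESTABLISHED = """
ip access-list extended less-secure-established
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq www
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq 443
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.201 established
"""

if __name__ == "__main__":
    # Constructed packets: a genuine HTTP reply to the secure PC, and a SYN
    # from a 10-net host that merely sets its source port to 80.
    reply = Packet("10.1.1.10", 80, "192.168.1.201", 51000, ack=True)
    probe = Packet("10.1.1.10", 80, "192.168.1.201", 3389)
    for acl in (LESS_SECURE, LESS_SECURE_ESTABLISHED):
        name = acl.split()[3]
        print(name, "reply:", evaluate(acl, reply), "probe:", evaluate(acl, probe))
```

Run as a script, the page's less-secure list permits the probe: a host on the 10 net that picks source port 80 (or 21, 20, 25, 110) can open a connection to any TCP port on 192.168.1.201, because those five entries key only on a value the sender controls. The established variant drops that SYN while still passing the real reply. It is a flag check, not session tracking: it will not stop an attacker who sends ACK-flagged segments, and it blocks active-mode FTP data connections, which the server opens from port 20 toward the client. Reflexive access-lists or the firewall features mentioned in the notes track actual sessions and close both gaps.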

David Davis (CCIE #9369, VCP, CISSP, MCSE) has been in the IT industry for 15+ years. He has authored over 300 articles, 6 video training courses, and co-authored one book. Learn about David's certifications, video courses, and where you can find his content on our
2 comments
Thank you for taking your valuable time to create such helpful content for those (like myself) that are new and curious to the Cisco world.
Hello,
I am new to the Cisco world. This video is very helpful and interesting, but I have a question: why does your extended ACL not have a line saying "deny ip any any", or something that says that any other traffic won't be allowed?
Thanks!