A proposal for the configuration of the router/firewall from the IT technician, completed by DHA and based on the actual configuration. (The file is on ICT3 in E: folder PCproject.)

Easier way to read and to maintain:

access-list 10 permit 10.0.1.0 0.0.0.63   (block of addresses to be NATed)

-> Access list OUT (out of network 196.25.228.40)

access-list 100 permit tcp any any established   (Authorise responses of TCP/IP circuits)
access-list 100 permit udp host 196.25.228.42 eq domain any log
access-list 100 permit ip any host 196.24.1.77 log
access-list 100 permit ip any host 196.24.0.69 log
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq www   (Authorise consultation of external web sites)
access-list 100 permit udp 196.25.228.40 0.0.0.7 any eq domain   (Authorise consultation of external DNS, UDP)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq domain   (Authorise consultation of external DNS, TCP)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 443   (Authorise consultation of external ssl/https)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 20   (Authorise consultation of external ftp-data)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 21   (Authorise consultation of external ftp)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 22   (Authorise consultation of external ssh)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 23   (Authorise consultation of external telnet)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 110   (Authorise consultation of external pop3)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 585   (Authorise consultation of external imap4-ssl)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 264   (Authorise Secure Client connection: topology download)
access-list 100 permit udp 196.25.228.40 0.0.0.7 any eq 500   (Authorise Secure Client connection: IKE, UDP)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 500   (Authorise Secure Client connection: IKE, TCP)
access-list 100 permit udp 196.25.228.40 0.0.0.7 any eq 18233   (Authorise Secure Client connection: SCV keep-alive)
access-list 100 permit tcp 196.25.228.40 0.0.0.7 any eq 18231   (Authorise Secure Client connection: Policy Server logon)
access-list 100 permit udp 196.25.228.40 0.0.0.7 any eq 18234   (Authorise Secure Client connection: tunnel test)
access-list 100 permit udp 196.25.228.40 0.0.0.7 any eq 2746   (Authorise Secure Client connection: UDP encapsulation)
access-list 100 permit esp 196.25.228.40 0.0.0.7 any   (Authorise Secure Client connection: IPsec ESP, IP protocol 50)
access-list 100 permit ahp 196.25.228.40 0.0.0.7 any   (Authorise Secure Client connection: IPsec AH, IP protocol 51)
… (add one line for each other needed protocol authorisation)

-> Access list IN (into network 196.25.228.40)

access-list 101 permit tcp any host 196.25.228.45 established log   (Responses to the WWW server)
access-list 101 permit tcp any host 196.25.228.42 established log   (Responses to the DNS/DOMAIN server)
access-list 101 permit ip host 196.24.1.77 any log   (Access from trusted computer 196.24.1.77)
access-list 101 permit ip host 196.24.0.69 any log   (Access from trusted computer 196.24.0.69)
access-list 101 deny ip 196.25.228.40 0.0.0.7 any   (Protect the public block against usurpation: our own addresses must never arrive from outside)
access-list 101 deny ip host 172.16.1.54 host 172.16.1.54   (Protect 172.16.1.54, the S0 address of the router, against usurpation)
access-list 101 deny ip 127.0.0.0 0.255.255.255 any   (Interdiction of "localhost")
access-list 101 deny ip 0.0.0.0 0.255.255.255 any   (Interdiction of network 0)
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log   (Interdiction of private network A)
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log   (Interdiction of private network B)
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log   (Interdiction of private network C)
access-list 101 deny ip 224.0.0.0 15.255.255.255 any   (Interdiction of the multicast class)
access-list 101 deny ip any host 196.25.228.47   (Interdiction of the broadcast address of the public block)
access-list 101 deny ip any host 196.25.228.40   (Interdiction of the network address of the public block)
access-list 101 deny icmp any any echo   (Stop ICMP echo)
access-list 101 deny icmp any any redirect   (Stop ICMP redirect)
access-list 101 deny icmp any any mask-request   (Stop ICMP mask-request)
access-list 101 permit icmp any 196.25.228.40 0.0.0.7 log   (Authorise the other ICMP messages towards the public block)
… (complete with any other specific interdictions or authorisations)
access-list 101 permit tcp any host 196.25.228.42 eq smtp log
access-list 101 permit udp any host 196.25.228.42 eq domain log
access-list 101 permit tcp any host 196.25.228.42 eq domain log
access-list 101 permit tcp any host 196.25.228.42 eq 42 log
access-list 101 permit udp any host 196.25.228.42 eq nameserver log
access-list 101 permit tcp any host 196.25.228.45 eq www log

*** COMMENTS/INFO

Some of the major protocols:

  ftp-data     20   TCP/UDP
  ftp          21   TCP/UDP
  ssh          22   TCP/UDP
  telnet       23   TCP/UDP
  dns          53   TCP/UDP
  www/http     80   TCP/UDP
  pop3        110   TCP/UDP
  ssl/https   443   TCP/UDP
  imap4-ssl   585   TCP/UDP

The actual complete list of TCP and UDP port assignments is in the file 'portsnumbers.txt'.

** For Secure Client the following protocols must all be allowed to go out:
- TCP/264 (Topology Download)
- IKE: TCP 500, UDP 500
- IPsec ESP (IP protocol 50)
- IPsec AH (IP protocol 51)
- UDP 2746 (or another port if using UDP encapsulation)
- FW1_scv_keep_alive (UDP port 18233): used for SCV keep-alive packets
- FW1_pslogon_NG (TCP port 18231): used for SecureClient's logon to the Policy Server
- tunnel_test (UDP port 18234): used by the Check Point tunnel testing application

The authentication proxy works transparently with the Cisco IOS Firewall IDS and IPSec encryption features.

** In this configuration, the only machines which get quick responses are 196.25.228.42 and 196.25.228.45.
In the list OUT it is possible to add:

access-list 101 permit tcp any 196.25.228.40 0.0.0.7 established log

but in that case the machines themselves must be protected against false circuits / usurpation (forged sessions).
***
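As an added illustration (not part of the proposal above), the following Python script parses a constructed subset of inbound list 101 and evaluates sample packets against it with Cisco's first-match and implicit-deny semantics, including wildcard-mask matching, port keywords and the established keyword; the rule subset, the port-keyword table and the packets are assumptions constructed here for the demonstration.

```python
import ipaddress
from collections import namedtuple

# Constructed subset of the proposal's inbound list (ACL 101), kept in first-match order.
ACL_101 = """
access-list 101 permit tcp any host 196.25.228.45 established log
access-list 101 deny ip 196.25.228.40 0.0.0.7 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip any host 196.25.228.47
access-list 101 deny icmp any any echo
access-list 101 permit icmp any 196.25.228.40 0.0.0.7 log
access-list 101 permit udp any host 196.25.228.42 eq domain log
access-list 101 permit tcp any host 196.25.228.45 eq www log
"""
NAMES = {"domain": 53, "www": 80, "smtp": 25, "nameserver": 42}  # IOS port keywords used here
ICMP_TYPES = {"echo", "redirect", "mask-request"}
Rule = namedtuple("Rule", "action proto src dst sport dport flags")

def _addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard_bits), remaining tokens)."""
    if t[0] == "any": return (0, 0xFFFFFFFF), t[1:]
    if t[0] == "host": return (int(ipaddress.IPv4Address(t[1])), 0), t[2:]
    return (int(ipaddress.IPv4Address(t[0])), int(ipaddress.IPv4Address(t[1]))), t[2:]

def _in(spec, ip):
    """Cisco wildcard match: a 1 bit in the wildcard means 'do not care' for that bit."""
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def parse_rule(line):
    t = line.split()  # access-list N action proto SRC [eq port] DST [eq port] flags...
    action, proto = t[2], t[3]
    src, t = _addr(t[4:])
    sport = dport = None
    if t[:1] == ["eq"]: sport, t = int(NAMES.get(t[1], t[1])), t[2:]
    dst, t = _addr(t)
    if t[:1] == ["eq"]: dport, t = int(NAMES.get(t[1], t[1])), t[2:]
    return Rule(action, proto, src, dst, sport, dport, set(t))
RULES = [parse_rule(l) for l in ACL_101.strip().splitlines()]

def evaluate(rules, pkt):
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for r in rules:
        if r.proto not in ("ip", pkt["proto"]): continue
        if not (_in(r.src, pkt["src"]) and _in(r.dst, pkt["dst"])): continue
        if r.sport is not None and pkt.get("sport") != r.sport: continue
        if r.dport is not None and pkt.get("dport") != r.dport: continue
        if "established" in r.flags and not pkt.get("established"): continue
        if r.flags & ICMP_TYPES and pkt.get("icmp_type") not in r.flags: continue
        return r.action
    return "deny"
```

Feeding it a packet whose source claims to be inside 196.25.228.40/29 shows the anti-usurpation deny firing, while a non-established connection to a port with no permit entry falls through to the implicit deny.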