General ACL for traffic cleaning / security

I started to apply the attached ACL in an attempt to clean up our WAN traffic. We work with each site to clean things up at the source, but in order to be proactive, we thought that the clip is a good start. It also helps children issue on LANs. It essentially restricts these troublesome protocols (ports 137, 138, 139, etc.) to only our address space, in order to reduce the "wandering" traffic of viruses, worms and others. Any recommendations on improving this list? We are looking at deploying an IDS, but it will probably be only in the kernel to start. I know this is not a large ACL, but it is a start, and is better than nothing. Just trying to be proactive and keep things as secure as possible.

Hi bberry.

I don't really know why you allow NetBIOS ports 137, 138, 139 and 445 inside your network to any... I hope that the private networks 192.168.0.0/172.16.x.x etc. are your inside networks... Am I wrong? In any case, apart from these ports, make sure you also block the ports given below:

TCP 79 - finger, UDP 161/162 - SNMP / SNMP trap, TCP 513 - rlogin, UDP 513 - who, TCP/UDP 514 - syslog

You need to block all of these if they are not necessary... This is really vulnerable...

You must also disable unnecessary services on the router, such as CDP, TCP/UDP small servers, finger, HTTP server, BOOTP server, IP source routing, proxy ARP, IP directed broadcasts etc., if they are not needed...

If the WAN link is an internet link, ask the service provider to apply these access rules. Applying too many access lists on your side will eat a lot of resources on the router.

I hope this helps... all the best...

REDA
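
The reply's recommendations written out as an IOS configuration, as an added example that is not part of the original thread and is not the poster's attached ACL. The ACL name, the interface, 10.0.0.0/8 as "our address space" and 10.1.1.10 as the management host are assumptions.

```cisco
! Added example. Assumed values: WAN-CLEAN, Serial0/0,
! 10.0.0.0/8 (our address space), 10.1.1.10 (NMS / syslog host).
!
! --- Router services the reply says to disable if unused ---
no cdp run
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip http server
no ip bootp server
no ip source-route
!
ip access-list extended WAN-CLEAN
 remark NetBIOS/SMB only between our own networks
 permit udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 range 137 138
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 139
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 445
 deny   udp any any range 137 138
 deny   tcp any any eq 139
 deny   tcp any any eq 445
 remark SNMP polls from, and traps/syslog to, the management host only
 permit udp host 10.1.1.10 any eq 161
 permit udp any host 10.1.1.10 eq 162
 permit udp any host 10.1.1.10 eq 514
 remark Ports listed in the reply: finger, SNMP, rlogin, who, syslog
 deny   tcp any any eq 79
 deny   udp any any range 161 162
 deny   tcp any any eq 513
 deny   udp any any eq 513
 deny   tcp any any eq 514
 deny   udp any any eq 514
 permit ip any any
!
interface Serial0/0
 no ip proxy-arp
 no ip directed-broadcast
 ip access-group WAN-CLEAN in
```

`show access-lists WAN-CLEAN` prints a hit count per entry, which shows which deny lines are still matching traffic while the sites are being cleaned up at the source.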

Tags: Cisco Security

Similar Questions

  • External ACL does not increment for traffic allowed through the site to site VPN

    Hi all, we have many site-to-site IPsec VPNs that are sending traffic to us successfully - the largest part of this traffic is FTP or SFTP.

    There is no sysopt configuration on the ASA firewall. Access lists have been configured on the external interface of the ASA to allow these VPNs for FTP & SFTP connections - however, all counters are 0 when I do a 'show access-list internet-in' for FTP or SFTP.

    There are general IP entries in list of FTP & SFTP natted access connected to the Internet addresses of these FTP servers and these are incrementing, but then there are certain customers who use the internet to transfer files.

    I guess what I am asking is: do the ASA outside access lists increment for traffic allowed by VPN? The access list entries are for THEIRINTERNALIP to OURINTERNALIP (according to the crypto map).

    Just to add that these ACLs are configured through object groups, in case that matters - also, once again, they are correctly transferring files to us - only I don't get where they are allowed.

    Thanks in advance

    Mark

    VPN traffic is flowing properly and there is no ACL allowing UDP 500 or ESP?

    Can you post the output of "sh run all sysopt"?

    Federico.

  • Got a big window that opens indicating 28 (?) virus/infections found and I need to reconfigure / sign up for XP Home Security

    Got a big window that opens indicating 28 (?) virus/infections found and I need to reconfigure / sign up for XP Home Security and allow him to get rid of these infections. Never recorded this before scan. It doesn't let me go anywhere to check anything, can not access the internet, continues to say that you are infected, danger danger, for example. Turned it all off, the computer restarts. Can't do anything with it... Guess I need to take it to someone who can remove the pop up? I have nothing works, it will open a homepage for a second then throw it and packaged pop in front of everyone. Try adware and spybot and windows defender. He stops adware running and sends an error message that it stopped unexpectedly.  Windows Defender shows no abnormalities.  Never had any problems with this desktop computer... used mostly for commercial sites, not a lot of surfing, etc. made. No matter what?

    Hello

    This malware has many names and XP Home Security 2011 is one of them.

    XP Antispyware 2011, Vista Security 2011 and Win 7 Internet Security 2011 are name-changing rogues:
    fake antivirus, a scam to force you to pay for them while they have no benefit at all.

    Uninstall XP Antispyware 2011, Vista Security 2011 and Win 7 Internet Security 2011 (Uninstall Guide)
    http://www.bleepingcomputer.com/virus-removal/remove-win-7-Internet-Security-2011

    It can be done repeatedly in Safe Mode (tap F8 as you start); however, you must also run it in
    regular Windows when you can.

    Download malwarebytes and scan with it, run MRT and add Prevx to be sure that he is gone. (If Rootkits run UnHackMe)

    Download - SAVE - go to where you put - right-click on it - RUN

    Malwarebytes - free
    http://www.Malwarebytes.org/products/malwarebytes_free

    Run the malware removal tool from Microsoft

    RUN - type in the box-> MRT.exe

    You should get this tool and its updates via Windows updates - if necessary, you can download it here.

    Download - SAVE - go to where you put - right-click on it - RUN
    (Then run MRT as shown above.)

    Microsoft Malicious - 32-bit removal tool
    http://www.Microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

    Microsoft Malicious removal tool - 64 bit
    http://www.Microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495e-94E7-6349F4EFFC74&displaylang=en

    also install Prevx to be sure that it is all gone.

    Download - SAVE - go to where you put - right-click on it - RUN

    Prevx - Home - free - small, fast, exceptional CLOUD protection, working with other security programs.
    It is a single scanner, VERY EFFICIENT, if it finds something to come back here or use Google for
    see how to remove.
    http://www.prevx.com/
    http://info.prevx.com/downloadcsi.asp

    PCMag Editor's Choice - Prevx
    http://www.PCMag.com/Article2/0,2817,2346862,00.asp

    Try the demo version of Hitman Pro:

    Hitman Pro is a second opinion scanner, designed to rescue your computer from malicious software (viruses,
    Trojan horses, rootkits, etc.) that has infected your computer despite all the security measures you have taken
    (such as anti-virus software, firewall, etc.).
    http://www.SurfRight.nl/en/hitmanpro

    --------------------------------------------------------

    If necessary here are some free online scanners to help the

    http://www.eset.com/onlinescan/

    -----------------------------------

    Original version is now replaced by the Microsoft Safety Scanner
    http://OneCare.live.com/site/en-us/default.htm

    Microsoft safety scanner
    http://www.Microsoft.com/security/scanner/en-us/default.aspx

    ----------------------------------

    http://www.Kaspersky.com/virusscanner

    Other tests free online
    http://www.Google.com/search?hl=en&source=HP&q=antivirus+free+online+scan&AQ=f&OQ=&AQI=G1

    --------------------------------------------------------

    Also do the following to clean up general corruption and repair/replace damaged/missing system files.

    Run DiskCleanup - start - all programs - Accessories - System Tools - Disk Cleanup

    RUN - type in the box-

    sfc /scannow

    Then run checkdisk (chkdsk).

    RUN - type in the box-

    Chkdsk /f /r

    -----------------------------------------------------------------------

    If we find Rootkits use this thread and other suggestions. (Run UnHackMe)

    http://social.answers.Microsoft.com/forums/en-us/InternetExplorer/thread/a8f665f0-C793-441A-a5b9-54b7e1e7a5a4/

    I hope this helps.

    Rob Brown - Microsoft MVP - Windows Expert - Consumer

  • Why no implicit route for traffic from IPSec-L2L tunnel?

    In a hub-and-spoke IPSec environment, it is not difficult to implement routing by spoke to the hub.

    But on the hub side of a tunnel, where it is the gateway of last resort for traffic from the spoke, it seems almost counterintuitive that the ACL and even the crypto statements don't implicitly create a route for the traffic into the tunnel to the station at the far end (spoke).  It could always be overridden with a static if necessary.

    There is probably a good reason for this, but I can't think of it.  Or am I the only person who thinks it is strange... or maybe an opportunity to feature?

    Hello

    This feature exists and is called reverse route injection. The route is created dynamically (based on the crypto ACL) and is only available when the SA is up.

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gt_rrie.html

    HTH

    Laurent.

  • I spent hours on web sites looking for advice clean my iMac - they were all dead ends.  I send a question to this 'Community' first, but must have done it badly because there was no trace of it.  I have the effect on this model beach ball

    I spent hours on web sites looking for advice clean my iMac - they were all dead ends.  I send a question to this 'Community' first, but must have done it badly because there was no trace of it.  I now have the beach on this computer ball effect.  Are there places I can delete cookies etc to help out?  Thank you for your help.

    horse8905

    Don't know what's happening, you do not give a lot of information, but if you have the constant beachballing (spinning wait cursor), which could mean that the hard drive is dying.

    Open Console.app in Applications > Utilities. In the filter field labeled "String Matching" at the top right, enter "I/o" without the quotes. What happens when you do this?

  • Windows update error 646 for update of security on microsoft works 9

    Windows update error 646 for update of security on microsoft works 9

    See:

    http://support.Microsoft.com/kb/2258121

    TaurArian [MVP] 2005-2011. The information has been provided * being * with no guarantee or warranty.

  • Important updates for Vista SP2 Security Installation failure: update MSXML 4.0 SP2 (KB927978) AND (KB954430) security, citing error Code 652, Windows Update encountered an unknown error!

    Has no significant updates for VISTA SP2 security installation: MSXML 4.0 SP2 (KB927978) security AND (KB954430), citing error Code 652, Windows Update encountered an unknown error! How is it Windows Update does not recognize it's own mistakes? I tried several times to install both of these important updates without success. Please help me so that I can install these two updates & get back on the right track. Thank you!

    See the section "How to get help", for example, http://support.microsoft.com/kb/927978

    Visit the Microsoft Solution Center and antivirus security for resources and tools to keep your PC safe and healthy. If you have problems with the installation of the update itself, visit the Microsoft Update Support for resources and tools to keep your PC updated with the latest updates.

    For enterprise customers, support for security updates is available through your usual support contacts.

    ~ Robear Dyer (PA Bear) ~ MS MVP (that is to say, mail, security, Windows & Update Services) since 2002 ~ WARNING: MS MVPs represent or work for Microsoft

  • Windows KB2572067 for Windows XP security update shows every day. I'm updating, apparently successfully, and 15-20 min. later it is trying to update again. How to solve this?

    Windows KB2572067 for Windows XP security update shows every day.  I'm updating, apparently successfully, and 15-20 min. later it is trying to update again.  How to solve this?

    Hello

    Thanks for posting the request in the Microsoft Community.

    It would be great if you can answer the following questions:

    1. Were any changes made on the computer before the issue occurred?

    2. Does the problem occur for a particular update?

    Method 1:

    See the article and try to run Microsoft Fix it:

    The problem with Microsoft Windows Update is not working

    http://support.Microsoft.com/mats/windows_update/en-us

    Method 2:

    I suggest you to see link and check if it helps:

    Troubleshooting Windows Update or Microsoft Update when you are repeatedly offered an update

    http://support.Microsoft.com/kb/910339

    Let us know if it helps.

  • HP Stream 13.3: master password for the software security device

    I recently bought my HP laptop and I thought it would be a good idea to use the password, and I created one and do not remember for the life of me what it is. I used Google to see what I could do. It told me that I could restore the computer to factory settings, keep my files and clear the password. I tried, and when I logged on today it again asked me for the password in a box that says: Please enter the master password for the software security device. I tried everything. How can I get rid of this or reset it so that I can pick one and write it down? It won't let me connect to the web site of my school, because even if I click cancel it tells me that I can't get in because it cannot determine my credentials. Yes, even though I entered my password for my school site, which is not serious because I do not know the master password! Please help as soon as you can!

    PiTT

    See the document of support here:

    https://support.Mozilla.org/en-us/KB/reset-your-master-password-if-you-forgot-it

  • KB2631813 for Windows XP security update has failed repeatedly to install (error code: 0 x 8007003)

    original title: KB2631813 for Windows XP security update has failed repeatedly to install

    Update KB2631813 for Windows XP security repeatedly failed to install - error code 0 x 8007003. All other updates install successfully. None of the proposed solutions have worked so far including clear update history.

    should [1] I really KB2631813?

    [2] my computer seems not to like it.

    [3] do you think that KB2631813 is really all this effort?

    A1. Yes, as much as you need at every update of safety critical other.

    Note that the vulnerability being patched (e.g., MS12-004) requires KB2598479 and KB2631813 to install! IOW, your computer is still vulnerable to the exploit if KB2631813 is not installed.

    A2. Your computer 'loved' KB975562 (which is replaced or replaced by KB2631813), so it should also 'like' KB2631813.

    A3. Is the security of your computer and data to this topic (e.g., banking online & credit card passwords) really this effort?

    Repost...

    Visit the Microsoft Solution Center and antivirus security for resources and tools to keep your PC safe and healthy. If you have problems with the installation of the update itself, visit the Microsoft Update Support for resources and tools to keep your PC updated with the latest updates.

  • How to install the update for CAPICOM (KB931906) Security Version 2.1.0.2

    original title: implementation of security update for CAPICOM (KB931906) Version 2.1.0.2

    How can I take care of this update for CAPICOM (KB931906) security Publisher Version 2.1.0.2 Http//support_microsoft.com?Kbid=931906

    Hi FOTISmaheras,
     
    -What exactly is the problem you are having? Are you unable to install this update?
    -If Yes, are the other updates complete the installation successfully without any problem?
     
    CAPICOM is a component of Windows that provides services to programs that allow cryptography-based security. This includes the features of authentication which uses digital signatures for enveloping messages and to encrypt and decrypt data.

    Note This update requires Microsoft Windows Installer version 3.0 or a later version of Windows Installer.

     
    For more information, click on the number below to view the article in the Microsoft Knowledge Base:
    292539 How to obtain the Windows Installer engine
     
     
    Download the stand-alone update package and install it manually.

  • XP does not start, unable to run the command line for the clean boot

    Hello

    For the last two weeks, I've been unable to boot XP, caused by a virus, I think. I can get into safe mode, but stopped to run antivirus software because I said that I don't have the appropriate privileges. There is no system restore points available, and I think that my computer is too old for me to ask the manufacturer (HP) for an OEM drive.

    Now that I found this forum, I decided to try the suggestion of the thread stickied for a clean boot, but I can't even click on RUN and load the command prompt. I click, but nothing happens. Many programs in safe mode did the same thing for me.

    Is there another way to get to the command prompt so I can try to get a clean boot? Is there another way to access msconfig? I read here that I can press F10 to try the HP and XP 'factory re-install', but the HP splash screen no longer appears, perhaps due to a new MSI motherboard I put in a few months ago. Any help?

    If all else fails, I buy a Windows 7 Upgrade disk and which will still work? Or would I need to buy the complete installation of W7 to "clean up" my system?

    Thank you.

    Jacob S.,
    Thanks for posting with us.  Have you tried to run MSConfig from safe mode?  If the immediate window does not work, you can right click on your taskbar and start the Task Manager.  From there, you can select file > new task > and then type msconfig in the window.

    With respect to obtaining OEM disc, you may be able to buy them from HP, but since you have replaced the motherboard and then the OEM disc probably does not work.  You should check with HP on this one.

    If you buy the upgrade to Windows 7 you can do a clean install, but it should be started from Windows.  You insert the DVD in the drive so that the desktop, and then select the custom Setup to perform a clean installation.  It will validate your XP before you start the installation.

    Now if you think that your PC has a virus (which it sounds like it might) then you can try using a free online virus scan.  You should be able to run one of them without blocking.  Also, make sure that you log on with an administrator account.  Here is a link to a scan online, that you can try, or you can search bing for others that are out there.
    http://OneCare.live.com/site/en-us/default.htm

    Mike - Engineer Support Microsoft Answers
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • Downloadable ACLs for users of VPN

    Hello

    I replaced the old PIX with an ASA (7.2). There were groups configured for the remote VPN users authenticated through the ACS, and the ACS downloads a specific ACL for each group to the PIX. After the replacement, users cannot establish the VPN connection. After troubleshooting, I discovered that the downloadable ACLs were not working very well. When I disabled this option, the tunnel established. When I go back to the old PIX with the same configuration, it works very well with the downloadable ACL option. I opened a TAC case and he said the ACS v3.0 (I) are not compatible with the ASA. He did not really convince me and he asked me to try to use the AV pair option. I tried the AV pair option with the ASA and it also did not work. Can you please advise?

    Hello

    Check out this point,

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCef21184

    In addition, 3.0 is very old, and I guess that in this version we have "Downloadable PIX ACL" and not "Downloadable IP ACL". On the ASA, downloadable ACLs will work with "Downloadable IP ACL" but not with "Downloadable PIX ACL".

    Kind regards

    Prem

  • I am looking for ENE PCI Secure Digital / MMC Card Reader Controller for Windows 7 64-bit.

    Hello

    I am looking for ENE PCI Secure Digital / MMC Card Reader Controller for Windows 7 64-bit.

    Any ideas, please?

    Hello

    I did a system image (drive C:) and a Windows 7 rescue DVD. Cool, it uses a Volume Snapshot.

    Then, I installed the Vista 64 bit drivers successfully.

    The drivers are:
    -ENE PCI Memory Stick Card Reader Controller

    -Card Secure Digital ENE PCI / MMC Card Reader Controller

    -AuthenTec Inc. AES2501A (fingerprint)

    -Trust Webcam 15007

    Unfortunately, the fingerprint reader does not work. I think my fingerprint reader is not compatible with the new Windows Biometric Framework (http://windowsteamblog.com/blogs/windows7/archive/2009/01/08/windows-7-puts-it-s-finger-on-enhanced-biometric-support.aspx)

    Thank you all, bye.

  • Can I use my Windows 7 Edition recovery disks Home Premium for a clean install on my old Windows XP computer?

    Hello world!  I hope someone can help.

    Can I use my Windows 7 Edition recovery disks Home Premium for a clean install on my old Windows XP computer?

    If this is a recovery from a different computer disk, you are unable to do so.

    In addition, if you were to format the computer, you will need to have a way to reinstall a copy of Windows with a genuine license.

    The best option if you need Windows 7 Home Premium is to buy a genuine license then you can make a custom (new installation).

    Where can I still get Windows 7?

    Version upgrade - Microsoft Windows 7 Home Premium Upgrade

    http://www.notebooks.com/2009/10/13/WinXP-to-Win7/
