Cisco Config Cookbook
A nice start for an ACL (named extended ACL syntax, evaluated top-down with first match wins). The bogon entries below reflect the unallocated address space at the time of writing; such lists go stale as space is assigned, so check them against a current bogon list before deploying or they will drop legitimate traffic.
remark *** bogons (bogus outside networks)
deny ip 0.0.0.0 1.255.255.255 any log-input
deny ip 2.0.0.0 0.255.255.255 any log-input
deny ip 5.0.0.0 0.255.255.255 any log-input
deny ip 7.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 23.0.0.0 0.255.255.255 any log-input
deny ip 27.0.0.0 0.255.255.255 any log-input
deny ip 31.0.0.0 0.255.255.255 any log-input
deny ip 36.0.0.0 1.255.255.255 any log-input
deny ip 39.0.0.0 0.255.255.255 any log-input
deny ip 41.0.0.0 0.255.255.255 any log-input
deny ip 42.0.0.0 0.255.255.255 any log-input
deny ip 49.0.0.0 0.255.255.255 any log-input
deny ip 50.0.0.0 0.255.255.255 any log-input
deny ip 58.0.0.0 1.255.255.255 any log-input
deny ip 60.0.0.0 0.255.255.255 any log-input
deny ip 70.0.0.0 1.255.255.255 any log-input
deny ip 72.0.0.0 7.255.255.255 any log-input
deny ip 82.0.0.0 1.255.255.255 any log-input
deny ip 84.0.0.0 3.255.255.255 any log-input
deny ip 88.0.0.0 7.255.255.255 any log-input
deny ip 96.0.0.0 31.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.0.2.0 0.0.0.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 197.0.0.0 0.255.255.255 any log-input
deny ip 198.18.0.0 0.1.255.255 any log-input
deny ip 201.0.0.0 0.255.255.255 any log-input
deny ip 222.0.0.0 1.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
remark *** protocols
remark *** legacy small services no longer used
deny tcp any any range 0 19 log-input
deny udp any any range 0 19 log-input
remark *** snmp
deny tcp any any range 161 162 log-input
deny udp any any range 161 162 log-input
deny tcp any any eq 199 log-input
deny udp any any eq 199 log-input
deny tcp any any eq 391 log-input
deny udp any any eq 391 log-input
deny tcp any any eq 705 log-input
deny udp any any eq 705 log-input
deny tcp any any eq 1993 log-input
deny udp any any eq 1993 log-input
remark *** lan-only dhcp and tftp
deny udp any any range 67 69 log-input
deny tcp any any range 67 69 log-input
remark *** microsoft netbios
deny tcp any any range 135 139 log-input
deny udp any any range 135 139 log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
remark *** unix rpc
deny tcp any any eq 111 log-input
deny udp any any eq 111 log-input
remark *** lan-only unix services
deny tcp any any range 511 515 log-input
deny udp any any range 511 515 log-input
remark *** ircd
deny tcp any any eq 6667 log-input
deny udp any any eq 6667 log-input
remark *** icmp fragments
deny icmp any any fragments log-input
remark *** inbound ping
permit icmp any any echo
remark *** inbound ping response
permit icmp any any echo-reply
remark *** path MTU to function
permit icmp any any packet-too-big
remark *** flow control
permit icmp any any source-quench
remark *** time exceeded messages for traceroute and loops
permit icmp any any time-exceeded
remark *** block all other ICMP packets
deny icmp any any log-input
remark *** permit everything else
permit ip any any
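Because the entries are matched top-down and the second address field is a Cisco wildcard (inverse) mask, it is easy to misread what a line covers when reviewing: 96.0.0.0 31.255.255.255 is 96.0.0.0/3 and silently takes in 127.0.0.0/8 along with the whole 96-127 block. The following added example (not part of the original cookbook) simulates that first-match evaluation over an embedded excerpt of the ACL so a reviewer can check offline what a given packet would hit; the packet addresses used in the checks are constructed test values.

```python
# Excerpt of the page's ACL (one or two entries per section), embedded so this runs offline.
ACL_TEXT = """
deny ip 96.0.0.0 31.255.255.255 any log-input
deny udp any any range 161 162 log-input
deny tcp any any eq 445 log-input
deny icmp any any fragments log-input
permit icmp any any echo
deny icmp any any log-input
permit ip any any
"""

def _ip(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")
def _addr(tokens):
    # 'any' or 'ADDRESS WILDCARD' -> ((base, wildcard) as ints, leftover tokens)
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
def _match_addr(spec, ip):
    # Cisco wildcard: 1 bits are "don't care"; only bits where the wildcard is 0 are compared
    care = ~spec[1] & 0xFFFFFFFF
    return (_ip(ip) & care) == (spec[0] & care)
def parse_acl(text):
    # Each entry -> (action, protocol, src, dst, (low, high) ports or None, qualifier or None)
    entries = []
    for t in (line.split() for line in text.strip().splitlines()):
        if not t or t[0] == "remark":
            continue
        src, rest = _addr(t[2:])
        dst, rest = _addr(rest)
        ports, hi = None, 2 if rest[:1] == ["range"] else 1  # 'eq N' or 'range LOW HIGH'
        if rest and rest[0] in ("eq", "range"):
            ports, rest = (int(rest[1]), int(rest[hi])), rest[hi + 1:]
        qual = rest[0] if rest and rest[0] != "log-input" else None  # ICMP type or 'fragments'
        entries.append((t[0], t[1], src, dst, ports, qual))
    return entries

def evaluate(entries, src, dst, proto, dport=None, icmp_type=None, fragment=False):
    # First match wins; a packet matching nothing hits Cisco's implicit deny at the end
    for action, p, s, d, ports, qual in entries:
        if p not in ("ip", proto) or not (_match_addr(s, src) and _match_addr(d, dst)):
            continue
        if ports and not (dport is not None and ports[0] <= dport <= ports[1]):
            continue
        # 'fragments' matches non-initial fragments only; any other qualifier is an ICMP type
        if (qual == "fragments" and not fragment) or (qual not in (None, "fragments") and qual != icmp_type):
            continue
        return action
    return "deny"
```

Paste the full ACL from above into ACL_TEXT to check it whole; the bitwise compare is used because library prefix parsing rejects wildcard masks such as 31.255.255.255.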