We are updating ACLs on our Internet-facing routers and would like to restrict inbound traffic to the IP addresses of the hide-NAT entries.
From what I can see in the following URL, hide-NAT uses ports 600-1023, 10,000-60,000 and 60,001-65,000.
Could someone please confirm if this information is up to date and ideally give more information when/if the low ports (600-1023) and extra ports (60001-65000) are needed?
I would also like to know if these ports are used for both UDP and TCP connections or only for TCP. The main outbound UDP services that we are using are DNS and NTP, plus audio/video.
Please find below a sample ACL for inbound reply traffic for the hide-NAT address (x.x.x.x). Ideally we would like to restrict it further if possible.
permit tcp any host x.x.x.x range 600 1023
permit tcp any host x.x.x.x range 10000 65000
permit udp any host x.x.x.x range 600 1023
permit udp any host x.x.x.x range 10000 65000
We are running R80.20 on the security gateways and R80.40 on the management servers.
Thanks for your help!
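As an added illustration (not part of the post above or of any Check Point or Cisco documentation), the following Python script parses the four sample ACEs, evaluates a few constructed reply flows against them, and shows why the two upper hide-NAT pools quoted in the post collapse into a single `range 10000 65000` entry. The port pools are taken from the post as stated, not verified against the vendor, and the hide-NAT address `198.51.100.10` stands in for the post's `x.x.x.x`. The matcher models a permit-only list with an implicit deny at the end, which is how an extended ACL behaves when no ACE matches.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hide-NAT source-port pools as quoted in the post (assumption: taken from
# the post, not verified against Check Point documentation).
HIDE_NAT_POOLS = [(600, 1023), (10000, 60000), (60001, 65000)]

# Hypothetical hide-NAT address standing in for the post's x.x.x.x.
HIDE_NAT_HOST = "198.51.100.10"

# The post's sample ACL, with the placeholder address substituted.
SAMPLE_ACL = f"""
permit tcp any host {HIDE_NAT_HOST} range 600 1023
permit tcp any host {HIDE_NAT_HOST} range 10000 65000
permit udp any host {HIDE_NAT_HOST} range 600 1023
permit udp any host {HIDE_NAT_HOST} range 10000 65000
"""

# Only the ACE shape used in the post is supported: permit <proto> any host <ip> range <lo> <hi>
ACE_RE = re.compile(
    r"^\s*permit\s+(tcp|udp)\s+any\s+host\s+(\S+)\s+range\s+(\d+)\s+(\d+)\s*$"
)


@dataclass(frozen=True)
class Ace:
    proto: str
    dst: ipaddress.IPv4Address
    low: int
    high: int


def parse_acl(text: str) -> list[Ace]:
    """Parse permit-only ACEs; reject anything outside the supported syntax."""
    aces = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or IOS comment
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        proto, host, low, high = m.groups()
        low, high = int(low), int(high)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port range in ACE: {line!r}")
        aces.append(Ace(proto, ipaddress.IPv4Address(host), low, high))
    return aces


def permitted(aces: list[Ace], proto: str, dst: str, dport: int) -> bool:
    """First-match evaluation of a permit-only list; no match means implicit deny."""
    target = ipaddress.IPv4Address(dst)
    return any(
        a.proto == proto and a.dst == target and a.low <= dport <= a.high
        for a in aces
    )


def merge_ranges(ranges: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Coalesce overlapping or adjacent port ranges (60000 and 60001 are adjacent)."""
    merged: list[tuple[int, int]] = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def acl_for_pools(host: str, pools: list[tuple[int, int]],
                  protos: tuple[str, ...] = ("tcp", "udp")) -> list[str]:
    """Generate the minimal set of ACEs covering the given pools for each protocol."""
    return [
        f"permit {proto} any host {host} range {low} {high}"
        for proto in protos
        for low, high in merge_ranges(pools)
    ]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed reply flows: (proto, destination port on the hide-NAT address)
    flows = [("udp", 23456), ("udp", 53), ("tcp", 443), ("tcp", 60001), ("udp", 1024)]
    for proto, dport in flows:
        verdict = "permit" if permitted(acl, proto, HIDE_NAT_HOST, dport) else "deny"
        print(f"{proto} -> {HIDE_NAT_HOST}:{dport}: {verdict}")
    print("\n".join(acl_for_pools(HIDE_NAT_HOST, HIDE_NAT_POOLS)))
```

The matcher only looks at protocol, destination address and destination port, which is all the sample ACEs look at: a stateless ACL of this shape admits any packet to those ports, not only replies to NAT'ed sessions. For TCP, Cisco extended ACLs accept the `established` keyword to match only segments with ACK or RST set; UDP has no equivalent, so DNS, NTP and media replies can only be narrowed by port (and, where the upstream peers are fixed, by source address).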