https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344151#M343281 <HTML><HEAD></HEAD><BODY><P>Hello Dan,</P><P></P><P>Yeah, you could also try to use reflexive ACLs but that's certanly not as scalable as the ZBFW option.</P><P></P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Tue, 10 Sep 2013 19:26:39 GMT Julio Carvajal 2013-09-10T19:26:39Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344142#M343272 <P>Hello,</P><P></P><P>Does a router require a Firewall license in order to apply an ACL in the inward direction on an outside interface?&nbsp; I have a router which I use to NAT our internal network and I want to apply a simple ACL to block unwanted access to the router from the internet.&nbsp; As soon as this ACL is applied the users cannot browse the internet.&nbsp; I do have a couple of other ISR routers with a firewall license and I use the inspect commands.&nbsp; This is an ASR which may be different, but I do not have the firewall license applied to this router.</P><P></P><P>Any help would be great.</P><P></P><P>Thanks,</P><P>Dan.</P> Tue, 12 Mar 2019 02:35:57 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344142#M343272 dan.letkeman 2019-03-12T02:35:57Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344143#M343273 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>No need for the ACL,</P><P></P><P>You can provide us the configuration and then we will analize it for you</P><P></P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Mon, 09 Sep 2013 21:38:20 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344143#M343273 Julio Carvajal 2013-09-09T21:38:20Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344144#M343274 <HTML><HEAD></HEAD><BODY><P>Ok, so what do you use to secure the router?</P><P></P><P>There is nothing notable about the config.&nbsp; Inside interface, outside interface and nat in between.</P><P></P><P>interface GigabitEthernet0/0/0</P><P> description Outside Interface</P><P> ip address 64.64.20.64 255.255.255.128 secondary</P><P> ip address 37.7.7.8 255.255.255.252</P><P> ip nat outside</P><P> negotiation auto</P><P> cdp enable</P><P> ip virtual-reassembly</P><P>!</P><P>interface GigabitEthernet0/0/1</P><P> description Inside Interface</P><P> ip address 10.110.1.1 255.255.255.0</P><P> ip nat inside</P><P> negotiation auto</P><P> cdp enable</P><P> no ip virtual-reassembly</P><P></P><P>ip nat pool pool-159.1 64.64.20.64 64.64.20.64 netmask 255.255.255.128</P><P><SPAN style="font-size: 10pt;">ip nat inside source list ip-nat-159.1 pool pool-159.1 overload</SPAN></P></BODY></HTML> Tue, 10 Sep 2013 14:39:59 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344144#M343274 dan.letkeman 2013-09-10T14:39:59Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344145#M343275 <HTML><HEAD></HEAD><BODY><P>Hello Dan,</P><P></P><P>I meant no need for a license in order to use ACLs.</P><P></P><P>Can you share the configuration you have when the issue happens?</P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Tue, 10 Sep 2013 15:58:53 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344145#M343275 Julio Carvajal 2013-09-10T15:58:53Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344146#M343276 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>either you use CBAC with the inspect commands and an inbound ACL on the WAN interface or you can use ZBF(zone Based Firewall) and in this case you don't need any ACL inbound on the WAN interface.</P><P>Can you tell us which ISR you've got so we can tell you which IOS/licence you need for the firewall feature(CBAC or ZBF).</P><P></P><P>Regards</P><P></P><P>Alain</P><P></P><P></P><P>Don't forget to rate helpful posts.</P></BODY></HTML> Tue, 10 Sep 2013 16:00:09 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344146#M343276 cadet alain 2013-09-10T16:00:09Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344147#M343277 <HTML><HEAD></HEAD><BODY><P>Ah ok, then I belive I must do some troubleshooting with the ACL then.&nbsp; I'm sure I am blocking something that is needed.&nbsp; I am basically denying everything except the traffic from our ISP for our BGP peer.</P><P></P><P>10 permit ip 64.64.0.0 0.0.255.255 any (8866 matches)</P><P><SPAN style="font-size: 10pt;">30 permit udp any any eq ntp (4916 matches)</SPAN></P><P>40 permit icmp any any echo-reply (9685 matches)</P><P>50 permit udp any any eq domain (477 matches)</P><P>60 permit tcp any any eq domain (13 matches)</P><P>1000 deny ip any any log (49238 matches)</P><P></P><P>Thanks,</P><P>Dan.</P></BODY></HTML> Tue, 10 Sep 2013 19:00:36 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344147#M343277 dan.letkeman 2013-09-10T19:00:36Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344148#M343278 <HTML><HEAD></HEAD><BODY><P>Its not an ISR its and ASR as posted on the first post.</P></BODY></HTML> Tue, 10 Sep 2013 19:01:10 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344148#M343278 dan.letkeman 2013-09-10T19:01:10Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344149#M343279 <HTML><HEAD></HEAD><BODY><P>Hello Dan,</P><P></P><P>The thing is that with the configuration you are denying HTTP , HTTPs, FTP, etc ,etc.</P><P></P><P>Is that what you are looking for, cause with that you will not allow access to any website.</P><P></P><P>My recomendation would be to use an inspection engine such as ZBFW that allows you to protect the internal network from outside users while still allowing all traffic from Inside to Outside.</P><P></P><P></P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Tue, 10 Sep 2013 19:09:15 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344149#M343279 Julio Carvajal 2013-09-10T19:09:15Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344150#M343280 <HTML><HEAD></HEAD><BODY><P>Yes I agree, unfortunetly that would requre a license.</P><P></P><P>Dan.</P></BODY></HTML> Tue, 10 Sep 2013 19:22:46 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344150#M343280 dan.letkeman 2013-09-10T19:22:46Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344151#M343281 <HTML><HEAD></HEAD><BODY><P>Hello Dan,</P><P></P><P>Yeah, you could also try to use reflexive ACLs but that's certanly not as scalable as the ZBFW option.</P><P></P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Tue, 10 Sep 2013 19:26:39 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344151#M343281 Julio Carvajal 2013-09-10T19:26:39Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344152#M343282 <HTML><HEAD></HEAD><BODY><P>Very interesting.&nbsp; I will look into this some more.&nbsp; As far as not being as scalable are there certain gotcha's with these ACl's?</P></BODY></HTML> Tue, 10 Sep 2013 19:36:01 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344152#M343282 dan.letkeman 2013-09-10T19:36:01Z https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344153#M343283 <HTML><HEAD></HEAD><BODY><P>Looks like reflexive acl's are also not an option without a license.</P></BODY></HTML> Wed, 11 Sep 2013 02:26:49 GMT https://community.cisco.com/t5/network-security/simple-acl-outside-interface/m-p/2344153#M343283 dan.letkeman 2013-09-11T02:26:49Z