https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924579#M437629 <HTML><HEAD></HEAD><BODY><P>Nice that worked well... Any reason I wouldn't do:</P><P></P><P>ip inspect name FW ip</P><P>access-list 101 deny ip any any</P><P></P><P>int Fa0/0</P><P> ip inspect FW out</P><P> ip access-group 101 in</P><P></P><P>Just curious. Thanks so much for your help, didn't know about that inspect function.</P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 06 May 2012 05:10:43 GMT mattlager 2012-05-06T05:10:43Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924576#M437626 <P>I've got a simple NAT router. Fa0/0 is outside and Fa0/1 is inside. Inside network is 172.16.1.0/24. Outside network is a single dynamic public IP assigned from the ISP. I'm trying to implement a "Deny by Default" rule set that denies all inbound traffic but allows all outbound traffic, but I can't seem to figure it out. I thought doing something like the following would work but it disables the Internet:</P><P></P><P>access-list 101 deny tcp any any</P><P>access-list 101 deny up any any</P><P></P><P>Then apply it as "in" on Fa0/0.</P><P></P><P>Any advice would be great!</P><P></P><P>Sent from Cisco Technical Support iPad App</P> Mon, 11 Mar 2019 23:02:46 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924576#M437626 mattlager 2019-03-11T23:02:46Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924577#M437627 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>It is not going to work. Basically replies are also tcp packets that are going to be potentially be denied by this rule. How to overcome this issue? Make it stateful, meaning, established sessions from the inside, their return packets are going to be allowed, however, sessions that were not initiated on the inside network rather than being accessed from the outside, they are going to be denied. </P><P></P><P>Apply this</P><P></P><P>ip inspect name FW tcp </P><P>ip inspect name FW udp </P><P>ip inspect name FW icmp </P><P></P><P>access-list 101 deny ip any any </P><P></P><P>int fa 0/0</P><P> ip inspect FW out </P><P> ip access-group 101 in </P><P></P><P>Let me know how it goes. </P><P></P><P>Mike </P></BODY></HTML> Sun, 06 May 2012 04:59:25 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924577#M437627 Maykol Rojas 2012-05-06T04:59:25Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924578#M437628 <HTML><HEAD></HEAD><BODY><P>Wow awesome that makes sense... I'll go give it a shot!</P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 06 May 2012 05:03:35 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924578#M437628 mattlager 2012-05-06T05:03:35Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924579#M437629 <HTML><HEAD></HEAD><BODY><P>Nice that worked well... Any reason I wouldn't do:</P><P></P><P>ip inspect name FW ip</P><P>access-list 101 deny ip any any</P><P></P><P>int Fa0/0</P><P> ip inspect FW out</P><P> ip access-group 101 in</P><P></P><P>Just curious. Thanks so much for your help, didn't know about that inspect function.</P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 06 May 2012 05:10:43 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924579#M437629 mattlager 2012-05-06T05:10:43Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924580#M437630 <HTML><HEAD></HEAD><BODY><P>I bet your going to say because only tcp, udp, and icmp can be stateful, just a guess this isn't what I'm an expert in <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 06 May 2012 05:20:04 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924580#M437630 mattlager 2012-05-06T05:20:04Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924581#M437631 <HTML><HEAD></HEAD><BODY><P><SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> </P><P></P><P>Well basically because there is no general IP inspection. You see, inspection work checking different information under the layer 3/4 in order to keep track of a session. For example in UDP and tcp you grab the Source IP and destination IP plus source and destination ports, with ICMP you grab the same, source IP destination IP and the code (Echo, echo reply and such) </P><P></P><P>If there was such thing like inspect IP, it would only grab source and destination ip address no matter if the packets belong to a valid session or not. What Cisco wanted to do is just to keep real and good track of each session to avoid attacks.</P><P></P><P>Kinda deep, if you want to check more about inspections, whenever you have time, you can take quick look on the following: </P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml">http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml</A></P><P></P><P>Glad I could help a bit. </P><P></P><P>Mike </P></BODY></HTML> Sun, 06 May 2012 05:21:33 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924581#M437631 Maykol Rojas 2012-05-06T05:21:33Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924582#M437632 <HTML><HEAD></HEAD><BODY><P>Nahh, its alright... first time I saw it it took me several sleepless nights just to understand it... been there donde that....</P></BODY></HTML> Sun, 06 May 2012 05:22:50 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924582#M437632 Maykol Rojas 2012-05-06T05:22:50Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924583#M437633 <HTML><HEAD></HEAD><BODY><P>Thanks again, this community is so supportive, full of people like you who really want to help and educate.</P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 06 May 2012 05:26:48 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924583#M437633 mattlager 2012-05-06T05:26:48Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924584#M437634 <P>Hi !</P> <P>Is there any way to archive this WITHOUT using ip inspect and use ONLY access-lists ? I mean to block all inbound traffic but allow all outgoing.</P> <P>Thanks.</P> Mon, 25 Apr 2016 17:13:43 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924584#M437634 momentousltd 2016-04-25T17:13:43Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924585#M437635 <P>It can be done, however only with TCP traffic, using the "established" keyword.&nbsp;</P> <P></P> Mon, 25 Apr 2016 17:20:28 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924585#M437635 Maykol Rojas 2016-04-25T17:20:28Z https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924586#M437636 <P>I also just found the solution of reflexive access list !</P> <P></P> <P><A href="https://supportforums.cisco.com/document/84441/reflexive-access-list-ios">https://supportforums.cisco.com/document/84441/reflexive-access-list-ios</A></P> Mon, 25 Apr 2016 17:46:58 GMT https://community.cisco.com/t5/network-security/block-all-inbound-allow-outbound/m-p/1924586#M437636 momentousltd 2016-04-25T17:46:58Z