topic Re: ACL issue with Router 2801 in Network Security

ACL issue with Router 2801

imranraheel — Mon, 11 Mar 2019 19:00:30 GMT

I have to implement an ACL on my router and have to block all the incoming access except some protocols.

Sample ACL is listed below

permit tcp any 29.165.175.0 0.0.0.255 eq 443

permit tcp any 29.165.175.0 0.0.0.255 eq 9000

permit icmp any any echo-reply

deny ip any any

The ACLs will be applied on “in” of the “outside interface”.

I just want to know whould it block the inbound request generated in return of the traffic which will be generated from inside, like if I browse cisco.com, would the request be blocked when the website contants try to come in from outside.

Do i have to use established statement or reflex access list.

Let me know please

Thanks in Advance

Re: ACL issue with Router 2801

Panos Kampanakis — Tue, 26 Oct 2010 15:24:27 GMT

Yes, return traffic will be blocked. I would suggest using inspect outbound in order to allow return traffic that is in response to an outbound connection (reflexive ACLs used to do it but they are deprecated now).

Here is a sample:

ip inspect name FW tcp

ip inspect name FW dns

ip inspect name FW

interface eth0/1

description Outside

ip inspect FW out

ip access-group xxx in

I hope it helps.

Re: ACL issue with Router 2801

Jitendriya Athavale — Tue, 26 Oct 2010 15:27:33 GMT

if you are ok with it you can enable a bsic firewall

on the router thus making it stateful, this will work

use the following

ip inspect name fw dns

ip inspect name fw tcp

ip inspect name fw udp

ip inspect name fw icmp

and apply tihs on the outsid einterface in outbound

int fa0

ip inspect fw out

ip access-group 100 in

whr acl 100 wiull haev permt for out to in connections and deny for rest

this way you will make your router stateful and secure in to out return traffic is permitted

Re: ACL issue with Router 2801

imranraheel — Tue, 26 Oct 2010 15:29:42 GMT

thanks its every helpful

Re: ACL issue with Router 2801

imranraheel — Tue, 26 Oct 2010 15:30:02 GMT

Thanks it make scence

Re: ACL issue with Router 2801

imranraheel — Tue, 26 Oct 2010 15:32:37 GMT

What about Active and Passive FTP

Re: ACL issue with Router 2801

Jitendriya Athavale — Tue, 26 Oct 2010 15:36:46 GMT

inspect ftp but agian depends

where exactly your server is whether inside or outside

Re: ACL issue with Router 2801

Panos Kampanakis — Tue, 26 Oct 2010 15:37:15 GMT

You can add

ip inspect name FW ftp

Please mark this as answered if it is, for the benefit of others.

Re: ACL issue with Router 2801

Jitendriya Athavale — Tue, 26 Oct 2010 15:37:41 GMT

make sure the more specific one like dns,ftp,http etc come first then comes the more generic one's like tcp and udp

Re: ACL issue with Router 2801

imranraheel — Tue, 26 Oct 2010 17:02:04 GMT

Just to be specific

ip inspect name FW rule is for all the inbound traffic which is generated in response of the outbound access.

Re: ACL issue with Router 2801

Panos Kampanakis — Tue, 26 Oct 2010 17:07:45 GMT

Correct, it practically opens pinholes to the ACL that is applied inbound to the outside interface for the return traffic of inside initiated connections.

The inspection would need to be applied outbound of course.

Let us know if it solved it.

Re: ACL issue with Router 2801

imranraheel — Tue, 26 Oct 2010 17:12:31 GMT

Also we have some custom made apps which normally access few machines outside of our n

etwork and receives response on multiple ports. How can i allow that access from getting

blocked.

Thanks

Re: ACL issue with Router 2801

Maykol Rojas — Tue, 26 Oct 2010 17:45:10 GMT

Hello,

You would need only to allow them on the ACL applied on the outside interface. If the application uses UDP or TCP as transport protocol, they will be allowed back and forth with the Inspect FW.

Cheers,.

Mike