Re: ACL issue with Router 2801

imranraheel · ‎10-26-2010

I have to implement an ACL on my router and have to block all the incoming access except some protocols.

Sample ACL is listed below

permit tcp any 29.165.175.0 0.0.0.255 eq 443

permit tcp any 29.165.175.0 0.0.0.255 eq 9000

permit icmp any any echo-reply

deny ip any any

The ACLs will be applied on “in” of the “outside interface”.

I just want to know whould it block the inbound request generated in return of the traffic which will be generated from inside, like if I browse cisco.com, would the request be blocked when the website contants try to come in from outside.

Do i have to use established statement or reflex access list.

Let me know please

Thanks in Advance

Panos Kampanakis · ‎10-26-2010

Yes, return traffic will be blocked. I would suggest using inspect outbound in order to allow return traffic that is in response to an outbound connection (reflexive ACLs used to do it but they are deprecated now).

Here is a sample:

ip inspect name FW tcp

ip inspect name FW dns

ip inspect name FW

interface eth0/1

description Outside

ip inspect FW out

ip access-group xxx in

I hope it helps.

PK

imranraheel · ‎10-26-2010

Thanks it make scence

Jitendriya Athavale · ‎10-26-2010

if you are ok with it you can enable a bsic firewall

on the router thus making it stateful, this will work

use the following

ip inspect name fw dns

ip inspect name fw tcp

ip inspect name fw udp

ip inspect name fw icmp

and apply tihs on the outsid einterface in outbound

int fa0

ip inspect fw out

ip access-group 100 in

whr acl 100 wiull haev permt for out to in connections and deny for rest

this way you will make your router stateful and secure in to out return traffic is permitted

imranraheel · ‎10-26-2010

thanks its every helpful

imranraheel · ‎10-26-2010

What about Active and Passive FTP

Jitendriya Athavale · ‎10-26-2010

inspect ftp but agian depends

where exactly your server is whether inside or outside

Jitendriya Athavale · ‎10-26-2010

make sure the more specific one like dns,ftp,http etc come first then comes the more generic one's like tcp and udp

Panos Kampanakis · ‎10-26-2010

You can add

ip inspect name FW ftp

Please mark this as answered if it is, for the benefit of others.

PK

imranraheel · ‎10-26-2010

Just to be specific

ip inspect name FW rule is for all the inbound traffic which is generated in response of the outbound access.

Panos Kampanakis · ‎10-26-2010

Correct, it practically opens pinholes to the ACL that is applied inbound to the outside interface for the return traffic of inside initiated connections.

The inspection would need to be applied outbound of course.

Let us know if it solved it.

PK

imranraheel · ‎10-26-2010

Also we have some custom made apps which normally access few machines outside of our n

etwork and receives response on multiple ports. How can i allow that access from getting

blocked.

Thanks

Maykol Rojas · ‎10-26-2010

Hello,

You would need only to allow them on the ACL applied on the outside interface. If the application uses UDP or TCP as transport protocol, they will be allowed back and forth with the Inspect FW.

Cheers,.

Mike