cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
872
Views
0
Helpful
12
Replies

ACL issue with Router 2801

imranraheel
Level 1
Level 1

I have to implement an ACL on my router and have to block all the incoming access except some protocols.

Sample ACL is listed below

permit tcp any 29.165.175.0 0.0.0.255 eq 443

permit tcp any 29.165.175.0 0.0.0.255 eq 9000

permit icmp any any echo-reply

deny ip any any

The ACLs will be applied on “in” of the “outside interface”.

I just want to know whould it block the inbound request generated in return of the traffic which will be generated from inside, like if I browse cisco.com, would the request be blocked when the website contants try to come in from outside.

Do i have to use established statement or reflex access list.

Let me know please

Thanks in Advance

12 Replies 12

Panos Kampanakis
Cisco Employee
Cisco Employee

Yes, return traffic will be blocked. I would suggest using inspect outbound in order to allow return traffic that is in response to an outbound connection (reflexive ACLs used to do it but they are deprecated now).

Here is a sample:

ip inspect name FW tcp

ip inspect name FW tcp

ip inspect name FW dns

ip inspect name FW

interface eth0/1

  description Outside

  ip inspect FW out

  ip access-group xxx in

I hope it helps.

PK

Thanks it make scence

Jitendriya Athavale
Cisco Employee
Cisco Employee

if you are ok with it you can enable a bsic firewall

on the router thus making it stateful, this will work

use the following

ip inspect name fw dns

ip inspect name fw tcp

ip inspect name fw udp

ip inspect name fw icmp

and apply tihs on the outsid einterface in outbound

int fa0

ip inspect fw out

ip access-group 100 in

whr acl 100 wiull haev permt for out to in connections and deny for rest

this way you will make your router stateful and secure in to out return traffic is permitted

thanks its every helpful

What about Active and Passive FTP

inspect ftp but agian depends

where exactly your server is whether inside or outside

make sure the more specific one like dns,ftp,http etc come first then comes the more generic one's like tcp and udp

You can add

ip inspect name FW ftp

Please mark this as answered if it is, for the benefit of others.

PK

Just to be specific

ip inspect name FW          rule is for all the inbound traffic which is generated in response of the outbound access.

Correct, it practically opens pinholes to the ACL that is applied inbound to the outside interface for the return traffic of inside initiated connections.

The inspection would need to be applied outbound of course.

Let us know if it solved it.

PK

Also we have some custom made apps which normally access few machines outside of our n

etwork and receives response on multiple ports. How can i allow that access from getting

blocked.

Thanks

Hello,

You would need only to allow them on the ACL applied on the outside interface. If the application uses UDP or TCP as transport protocol, they will be allowed back and forth with the Inspect FW.

Cheers,.

Mike

Mike
Review Cisco Networking for a $25 gift card