05-05-2012 09:52 PM - edited 03-11-2019 04:02 PM
I've got a simple NAT router. Fa0/0 is outside and Fa0/1 is inside. Inside network is 172.16.1.0/24. Outside network is a single dynamic public IP assigned from the ISP. I'm trying to implement a "Deny by Default" rule set that denies all inbound traffic but allows all outbound traffic, but I can't seem to figure it out. I thought doing something like the following would work but it disables the Internet:
access-list 101 deny tcp any any
access-list 101 deny udp any any
Then apply it as "in" on Fa0/0.
Any advice would be great!
Sent from Cisco Technical Support iPad App
05-05-2012 09:59 PM
Hi,
It is not going to work. Basically, replies are also TCP packets that are potentially going to be denied by this rule. How to overcome this issue? Make it stateful, meaning that for sessions established from the inside, the return packets are going to be allowed; however, sessions that were not initiated on the inside network but are instead being accessed from the outside are going to be denied.
Apply this
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
access-list 101 deny ip any any
int fa 0/0
ip inspect FW out
ip access-group 101 in
Let me know how it goes.
Mike
05-05-2012 10:03 PM
Wow awesome that makes sense... I'll go give it a shot!
Sent from Cisco Technical Support iPad App
05-05-2012 10:10 PM
Nice that worked well... Any reason I wouldn't do:
ip inspect name FW ip
access-list 101 deny ip any any
int Fa0/0
ip inspect FW out
ip access-group 101 in
Just curious. Thanks so much for your help, didn't know about that inspect function.
Sent from Cisco Technical Support iPad App
05-05-2012 10:20 PM
I bet you're going to say because only TCP, UDP, and ICMP can be stateful. Just a guess, this isn't what I'm an expert in.
Sent from Cisco Technical Support iPad App
04-25-2016 10:13 AM
Hi !
Is there any way to achieve this WITHOUT using ip inspect and using ONLY access-lists? I mean to block all inbound traffic but allow all outgoing.
Thanks.
05-05-2012 10:21 PM
Well, basically because there is no general IP inspection. You see, inspection works by checking different information at layers 3/4 in order to keep track of a session. For example, with UDP and TCP you grab the source IP and destination IP plus the source and destination ports; with ICMP you grab the same, source IP and destination IP, plus the code (echo, echo reply and such).
If there were such a thing as inspect IP, it would only grab the source and destination IP address, no matter whether the packets belong to a valid session or not. What Cisco wanted to do is keep real and good track of each session to avoid attacks.
Kinda deep. If you want to check more about inspections, whenever you have time, you can take a quick look at the following:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
Glad I could help a bit.
Mike
05-05-2012 10:22 PM
Nahh, it's alright... the first time I saw it, it took me several sleepless nights just to understand it... been there, done that....
05-05-2012 10:26 PM
Thanks again, this community is so supportive, full of people like you who really want to help and educate.
Sent from Cisco Technical Support iPad App
04-25-2016 10:20 AM
It can be done, however only with TCP traffic, using the "established" keyword.
04-25-2016 10:46 AM
I also just found the reflexive access list solution!
https://supportforums.cisco.com/document/84441/reflexive-access-list-ios
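Putting the reflexive access list approach from that link into a configuration for the router described in the first post, as an added example (not taken from the thread or the linked document), assuming the interface names from the original post and made-up ACL and reflect names OUTBOUND, INBOUND, TCP-REFLECT, UDP-REFLECT and ICMP-REFLECT:

```cisco
! Outbound ACL: permit everything leaving Fa0/0 and record each session
! (addresses and ports) in a temporary reflexive entry with an idle timeout.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-REFLECT timeout 300
 permit udp any any reflect UDP-REFLECT timeout 60
 permit icmp any any reflect ICMP-REFLECT timeout 30
 permit ip any any
!
! Inbound ACL: only packets matching a reflexive entry (i.e. replies to a
! session opened from the inside) get in; everything else is denied and logged.
ip access-list extended INBOUND
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 evaluate ICMP-REFLECT
 deny ip any any log
!
! On the outside interface the outbound ACL is checked after NAT and the
! inbound ACL before NAT, so the reflexive entries carry the public address
! and match the returning packets correctly.
interface FastEthernet0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Stateless TCP-only alternative mentioned in the thread: "established"
! matches segments with ACK or RST set, so TCP replies are let in but
! nothing is tracked for UDP or ICMP, and the match trusts the flags
! rather than a real session table.
! access-list 101 permit tcp any any established
! access-list 101 deny ip any any log
```

The reflexive entries can be watched with `show ip access-lists` while a session is open from the inside; the `deny ... log` line gives a record of inbound traffic that was refused.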