12-16-2023 10:48 AM
I bought a C1111-8p router to set up a small lab at home and learn. I did not realize there was a separate security license. Since there is no firewall, if I setup a NAT ACL that only allows inside sources to outside interface and denies everything else, am I safe for now? I plan to get the security license eventually.
12-16-2023 10:54 AM
Sure, that works for the LAN subnet going to the Internet, if you do not want to allow anything from outside to inside.
Basic internet with NAT using a router:
12-16-2023 10:54 AM
Without a FW it is hard.
TCP is only two-way traffic (sure, ICMP also, but ICMP is only for test).
You can try an ACL for TCP with the established keyword,
and deny any UDP and TCP traffic from passing from outside to inside.
MHM
12-16-2023 10:59 AM
https://www.howtonetwork.com/ccna-security/access-control-lists-cisco-acl/
This link is for this kind of ACL.
Note: add deny any any log at the end of your ACL; this helps you to know what traffic is denied by the ACL, and then you can allow or deny traffic.
Note: try to number the ACL lines in increments of 10; in case you want to return and add a line between previous ones, you can do that.
MHM
12-16-2023 11:16 AM
So I really just need the security license, it sounds like. If I permit the inside subnet to the outside interface on my given subnets, but deny all else on the ACL, it will end up denying the returning packets and I will have no internet access basically, right? And if I deny all TCP and UDP specifically, it will be the same result, right? Keywords seem like I would constantly have to be adding new ones to prevent limited access. Keep in mind I'm a beginner here lol, and thank you guys for being so helpful! Those articles above are a big help to me learning here on my own.
12-16-2023 11:23 AM
"it will end up denying the packets returning and I will have no internet access basically right?" Sorry, yes.
That is why we need the established keyword, to allow return traffic only, and only if the traffic is initiated from your inside client.
For UDP, as I mentioned, you need to add deny any any log and see if your ACL denies any important UDP traffic.
Good luck
MHM
12-16-2023 08:01 PM
Apparently I have the license. In the GUI, there is an option to change the license level. I chose security k9, the router rebooted, and now I have threat defense and VPN. Is this a trial? The license status just shows "in use."
12-16-2023 10:47 PM
I'm not sure 100%, but since you activated it, use it; when it expires (if it is a trial) then get a new license.
MHM
12-17-2023 01:19 AM
Some licenses you can enable for trial and use for testing; once they expire, the features stop working.
It all depends on the requirement; the base license should be able to do the work for you for connecting to the internet.
Most ISP providers do have certain kinds of attack prevention; as long as you do not open any incoming flows or incoming port-forwarding, to some degree you are secured.
You can also enable logging by adding an ACL on the outside interface; that will show you what kind of traffic or attack is being established from outside to inside (then based on that you can apply an ACL) and remove the log option.
As long as you are not listening on any service on the outside interface, and if you source it from the LAN interface, that is ok.
All the packets of established connections from inside to outside cannot be dropped.
You should have a sensible ACL on the outside interface to protect your device if it is exposed to the Internet.
Some guidance URLs:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/44541-tacl.html
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html
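The two points the replies make (a NAT ACL only selects what gets translated, so filtering has to be an inbound ACL on the outside interface with the established keyword, and a final deny any any log to see what else is being dropped) put together as one IOS configuration. This is an added example, not configuration posted in the thread; the interface names, the 192.168.10.0/24 LAN and the ISP DHCP address are assumptions for a home lab.

```cisco
! Constructed lab addressing (assumption): Gig0/0/0 faces the ISP and gets its address
! by DHCP, Gig0/1/0 is the LAN 192.168.10.0/24.
interface GigabitEthernet0/0/0
 description OUTSIDE
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/1/0
 description INSIDE
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! NAT ACL: this only chooses which inside sources are translated.
! It does not block anything arriving on the outside interface.
ip access-list standard NAT-INSIDE
 10 permit 192.168.10.0 0.0.0.255
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0/0 overload
!
! Inbound filter on the outside interface, numbered 10 by 10 so lines can be
! inserted later. "established" only matches TCP segments with ACK or RST set,
! so it admits replies to sessions the LAN opened; it is not a stateful check.
ip access-list extended OUTSIDE-IN
 remark replies to TCP sessions started from the LAN
 10 permit tcp any any established
 remark DHCP lease from the ISP to the outside interface
 20 permit udp any eq bootps any eq bootpc
 remark UDP has no established flag: DNS replies must be listed explicitly
 30 permit udp any eq domain any gt 1023
 remark ICMP needed for ping tests, traceroute and path MTU discovery
 40 permit icmp any any echo-reply
 50 permit icmp any any unreachable
 60 permit icmp any any time-exceeded
 remark log everything else so dropped but needed traffic shows up in the log
 100 deny ip any any log
!
interface GigabitEthernet0/0/0
 ip access-group OUTSIDE-IN in
```

After it is applied, `show ip access-lists OUTSIDE-IN` shows the hit counts per line and the log messages name any inbound traffic still being dropped, which is how the reply suggests finding UDP services that need their own permit line.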