IP Inspect Protocols (Beginner)

whartigan1
Level 1

Hi All,

Recently passed CCNA and starting to look into CCNA security topics. I have a 1811 router I just set up as my NAT gateway. I've configured an implicit deny ACL for all inbound traffic from the internet and IP Inspect for tcp, udp, icmp originating from my network.

From what I'm testing so far this seems to work pretty well for home based internet traffic, I've yet to see anything blocked that I initiate. Is anyone able to point me to a reference for what additional functionality exists if I specify on a per protocol basis? For instance I see all sorts of other options with ip inspect like ftp, http, citriximaclient, etc, but I'm not sure if there's any added benefit to listing them specifically as opposed to the blanket statements I made.

3 Replies

Limiting to more specific ports can be done if you want your users to only be allowed to, for example, go to http and https, but not ftp.  But more often than not, all traffic that is generated from the local LAN is permitted.

--

Please remember to select a correct answer and rate helpful posts


Thank you for the response. 

Are there any scenarios where it is required to have specific protocols added? I was reading with FTP there are instances it won't work correctly without listing it explicitly. For everyday internet usage I want to make sure I have my ground covered.

Yes, FTP has separate streams of traffic for request and reply so without any extra configuration the reply traffic will be denied.  Basically any traffic that has separate data streams for request and reply.

--

Please remember to select a correct answer and rate helpful posts
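Configuration sketch of the setup discussed in this thread, as an added example and not the poster's actual config: generic tcp/udp/icmp inspection plus an explicit `ftp` line, which is the case the reply above describes. Interface names, the rule and ACL names, and the addresses are assumptions (the 203.0.113.0/24 range is documentation space).

```cisco
! Inspection rule: generic stateful inspection of sessions the LAN initiates.
! Return packets of these sessions are permitted through the outside ACL
! for as long as the session entry exists.
ip inspect name HOME-INSPECT tcp
ip inspect name HOME-INSPECT udp
ip inspect name HOME-INSPECT icmp
!
! Application-layer inspection for FTP. The generic "tcp" line only tracks the
! control channel (tcp/21); the data transfer is a separate connection, so CBAC
! has to read the PORT/PASV exchange to know which data session to allow.
! Without this line the data connection is dropped by the outside ACL.
ip inspect name HOME-INSPECT ftp
!
! Outside-facing ACL: nothing is allowed in unless inspection opened it.
! "log" records what is being dropped so failures are visible in the log.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
interface FastEthernet0
 description WAN (outside) - assumed interface
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface Vlan1
 description LAN (inside) - assumed interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect HOME-INSPECT in
!
! Verification after starting an FTP transfer from the LAN:
!   show ip inspect sessions   - shows the control session and the data
!                                session CBAC opened for it
!   show ip inspect config     - confirms which protocols the rule inspects
```

If a protocol that opens secondary connections is still failing, compare the `deny ... log` hits on OUTSIDE-IN with the sessions listed by `show ip inspect sessions` to see which stream inspection did not open.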
