understand access list

liorbachar
Level 1

Hello to everyone,

I want to create an access list that prevents traffic from the internet to my organization.

I am doing it in Packet Tracer.

 

!
ip access-list standard no-entry
 deny any
!

And I apply it on port g/0.10.

The access list blocks the internet from outside to inside, but when I ping from the organization to the outside, the access list blocks that too, and I want to block only from outside to inside.

Can someone help me, please?

blockPublicIp.png

3 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

In your scenario, with the ACL you configured of deny any any, your network from inside cannot access anything on the outside. The interface where you applied this ACL is going to block everything, no matter whether the session is new or existing. To maintain the existing connections from inside to outside and block any new session from outside to inside, you need to consider configuring Zone-Based Firewall on your router.

Have a look at the steps described below to configure it. In summary, you will be creating zones like inside and outside on your router and you will define policies to control the traffic between those interface zones.

 

https://community.cisco.com/t5/security-documents/ios-zone-based-firewall-step-by-step-basic-configuration/ta-p/3142774


alicoluk
Level 1

Because you have written an ACL that denies all, you will not be able to send ICMP packets from outside. But if you try to send any ICMP packet from inside, like the ICMP request packet, you can do that. The firewall that you are using is a stateful firewall, so you configure the firewall to treat ICMP traffic as sessions as well.

#fixup protocol ICMP

This command above enables you to treat ICMP packets as sessions, and when an ICMP reply hits your firewall, it will not be denied. Finally, you also need to apply an ACL after you write this command.
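Putting the two replies together (a zone-based policy as Muhammad Awais Khan suggests, with ICMP tracked as a session as alicoluk describes), here is an added example of what the IOS configuration looks like on the router from the question. It is not from the original thread or from the linked document. It assumes the LAN sub-interface is GigabitEthernet0/0.10 (the "g/0.10" in the question) and that the internet-facing interface is GigabitEthernet0/1; both names are assumptions, as is the direction in which the original ACL was applied.

```cisco
! Added example (not from the thread). Interface names are assumptions:
! GigabitEthernet0/0.10 = LAN side ("g/0.10" in the question),
! GigabitEthernet0/1    = internet side.
!
! 1. Remove the stateless ACL from the LAN sub-interface; the zone policy
!    below replaces it (use "out" instead of "in" if that is how it was applied).
interface GigabitEthernet0/0.10
 no ip access-group no-entry in
!
! 2. Two security zones. Traffic between zones is dropped unless a zone-pair
!    with a policy permits it, so with no OUTSIDE->INSIDE pair defined,
!    sessions started from the internet never reach the LAN.
zone security INSIDE
 description organization LAN
zone security OUTSIDE
 description internet
!
! 3. What the LAN may start: TCP, UDP and ICMP (ICMP so that ping replies
!    are matched to the echo request that caused them).
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 4. "inspect" creates a session entry for each flow the LAN starts and
!    lets only the matching return packets back in; everything else is dropped.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
! 5. Apply the policy to the one direction that is allowed to open sessions.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! 6. Put the interfaces into their zones.
interface GigabitEthernet0/0.10
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

To check it, ping out from a LAN host and run `show policy-map type inspect zone-pair sessions` while the ping is running; the ICMP session should be listed and the replies should arrive, while a ping from the outside in gets no answer because no OUTSIDE-to-INSIDE zone-pair exists. Two caveats: the router's own addresses belong to the built-in `self` zone, which this pair does not filter, so access to the router itself still needs its own policy or an interface ACL; and in Packet Tracer these commands are only accepted on router models whose security license is enabled.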
