access lists for internet traffic

carl_townshend

Can anyone tell me what the standard is for access lists for blocking internet traffic on a router? Do people just have a list permitting anything outbound and port 80 inbound? Is this right, or do people use CBAC instead?

thanks

8 Replies

Harold Ritter

Carl,

There are probably as many options as there are people on this list. CBAC or any other form of FW is highly recommended if we are talking about a corporate network.

ACL is not an alternative to a FW solution but rather a complement.

Hope this helps,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

l.mourits

Carl,

For small networks an ACL with the established keyword in combination with NAT overload might be sufficient. But I fully agree with the previous reply that it is not the best solution....

Kind regards,

Leo

OK, say for example I just have a 1700 in my office for the internet connection. If I am using CBAC, do I really need an ACL in place? Can anyone show me a quick config for their CBAC config?

Hi Carl:

As in the previous replies, ACLs are normally used to control routing rather than to implement your company's policies, which are normally enforced by using a firewall or proxy.

You can use ACLs to do this, but you will have to have numerous permits or denies for ports, protocols, source addresses, destination addresses, etc. You can define all that rather easily in a firewall.

Hope this helps

Gary

Is CBAC a firewall? Can you give me an example config and what each command means?

thanks

Carl,

IMHO the answer is no, although not everyone will agree with me. The main difference between regular ACLs and CBAC is that CBAC can inspect up to the application layer, and will statefully inspect the configured protocols, but it is definitely not an impenetrable firewall solution. Check this link for more info on CBAC:

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1826/products_feature_guide09186a0080080f4d.html#xtocid13

In case you want to settle for CBAC, here are two good links that include CBAC with NAT configuration.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

http://www.ciscotaccc.com/kaidara-advisor/iprout/showcase?case=K10490006

This should get you going :-)

Kind regards,

Leo

Please help improve the netpro forum and rate helpful info
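Carl asked for a quick CBAC config with each command explained. The following is an added, constructed example for a single small-office router like the one in the thread; it is not taken from the thread or from the linked Cisco documents. The interface names, the 192.168.1.0/24 inside network and the DHCP-assigned outside address are assumptions; adjust them to your box.

```cisco
! Constructed example (not from the thread): CBAC stateful inspection plus NAT overload
! on a single IOS router. Interface names and addresses are assumed.
!
! Inspection rule FWRULE: track TCP and UDP sessions that leave the router and
! dynamically permit only the matching return packets back in.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
! Log session open/close events so traffic can be reviewed when troubleshooting.
ip inspect audit-trail
!
! Inbound ACL on the outside interface. CBAC inserts its temporary "return traffic"
! entries ahead of these static lines, so everything not opened by inspection
! or listed here is dropped.
! Anti-spoofing: packets claiming an inside or loopback source must not arrive from outside.
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Allow the ICMP messages needed for path MTU discovery and traceroute replies.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
! Everything else from the Internet is denied and logged (this is the "deny any" Carl asked about).
access-list 101 deny ip any any log
!
! Standard ACL 1 selects which inside source addresses get translated.
access-list 1 permit 192.168.1.0 0.0.0.255
!
interface FastEthernet0
 description LAN (inside)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 description Internet (outside)
 ip address dhcp
 ip nat outside
 ! Inspect traffic going out to the Internet; CBAC opens the return path for it.
 ip inspect FWRULE out
 ! Every packet arriving from the Internet is checked against ACL 101.
 ip access-group 101 in
!
! PAT (NAT overload): all inside hosts share the outside interface's single public address.
ip nat inside source list 1 interface Ethernet0 overload
```

With this in place the inbound ACL is still needed: CBAC only adds the dynamic permit entries, and it is ACL 101's final deny line that blocks unsolicited traffic from the Internet.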

Carl,

I was just reviewing your profile. Do you realize you have 846 posts asking for help without rating a single person's reply?

Are you just not grateful to the people that provide you with answers to your questions, or just too lazy to rate posts?

Patrick

Patrick,

I do believe you are jumping to conclusions...

Although you can view the number of posts of any particular user, there is no way (unless you are an administrator of course (which I don't think you are)) that you can view the number of ratings somebody provides to others by just viewing that user's profile, although you can see the number and level one received on the user's post. In fact, I don't believe that one could see who rated who at all in the current setup of the forum.

Had to correct you here, no offense mate ;-)

Leo