julijan.klancnik
Beginner

ACL on Cisco router - Block traffic from outside, allow all from inside

Hello,

I am trying to create an ACL on a Cisco router which will allow all traffic from inside to the internet and only allow specific traffic from the internet to inside.

This is what I've configured and put on the router's interface connected to the ISP:

    10 permit icmp any any (411 matches)
    20 permit tcp "my public IP" any eq 3389 (46400 matches)
    30 permit tcp "my public IP" any eq 22 (9185 matches)
    40 permit ip "my public IP" any (3207 matches)
    50 permit tcp any any eq smtp (11 matches)
    60 permit tcp any any eq www (56 matches)
    70 permit tcp any any eq 443 (29 matches)
    80 permit tcp any any eq domain (5 matches)
    81 permit udp any any eq domain (7 matches)
    82 permit udp any eq domain any (10564 matches)
    83 permit tcp any eq domain any (10 matches)
    90 permit udp any any eq ntp (13317 matches)
    95 permit tcp 192.168.0.0 0.0.0.255 any

    interface Dialer 1
     ip access-group 101 in

So I can connect from my public IP to the customer's LAN via RDP and SSH (which is o.k.), but the customer's users cannot access the Internet (which is not o.k.)!

Users are all in the same Vlan. Between Vlan interface and Outside interface (dialer 1) is PAT.

There are no other ACLs on the router except the one for PAT.

What am I missing here?

Thanks.

27 REPLIES 27

Great, thank you mate!

I would remove the access-group from dialer1; you will not be exposing the inside unnecessarily.

I wouldn't do it that way. There should always be a restrictive ACL configured.

First, NAT is not meant to protect the internal network. Although a good NAT implementation can help, it's the wrong tool for the right job. That is the job of a firewall. (You could also hammer a nail into the wall with an electric drill, but it's better to use the tool that was designed for the needed task).

And without an ACL you still expose the router itself to the outside world with all potential vulnerabilities. Again, the restrictive ACL makes sure to only expose the services you need.

Karsten Iwen
VIP Mentor

What kind of router do you have? If you can run a firewall feature set, it would make the configuration much easier.

If supported, you could use the following config:

    ip inspect name FW ftp
    ip inspect name FW dns
    ip inspect name FW icmp router-traffic
    ip inspect name FW tcp router-traffic
    ip inspect name FW udp router-traffic
    ip access-list ext OUTSIDE-IN
     deny ip any any
    interface dialer 1
     ip inspect FW out
     ip access-group OUTSIDE-IN in

This config looks at (inspects) all traffic leaving to the ISP and automatically allows the return traffic. All other traffic is blocked.

Hello Karsten,

I also need to allow RDP and SSH from outside (from my company) to the customer's LAN.

Can I adjust the ACL OUTSIDE-IN like this:

    ip access-list ext OUTSIDE-IN
     permit tcp "my public IP" any eq 3389
     permit tcp "my public IP" any eq 22
     deny ip any any

Thnx, J

Yes, you add all additionally needed services above the deny rule. But typically you would also need a static translation, which you don't have? I wonder why it was working ...

o.k.

If you are talking about NAT, I do have configuration for that.

J

ok, just thought that the below mentioned NAT-config was all that you have.

I have some static NAT statements for RDP.... just didn't post them...

I will try your suggestion; I will probably wait for a reply from Seb (below) in case he has any other idea.

For sure, I will post the result.

Thank you,

J

Hello,

This is what I've configured:

    ip inspect name FW dns
    ip inspect name FW icmp router-traffic
    ip inspect name FW tcp router-traffic
    ip inspect name FW udp router-traffic

I've created the ACL:

    access-list 101 permit icmp any any
    access-list 101 permit tcp "my public IP" any eq 3389
    access-list 101 permit tcp "my public IP" any eq 22
    access-list 101 permit udp any any eq ntp
    access-list 101 deny   ip any any

And configured Dialer 1:

    ip access-group 101 in
    ip inspect FW out

That's it. It is working. And I probably do not need "permit udp any any eq ntp" in the ACL, because the FW rule has "ip inspect name FW udp router-traffic"?

J

And I probably do not need "permit udp any any eq ntp" in ACL, because in FW rule is "ip inspect name FW udp router-traffic" ?

If this rule is meant to let NTP-answers back to the router, then yes, the inspection will take care of that.

I am not sure I get it right. I use public NTP servers and my router is syncing with them. So do I need:

    access-list 101 permit udp any any eq ntp

or not?

Thanks,

No, you don't need that line. The NTP request is sent out and gets inspected by the router. The NTP answer matches a "state-entry" that the router has built by the inspection. Based on this state-entry the NTP answer is allowed. The ACL is only used when new connections arrive at the public interface, that is the incoming SSH and RDP in your case.

View solution in original post
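
The behaviour described in this thread, modelled as an added example (not code from any poster and not Cisco's implementation): a stateless inbound ACL matches reply packets on their own ports, so the ACL from the question drops replies to the users' web sessions, while inspection of outbound traffic permits replies to flows the inside started. The names `Pkt`, `acl_permits` and `Inspector` are hypothetical, the addresses are constructed from documentation ranges, and the model ignores TCP flags and session timeouts.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Pkt = namedtuple("Pkt", "proto src sport dst dport")
ANY, ADMIN = "0.0.0.0/0", "203.0.113.10/32"   # ADMIN stands in for "my public IP"

# Rule = (action, proto, source network, source port, destination port); None = any.
ORIGINAL_101 = [   # the ACL from the question, sequence numbers 10-95
    ("permit", "icmp", ANY, None, None),
    ("permit", "tcp", ADMIN, None, 3389),
    ("permit", "tcp", ADMIN, None, 22),
    ("permit", None, ADMIN, None, None),
    ("permit", "tcp", ANY, None, 25),
    ("permit", "tcp", ANY, None, 80),
    ("permit", "tcp", ANY, None, 443),
    ("permit", "tcp", ANY, None, 53),
    ("permit", "udp", ANY, None, 53),
    ("permit", "udp", ANY, 53, None),
    ("permit", "tcp", ANY, 53, None),
    ("permit", "udp", ANY, None, 123),
    ("permit", "tcp", "192.168.0.0/24", None, None),
]
FINAL_101 = [      # the ACL from the working configuration, with the NTP line left out
    ("permit", "icmp", ANY, None, None),
    ("permit", "tcp", ADMIN, None, 3389),
    ("permit", "tcp", ADMIN, None, 22),
    ("deny", None, ANY, None, None),
]

def acl_permits(acl, pkt):
    """First-match evaluation of an inbound extended ACL; no match = implicit deny."""
    for action, proto, src, sport, dport in acl:
        if (proto in (None, pkt.proto) and ip_address(pkt.src) in ip_network(src)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action == "permit"
    return False

class Inspector:
    """Models 'ip inspect FW out': replies to inspected outbound flows pass ahead of the ACL."""
    def __init__(self, acl):
        self.acl, self.sessions = acl, set()

    def outbound(self, pkt):
        # Record the 5-tuple the reply will carry (endpoints swapped).
        self.sessions.add(Pkt(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        return pkt in self.sessions or acl_permits(self.acl, pkt)
```

In the model, the NTP reply to the router is permitted only after the matching request has passed through `outbound`, which is why the static `permit udp any any eq ntp` line is unnecessary once inspection is enabled.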

Thanks, I understand.

Your advice was (is) really helpful.

J
