Block complete traffic from outside, allow all from inside

asaxena
Level 1

Hi,

 

We want to implement security on our router and block all incoming traffic to the router (from outside), but allow all traffic from inside.

Please let us know how we can do this. Please let me know if you need any more info.

 

Thanks,

Amit

 



@asaxena 

As you are using a Cisco router, consider using Zone Based Firewall (ZBFW). You can configure this as a stateful firewall, permit all outbound traffic (and its return traffic) and deny inbound traffic.

 

Example:

https://community.cisco.com/t5/security-documents/ios-zone-based-firewall-step-by-step-basic-configuration/ta-p/3142774

 

Yes, we are using a Cisco router, but I do know about Zone Based Firewall. What is the advantage of ZBF over ACL?

 

Thanks,

Amit S

Rob, thanks for a great writeup, but we just want to implement this without zones, and we are looking for a very basic solution with the help of an ACL.

If you can provide an ACL-based solution, that will be a great help.

 

Thanks,

Check the ACLs provided below.

balaji.bandi
Hall of Fame

There are some questions that need to be addressed, but I have posted generic ACL examples:

 

1. What is this device?

2. What IOS code is it running?

3. Does this device do NAT?

4. What part of the network is this (connected directly to the internet?)

 

 

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

This is a Cisco router and here is the info:

 

 

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)

It does not have NAT.

The mux is connected to the router, and the router is connected to a managed switch (WLAN), whereas one WLAN is connected to a firewall (Juniper). We have defined the Cisco public IP as the next hop.

 

Please let me know if you need any other info. 

 

Thanks,

 

Then you can use the example document above to build an ACL for what you would like to block, based on your IP address information.

 

Example:

 

access-list 10 permit 192.168.1.0 0.0.0.255   <-- example: this will allow only the 192.168.1.X network going out.
(config)#interface gig 0/0
(config-if)#ip access-group 10 in

 

Like this you can build the list.

You need to be a bit cautious when building from outside to inside.

 

BB


Amine ZAKARIA
Spotlight

Hello,

If you want to implement it using a traditional ACL, then:
PS: I highly recommend always using ip access-list instead of access-list.

ip access-list extended In_to_Out
 permit ip 10.99.0.0 0.0.0.255 any
exit

ip access-list extended Out_to_In
 permit tcp any lt 1023 10.99.0.0 0.0.0.255 gt 1023
 permit udp any lt 1023 10.99.0.0 0.0.0.255 gt 1023
 permit icmp any 10.99.0.0 0.0.0.255 echo-reply

interface GigabitEthernet0/1
 description VDC-INSIDE
 ip access-group In_to_Out in

interface GigabitEthernet0/5
 description VDC-OUTSIDE
 ip access-group Out_to_In in

The reason I added lt 1023 and gt 1023 is that ports below 1023 (well-known ports) are used by the applications (like HTTPS, SSH, DNS, etc.) and ports above 1023 (ephemeral ports) are used by the clients to connect to the applications.

If you can implement Zone Based Firewall, it will save you the burden of opening the return traffic, because it inspects the traffic, unlike traditional ACLs.

Also, the outside ACL will open only TCP, UDP and ICMP; if you need any other IP protocol you can add it there.

Hope that helps.

Thanks all, I will try the suggested options and will let you know what worked or if I need any help.

asaxena
Level 1

Hi,

Thanks everyone for your support and help. I also tried a few options and blocked a few ports (for now) by using the commands below, and that worked perfectly fine.

 

Router#configure terminal
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#deny tcp any host 110.72.31.17 eq 443
Router(config-ext-nacl)#deny tcp any host 110.72.31.17 eq 80
Router(config-ext-nacl)#deny tcp any host 110.72.31.17 eq 123
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#interface gigabitEthernet 0/0
Router(config-if)#ip access-group 100 in
Router(config-if)#interface gigabitEthernet 0/1
Router(config-if)#ip access-group 100 in

 

This blocked incoming traffic on the 3 mentioned ports (443, 80, 123) to our network from the outside world. You can also add other ports if needed.

 

Thanks,

AmitS
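As an added example (not code from the thread or from Cisco), the Python below evaluates sample packets against both Amine's Out_to_In ACL and the accepted ACL 100, implementing the IOS first-match rule, wildcard masks and the eq/lt/gt port operators; the outside host 203.0.113.10 and the inside host 10.99.0.25 are constructed values. It makes the return-traffic point concrete: the stateless Out_to_In entries admit any outside packet whose source port is below 1023 and destination port above 1023, which is the gap that stateful ZBFW inspection closes.

```python
import ipaddress

# Added example (not from the thread); ACL entries copied from the replies above, 110.72.31.17 being the poster's stated fake IP.
OUT_TO_IN = ["permit tcp any lt 1023 10.99.0.0 0.0.0.255 gt 1023",
             "permit udp any lt 1023 10.99.0.0 0.0.0.255 gt 1023",
             "permit icmp any 10.99.0.0 0.0.0.255 echo-reply"]
ACL_100 = ["deny tcp any host 110.72.31.17 eq 443", "deny tcp any host 110.72.31.17 eq 80",
           "deny tcp any host 110.72.31.17 eq 123", "permit ip any any"]
OPS = {"eq": lambda p, n: p == n, "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}

def ip_matches(addr, spec):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (1 bits in the wildcard are don't-care)."""
    toks = spec.split()
    if toks[0] in ("any", "host"):
        return toks[0] == "any" or addr == toks[1]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in toks)
    return int(ipaddress.IPv4Address(addr)) & ~wild == net & ~wild

def parse_ace(line):
    """permit|deny <proto> <src> [eq|lt|gt port] <dst> [eq|lt|gt port] [icmp-type]"""
    toks = line.split()
    ace, rest = {"action": toks[0], "proto": toks[1]}, toks[2:]
    for side in ("src", "dst"):
        n = 1 if rest[0] == "any" else 2  # 'any' is one token; host/wildcard forms are two
        ace[side], rest = " ".join(rest[:n]), rest[n:]
        ace[side + "_port"], rest = ((rest[0], int(rest[1])), rest[2:]) if rest and rest[0] in OPS else (None, rest)
    ace["icmp_type"] = rest[0] if rest else None
    return ace

def ace_matches(ace, pkt):
    """Protocol ('ip' covers all), both addresses, any port operators and the ICMP type must match."""
    return (ace["proto"] in ("ip", pkt["proto"])
            and ip_matches(pkt["src"], ace["src"]) and ip_matches(pkt["dst"], ace["dst"])
            and all(OPS[op[0]](pkt[side + "_port"], op[1])
                    for side in ("src", "dst") for op in [ace[side + "_port"]] if op)
            and ace["icmp_type"] in (None, pkt.get("icmp_type")))

def evaluate(acl, pkt):
    """First matching entry decides; like IOS, fall through to the implicit deny at the end."""
    return next((ace["action"] for ace in map(parse_ace, acl) if ace_matches(ace, pkt)), "deny")

def tcp(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "src_port": sport, "dst": dst, "dst_port": dport}

def demo():
    """Constructed packets from an outside host 203.0.113.10; returns the four ACL verdicts."""
    return [evaluate(OUT_TO_IN, tcp("203.0.113.10", 443, "10.99.0.25", 51234)),  # permit: HTTPS reply to inside client
            evaluate(OUT_TO_IN, tcp("203.0.113.10", 40000, "10.99.0.25", 22)),   # deny: unsolicited inbound SSH
            evaluate(OUT_TO_IN, tcp("203.0.113.10", 80, "10.99.0.25", 8443)),    # permit: stateless ACL sees a "reply"
            evaluate(ACL_100, tcp("203.0.113.10", 40000, "110.72.31.17", 443))]  # deny: first entry of ACL 100
```

The third verdict is the one to watch: ACL 100 and Out_to_In are evaluated per packet with no connection state, so only the port numbers decide.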

Glad all is working and our suggestion was helpful to resolve the issue; we mark this as resolved now.

 

Thank you for sharing the working solution; this will help other community users who are looking for the same solution.

 

BB


Hello,

Please make sure to edit your reply and hide your public IP with a fake one.

Don't forget to mark the replies that helped you as solved, so that others can benefit.

Hi,

 

Thanks for suggesting. This public IP is fake. 

 

Sure, I will mark it as solved; I am waiting for the scan result. Once the results are as expected, I will mark it solved.

 

Thanks,

AmitS