10-13-2012 02:48 PM - edited 03-04-2019 05:50 PM
I'm new to Cisco. I want to allow all outgoing traffic and deny all untrusted incoming traffic using an ACL (the laptop represents the untrusted network). I used the OSPF routing protocol. What should I do in this scenario? Thank you.
10-14-2012 06:42 AM
Routing should not be a concern over here.
Following are the multiple ways you could achieve this:
1. Use Extended ACL with the established keyword.
- This will not permit the traffic if your laptop initiates a session
- But this will permit the traffic if your laptop sends the reply for the request.
- Cons - Applicable only for TCP traffic as it is connection oriented.
Check this URL for syntax -
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtipofil.html#wp1055065
2. Use Reflexive ACL :
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html#wp1001187
3. Use ZBF (zone based Firewall)
- HTH
Rahul
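Option 1 above written out as IOS configuration. This is an added example, not configuration from the thread: the three inside subnets are the ones quoted in the other replies, while the ACL name WAN-IN and the interface name GigabitEthernet0/1 are assumptions.

```cisco
! Added example (not from the thread): extended ACL using the "established" keyword,
! applied inbound on the interface that faces the laptop (the "internet" side).
! Assumptions: trusted LANs are 10.10.10.0/24, 20.20.20.0/24 and 30.30.30.0/24,
! and the laptop-facing interface is GigabitEthernet0/1.
ip access-list extended WAN-IN
 remark "established" matches TCP segments with the ACK or RST bit set only,
 remark so replies to inside-initiated sessions pass and a laptop-initiated SYN is denied
 permit tcp any 10.10.10.0 0.0.0.255 established
 permit tcp any 20.20.20.0 0.0.0.255 established
 permit tcp any 30.30.30.0 0.0.0.255 established
 remark "established" covers TCP only; let inside hosts' pings get their replies back
 permit icmp any any echo-reply
 remark UDP replies (e.g. DNS answers) are still dropped here; use a reflexive ACL or ZBF for those
 remark Only needed if an OSPF adjacency is formed across this interface
 permit ospf any any
 remark Explicit deny with logging so blocked attempts from the laptop appear in "show logging"
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group WAN-IN in
!
! Verification after testing from the laptop and from an inside host:
! show ip access-lists WAN-IN   (per-line hit counters)
```

The ACL is applied only in the inbound direction on the outside interface; outbound traffic from the three LANs is not filtered.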
10-13-2012 03:20 PM
Hello Anil,
I am not sure if I got you right or not, but I have checked your access list that you have done and made the following changes:
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 20.20.20.0 0.0.0.255 any
access-list 101 permit ip 30.30.30.0 0.0.0.255 any
access-list 101 deny ip any any
Can you tell me what direction you want the traffic to be denied I mean from the Laptop to the rest of the network or from the rest of network to the laptop ?
Also, for more information about how to configure ACLs please refer to the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
Hope it will help
Ahmed Sonba
10-14-2012 01:38 AM
Hi Anil,
I am unable to open your pkt file, as it is not compatible with my Packet Tracer.
But based on your question I can suggest the below--
If your outgoing trusted subnets are all the 10, 20 and 30 subnets, then this is the right way, and put the access-list on the LAN portion (I don't know what that is)---
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 20.20.20.0 0.0.0.255 any
access-list 101 permit ip 30.30.30.0 0.0.0.255 any
access-list 101 deny ip any any
put it as
ip access-group 101 out
ip access-group 101 in
So, in this way you can filter the trusted traffic only.
If you need more help then post your exact pic and scenario here...
Regards,
Amit
***Please rate helpful posts.************
10-14-2012 02:14 AM
Hello,
Here is my scenario:
The left side of Router2 is my internal network, and the laptop represents the "internet". All three networks on the left side should be able to reach the laptop (internet), but the laptop shouldn't be able to reach my internal network. I used OSPF routing.
Thank you in advance
10-14-2012 07:47 AM
Thank you very much.