ACL in-out question

DragonFist (Level 1)

I'm new to Cisco. I want to allow all outgoing traffic and deny all untrusted incoming traffic using an ACL (the laptop represents the untrusted network). I used the OSPF routing protocol. What should I do in this scenario? Thank you.


5 Replies

AhmedSonba (Level 1)

Hello Anil,

I am not sure if I got you right or not, but I have checked the access list that you have done and made the following changes:

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 101 permit ip 20.20.20.0 0.0.0.255 any

access-list 101 permit ip 30.30.30.0 0.0.0.255 any

access-list 101 deny ip any any

Can you tell me in which direction you want the traffic to be denied, I mean from the laptop to the rest of the network, or from the rest of the network to the laptop?

Also, for more information about how to configure ACLs please refer to the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Hope it will help

Ahmed Sonba

Hi Anil,

I am unable to open your pkt file, as it is not compatible with my Packet Tracer.

But based on your question I can suggest the below:

If your outgoing trusted subnets are all the 10, 20 and 30 subnets, then this is the right way; put the access-list on the LAN portion (I don't know what that is):

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 101 permit ip 20.20.20.0 0.0.0.255 any

access-list 101 permit ip 30.30.30.0 0.0.0.255 any

access-list 101 deny ip any any

put it as

ip access-group 101 out

ip access-group 101 in

So, in this way you can filter the trusted traffic only.

If you need more help then post your exact picture and scenario here.

Regards,

Amit

*** Please rate helpful posts. ***

Hello,

[Attachment: pkt1.jpg]

Here is my scenario:

The left side of Router2 is my internal network, and the laptop represents the "internet". All three networks on the left side should be able to reach the laptop (internet), but the laptop shouldn't be able to reach my internal network. I used OSPF routing.

Thank you in advance

Rahul Kukreja (Level 1) - Accepted Solution

Routing should not be a concern over here. 

The following are the multiple ways you could achieve this:

1. Use Extended ACL with the established keyword.

- This will not permit the traffic if your laptop initiates a session.

- But this will permit the traffic if your laptop sends the reply to a request.

- Cons: applicable only to TCP traffic, as it is connection oriented.

Check this URL for syntax -

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtipofil.html#wp1055065

2. Use Reflexive ACL :

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html#wp1001187

3. Use ZBF (zone based Firewall)

- HTH

Rahul
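A worked configuration for options 1 and 2 above, added here as an example (it is not Rahul's or Cisco's code). It assumes Router2's laptop-facing interface is GigabitEthernet0/1, that the trusted subnets are the 10.10.10.0/24, 20.20.20.0/24 and 30.30.30.0/24 networks from the thread, and the ACL names are made up; apply only one of the two inbound ACLs.

```cisco
! Option 1: extended ACL with "established", applied INBOUND on the
! untrusted (laptop) interface. Only TCP segments with ACK or RST set,
! i.e. replies to sessions the inside started, are permitted; a new SYN
! from the laptop, and any non-TCP packet, hits the final deny.
ip access-list extended UNTRUSTED-IN
 permit tcp any 10.10.10.0 0.0.0.255 established
 permit tcp any 20.20.20.0 0.0.0.255 established
 permit tcp any 30.30.30.0 0.0.0.255 established
 ! If an OSPF neighbour ever sat on this interface, add
 ! "permit ospf any any" above the deny; a lone laptop needs nothing.
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Untrusted side (laptop)
 ip access-group UNTRUSTED-IN in
!
! Option 2: reflexive ACL, which also covers UDP and ICMP. Outbound
! traffic creates a temporary mirror entry in REFLECTED; inbound traffic
! is only accepted if "evaluate" finds a matching entry. The trailing
! "permit ip any any" keeps all other outbound traffic flowing.
ip access-list extended TRUSTED-OUT
 permit tcp any any reflect REFLECTED timeout 300
 permit udp any any reflect REFLECTED timeout 60
 permit icmp any any reflect REFLECTED timeout 30
 permit ip any any
!
ip access-list extended UNTRUSTED-IN-REFLEX
 evaluate REFLECTED
 deny   ip any any log
!
interface GigabitEthernet0/1
 ip access-group TRUSTED-OUT out
 ip access-group UNTRUSTED-IN-REFLEX in
!
! Verification: hit counters on the deny line show blocked attempts from
! the laptop, and the reflexive entries appear while a session is open.
! show ip access-lists UNTRUSTED-IN
! show ip access-lists REFLECTED
```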

Thank you very much.
