CISCO ROUTER AS STATELESS FIREWALL

cigalahgroup
Level 1

Hello,

I am new to security and learning about stateful and stateless firewalls. I understand that with stateful firewalls, any outbound traffic is generally whitelisted so it can return by default, since the firewall is aware of the state of a connection.

I want to use a Cisco router with ACLs to provide an internet connection to the users in my lab, and I am also aware that this can be done using NAT.

Is it possible to use ACLs only, without NAT, to provide an internet connection to the users?

Accepted Solution

Hello @cigalahgroup 

To set up a stateless firewall using ACLs on a router, you can configure ACLs to filter traffic between your internal LAN and the Internet. Unlike stateful firewalls, which dynamically track connection states and allow return traffic automatically, stateless firewalls require explicit rules to permit both outbound and return traffic.

To allow traffic from your internal network (192.168.1.0/24) to the Internet, you need to define an ACL that permits this traffic. This rule will allow devices on your LAN to initiate connections to external destinations. For example, you can allow all traffic from your LAN by matching the source IP address range (192.168.1.0/24) and specifying the outbound interface. If you want more granular control, you can restrict the ACL to allow only specific protocols (e.g., HTTP, HTTPS, or DNS) by specifying their port numbers.

Since ACLs are stateless, return traffic from the Internet must also be explicitly allowed. You need to create an ACL that permits traffic destined for your internal network (e.g., traffic with a destination IP of 192.168.1.10) and matches the ports and protocols of the previously initiated outbound connections. For example, if a user browses a website, the router needs to allow the return traffic from the website’s server to the user’s device.

ACLs should be applied to the router interfaces in the appropriate direction. For outbound traffic, apply the ACL on the LAN interface (FastEthernet0/1) in the in direction or on the WAN interface (FastEthernet0/0) in the out direction. For inbound traffic, apply the ACL on the WAN interface in the in direction. Ensure that the ACL rules are ordered correctly, as ACLs are processed sequentially, and the first matching rule determines whether the traffic is allowed or denied!

---

Here’s an example: 

! Define ACL for outbound traffic from LAN to Internet
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

! Define ACL for inbound traffic from Internet to LAN
! Replies come from the server's well-known port back to the client's ephemeral port (above 1023)
access-list 101 permit udp any eq 53 192.168.1.0 0.0.0.255 gt 1023
access-list 101 permit tcp any eq 80 192.168.1.0 0.0.0.255 gt 1023
access-list 101 permit tcp any eq 443 192.168.1.0 0.0.0.255 gt 1023
! Everything not matched above is dropped by the implicit deny at the end of each ACL

! Apply ACLs to the appropriate interfaces
! Inbound from Internet
interface FastEthernet0/0
 ip access-group 101 in
!
! Outbound from LAN
interface FastEthernet0/1
 ip access-group 100 in

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


No way, you need NAT.

NAT translates private IPs into public IPs, which are routable on the internet.

Private IPs are not routable.

MHM

Thanks, now the question is:

 

If I create this configuration:

interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 20.20.20.2

The above configuration will work correctly.

My question is: if a client 192.168.1.10 initiates a connection to google.com, the traffic is NATted, goes to the internet and comes back to the same address 192.168.1.10, as the NAT table has the information.

I need to create a stateless firewall setup for a POC; can you please let me know a configuration?

 

 

The config is correct.

For the router to act as a firewall there are two choices:

1- run the zone-based firewall on the router.

Check if your router supports the

zone security command.

2- use ACLs <<- this has some limitations.

MHM


With respect, this is not right.

A stateless ACL does not allow ANY for inbound and outbound.
@cigalahgroup 

https://codilime.com/blog/traffic-filtering-stateless-stateful-something-between/ <<- check this; it shows some types of stateless ACL which can look like a stateful ACL.

MHM

It is right, but for learning purposes, you can start with a less restrictive ACL setup to better understand how traffic flows between your internal network and the Internet. This allows you to observe how traffic behaves, and gradually tighten the rules as you gain confidence...

Once you’ve analyzed the logs and understood which services are required, you can begin restricting outbound traffic by replacing the permit ip 192.168.1.0 0.0.0.255 any rule with specific port-based rules (e.g., permitting only HTTP, HTTPS, and DNS). This is an incremental approach that allows us to learn while still maintaining a functioning and secure network.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

cigalahgroup
Level 1
access-list 101 permit tcp any eq 80 192.168.1.0 0.0.0.255 gt 1023

The above statement says permit port 80 from the internet to the LAN. What I don't understand is that you are using gt 1023, which means

well-known port.

What if I don't use 1023, what will happen?

@cigalahgroup 

Using gt 1023 aligns the ACL more closely with the behavior of stateful firewalls by ensuring that only return traffic destined for ephemeral ports is allowed. If you omit gt 1023, you need to carefully evaluate and test your ACL to ensure that no unintended traffic is being allowed, especially on well-known ports. This might involve adding additional deny rules or explicitly permitting only the necessary ports.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

BTW, just want to note, whether this example ACE is good or not, depends on how secure you're trying to be and the nature of your legitimate traffic.

For example, perhaps you want to only accept traffic to ports above 49151, or another limited range and/or TCP established bit must be set.

Perhaps you need further ACEs to limit such traffic to and/or from specific IPs.

Often, for security, we start with a deny everything, with just some expected/necessary exceptions, and log denied. When someone complains they cannot access something, if we approve their access, we modify the ACL(s) to permit.

Also BTW, without knowing internal topology, and where ACL applied, for even the sample ACE, destination (internal) subnet might not need to be explicitly defined.

To recap, for:

"Is it possible to use the ACL only without NAT to provide internet connection to the users ?"

Maybe, it depends. . .
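Added example, not code from the thread: a small Python simulator of first-match stateless ACL evaluation, built from access-list 101 in the accepted answer, to show what the gt 1023 test asked about above and the established keyword suggested in the last reply actually filter. The server address 203.0.113.5 and the client port 51234 are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag; the IOS 'established' keyword matches ACK or RST

def port_ok(test, port):
    """Port test mirrors the IOS operators: None (any port), ('eq', n), ('gt', n)."""
    if test is None:
        return True
    op, n = test
    return port == n if op == "eq" else port > n

def match(ace, p):
    action, proto, src, st, dst, dt, est = ace
    return (proto in ("ip", p.proto)
            and ip_address(p.src) in ip_network(src)
            and ip_address(p.dst) in ip_network(dst)
            and port_ok(st, p.sport) and port_ok(dt, p.dport)
            and (not est or p.ack))

def evaluate(acl, p):
    """Entries are checked in order; the first match decides, otherwise implicit deny."""
    for ace in acl:
        if match(ace, p):
            return ace[0]
    return "deny"

LAN, ANY = "192.168.1.0/24", "0.0.0.0/0"
# access-list 101 from the accepted answer (applied inbound on the WAN interface)
ACL_101 = [
    ("permit", "udp", ANY, ("eq", 53), LAN, ("gt", 1023), False),
    ("permit", "tcp", ANY, ("eq", 80), LAN, ("gt", 1023), False),
    ("permit", "tcp", ANY, ("eq", 443), LAN, ("gt", 1023), False),
]
ACL_101_LOOSE = [a[:5] + (None, False) for a in ACL_101]  # 'gt 1023' dropped, as asked
ACL_101_EST = [a[:6] + (a[1] == "tcp",) for a in ACL_101]  # TCP lines with 'established'
# Constructed packets; 203.0.113.5 is a documentation address standing in for a web server
REPLY = Pkt("tcp", "203.0.113.5", 80, "192.168.1.10", 51234, ack=True)  # reply to a LAN client
INBOUND_445 = Pkt("tcp", "203.0.113.5", 80, "192.168.1.10", 445)  # unsolicited, to a well-known port
SYN = Pkt("tcp", "203.0.113.5", 80, "192.168.1.10", 51234)  # new connection from source port 80
```

With gt 1023 the unsolicited packet to port 445 is denied while the loose variant permits it; only the established variant also rejects a fresh SYN arriving from source port 80, which is the gap a stateless ACL leaves open.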