Solved: Re: How to configure ACL for internet facing edge router port?

CiscoPurpleBelt · ‎08-25-2017

What is the best way to create an ACL to be used on an internet facing edge port to keep the logs down when packets are denied from devices not permitted according to the ACL? Shall I just enter permit statements allowing for internal to external comms then block everything else?

paul driver · ‎08-26-2017

Hello

I would be concerned with inbound traffic then outbound on a internet facing port.
For egress you can as shown allow any traffic originating fro you internal network or specific subnets and then deny everything else.

For ingress, I would suggest deny everything other then bi directional traffic such a routing protocols.
So do that you can implement a software ios feature such as CBAC, which will ONLY by default allow return traffic initiated from inside you network back in.

Simple CBAC configuration would be.

ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

ip access-list extended WAN
permit ospf any any
deny ip any any

ip access-list extended LAN
permit ip x.x.x.0 0.0.0.255 any
deny ip any any log-input <-more granular for the ace entries

interface x/x
description WAN Interface (ospf)
ip access-group WAN in

interface x/x
description LAN Interface
ip inspect CBAC in
ip access-group LAN in

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

Julio E. Moisa · ‎08-25-2017

Hi

Your current ACL will allow the access just to the authorized entries, by default there is an implicit deny entry at the end of the ACL, now you can include a deny at the bottom to log the deny.

ip access-list 100 permit ip host 1.1.1.1 any

ip access-list 100 deny ip any any log

interface g0/0

ip access-group 100 out

The following link can be useful

https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

paul driver · ‎08-26-2017

Hello

I would be concerned with inbound traffic then outbound on a internet facing port.
For egress you can as shown allow any traffic originating fro you internal network or specific subnets and then deny everything else.

For ingress, I would suggest deny everything other then bi directional traffic such a routing protocols.
So do that you can implement a software ios feature such as CBAC, which will ONLY by default allow return traffic initiated from inside you network back in.

Simple CBAC configuration would be.

ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

ip access-list extended WAN
permit ospf any any
deny ip any any

ip access-list extended LAN
permit ip x.x.x.0 0.0.0.255 any
deny ip any any log-input <-more granular for the ace entries

interface x/x
description WAN Interface (ospf)
ip access-group WAN in

interface x/x
description LAN Interface
ip inspect CBAC in
ip access-group LAN in

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Richard Burts · ‎08-26-2017

Perhaps there is something for this thread that I am not understanding correctly. Julio provides a good suggestion which answers a question about how to create log entries when something is denied. And Paul provides a good suggestion about CBAC which answers a question about good ways to configure protection for the router. But as I understand the post it is asking a different question. It seems to me that the most important part of the original post is this "to keep the logs down when packets are denied". And the answer to that is simply to not use the log parameter on entries in the ACL which deny packets. If I am not understanding correctly then please help me understand better.

HTH

Rick

HTH

Rick

CiscoPurpleBelt · ‎08-29-2017

Yes you are on spot. I DO want to keep the logs down and that ties in with best practices for ACLs or configs to be used on internet/WAN ports. I DON'T want a long ACL (adding deny statements for suspicious addresses that arise, etc.) and thought I would just alllow what needs to be allowed then block everything else.