08-25-2017 08:45 AM - edited 03-05-2019 09:02 AM
What is the best way to create an ACL to be used on an internet facing edge port to keep the logs down when packets are denied from devices not permitted according to the ACL? Shall I just enter permit statements allowing for internal to external comms then block everything else?
Labels: Other Routing
Accepted Solutions
08-26-2017 08:21 AM
Hello
I would be more concerned with inbound traffic than outbound on an internet facing port.
For egress you can, as shown, allow any traffic originating from your internal network or specific subnets and then deny everything else.
For ingress, I would suggest denying everything other than bidirectional traffic such as routing protocols.
To do that you can implement a software IOS feature such as CBAC, which by default will ONLY allow return traffic initiated from inside your network back in.
A simple CBAC configuration would be:
```
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
ip access-list extended WAN
 permit ospf any any
 deny ip any any
!
ip access-list extended LAN
 permit ip x.x.x.0 0.0.0.255 any
 deny ip any any log-input
 ! log-input is more granular for the ACE entries
!
interface x/x
 description WAN Interface (ospf)
 ip access-group WAN in
!
interface x/x
 description LAN Interface
 ip inspect CBAC in
 ip access-group LAN in
```
res
Paul
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
08-25-2017 05:09 PM - edited 08-25-2017 05:16 PM
Hi
Your current ACL will allow access only to the authorized entries; by default there is an implicit deny entry at the end of the ACL. You can now include an explicit deny at the bottom to log the denied packets.
```
! numbered extended ACL syntax
access-list 100 permit ip host 1.1.1.1 any
access-list 100 deny ip any any log
!
interface g0/0
 ip access-group 100 out
```
The following link can be useful:
https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html
:-)
>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
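As an added example (not part of Julio's or Paul's posts, and not Cisco code), the following Python script parses the %SEC-6-IPACCESSLOG messages that an ACE with `log` (Julio's `deny ip any any log`) or `log-input` (Paul's `deny ip any any log-input`) makes IOS emit, and aggregates the denies per source so you can see what each keyword gives you: `log-input` additionally records the ingress interface and source MAC. The syslog lines are constructed samples in the IOS message format, not output from a real device; the "312 packets" line illustrates IOS logging the first matching packet immediately and then a summary with the accumulated count at the logging interval (5 minutes by default), which is why a single noisy source keeps generating messages as long as the ACE carries `log`.

```python
import re
from collections import defaultdict

# Matches the %SEC-6-IPACCESSLOGP / LOGDP / LOGNP messages IOS produces for
# ACEs carrying "log" or "log-input". The "(interface mac)" group is only
# present with log-input; the "(type/code)" group is only present for ICMP.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP):\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?:\s+\((?P<iface>\S+)\s+(?P<mac>[0-9a-fA-F.]+)\))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"(?:\((?P<dport>\d+)\)|\s+\((?P<icmp>\d+/\d+)\))?"
    r",\s+(?P<count>\d+)\s+packets?"
)

# Constructed sample syslog lines (not from a real router). ACL 100 uses
# "log", ACL LAN uses "log-input", so only the LAN lines carry interface/MAC.
SAMPLE_LOG = [
    "Aug 26 08:30:01.123: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.5(40211) -> 192.0.2.10(22), 1 packet",
    "Aug 26 08:30:07.456: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.5(40212) -> 192.0.2.10(22), 1 packet",
    "Aug 26 08:35:01.789: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.5(40211) -> 192.0.2.10(22), 312 packets",
    "Aug 26 08:31:44.000: %SEC-6-IPACCESSLOGDP: list LAN denied icmp 10.1.1.77 (GigabitEthernet0/1 0011.2233.4455) -> 192.0.2.10 (8/0), 1 packet",
    "Aug 26 08:32:10.000: %SEC-6-IPACCESSLOGP: list LAN denied udp 10.1.1.77(51000) (GigabitEthernet0/1 0011.2233.4455) -> 198.51.100.9(53), 1 packet",
    "Aug 26 08:32:12.000: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.1.5(40000) -> 198.51.100.9(443), 1 packet",
    "Aug 26 08:33:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


def parse_acl_log(line):
    """Return the ACL log fields as a dict, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize_denies(lines):
    """Aggregate denied traffic per (ACL name, source address).

    'events' counts log lines, 'packets' sums the per-line packet counts so
    the periodic summary lines IOS emits after the first hit are not lost.
    'iface'/'mac' stay None unless the ACE used log-input.
    """
    out = defaultdict(lambda: {"events": 0, "packets": 0, "iface": None,
                               "mac": None, "targets": set()})
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        agg = out[(rec["acl"], rec["src"])]
        agg["events"] += 1
        agg["packets"] += rec["count"]
        if rec["iface"]:
            agg["iface"], agg["mac"] = rec["iface"], rec["mac"]
        target = rec["dport"] or rec["icmp"]
        if target:
            agg["targets"].add(f'{rec["proto"]}/{target}')
    return dict(out)


if __name__ == "__main__":
    for (acl, src), agg in sorted(summarize_denies(SAMPLE_LOG).items()):
        where = f'{agg["iface"]} {agg["mac"]}' if agg["iface"] else "(no log-input)"
        print(f'ACL {acl:<4} src {src:<15} events={agg["events"]} '
              f'packets={agg["packets"]} {where} targets={sorted(agg["targets"])}')
```

Running it shows three messages but 314 packets for the one external source hitting ACL 100, while the LAN entry, thanks to `log-input`, also tells you which interface and MAC the traffic arrived on. That per-source count is exactly the volume the original question wants to avoid: drop the `log` keyword from the final deny and none of these lines are generated.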
08-26-2017 01:31 PM
Perhaps there is something for this thread that I am not understanding correctly. Julio provides a good suggestion which answers a question about how to create log entries when something is denied. And Paul provides a good suggestion about CBAC which answers a question about good ways to configure protection for the router. But as I understand the post it is asking a different question. It seems to me that the most important part of the original post is this "to keep the logs down when packets are denied". And the answer to that is simply to not use the log parameter on entries in the ACL which deny packets. If I am not understanding correctly then please help me understand better.
HTH
Rick
08-29-2017 09:59 AM
Yes, you are spot on. I DO want to keep the logs down, and that ties in with best practices for ACLs or configs to be used on internet/WAN ports. I DON'T want a long ACL (adding deny statements for suspicious addresses that arise, etc.) and thought I would just allow what needs to be allowed then block everything else.
