Need Help with Access control list on Cisco router

kaushal13
Level 1

Hi All,

I am having some issues with creating an ACL for my gateway router.

Following is the scenario,

I want to block external access to my network 192.168.1.0/24 from the Internet, so I set up the ACL on the WAN port of my 7200 router as follows.

I am using a named extended access list:

ip access-list extended acl-in
 deny ip any 192.168.1.0 0.0.0.255 log
 permit ip any any

and I applied this inbound access list on the WAN port of the router with

"ip access-group acl-in in"

Now I have blocked the external traffic to my network 192.168.1.0/24, but the issue I am having is that I am also unable to reach outside now.

All i want is to block external traffic on the router WAN port but allow internal traffic to outside.

Did i miss anything in the access list?

I don't have any other access list on other interfaces. Any input is appreciated!

5 Replies

Jeff Van Houten
Level 5

Before your deny statement, add "permit tcp any any established".


Thanks, worked like a charm.

You should also allow DNS and NTP traffic for your network, otherwise you will have issues again.
Google "reflexive and established ACL for Cisco routers" for more information.
Manish


Thanks Manish. Are reflexive ACLs also as scalable as extended ACLs?

I can only apply one, either an extended or a reflexive ACL, on the WAN port, so I am wondering which one is more secure and scalable.

Hi,

I would rather use CBAC or Zone based Firewall to achieve this.

Normal ACLs are stateless, as you saw when applying your access-list inbound on the WAN. What a reflexive ACL does is provide stateful behaviour by dynamically creating ACL entries for return traffic, but this is not as powerful and scalable as a full-blown IOS firewall configuration (either CBAC or ZBF).

Regards.

Alain

Don't forget to rate helpful posts.
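As an added illustration (not code from this thread or from Cisco), here is a small Python model of how a stateless inbound ACL on the WAN port evaluates packets. It shows why the poster's acl-in also dropped replies to sessions opened from inside, how Jeff's "permit tcp any any established" fixes that for TCP only (unsolicited SYNs are still denied), and why Manish's DNS/NTP advice still needs explicit UDP permits, since "established" never matches UDP. The packet addresses, the source-port 53/123 entries and the helper names are assumptions made for the example; CIDR notation stands in for the IOS wildcard mask.

```python
import ipaddress

def in_net(addr, spec):
    """'any' matches everything; otherwise match an IP network (CIDR stands in for the wildcard mask)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(entry, pkt):
    action, proto, src, sport, dst, established = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if sport is not None and pkt.get("sport") != sport:
        return False
    if not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
        return False
    # "established" matches only TCP segments carrying ACK or RST, i.e. replies
    # to a session opened from inside; it can never match UDP, so DNS/NTP
    # replies need their own permit entries.
    if established and not (pkt["proto"] == "tcp" and pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for entry in acl:
        if matches(entry, pkt):
            return entry[0]
    return "deny"

# Entries: (action, protocol, source, source port, destination, established)
ACL_ORIGINAL = [                                   # the poster's acl-in
    ("deny", "ip", "any", None, "192.168.1.0/24", False),
    ("permit", "ip", "any", None, "any", False),
]
ACL_ESTABLISHED = [                                # Jeff's fix, placed before the deny
    ("permit", "tcp", "any", None, "any", True),
] + ACL_ORIGINAL
ACL_WITH_UDP = [                                   # Manish's point, as assumed entries:
    ("permit", "udp", "any", 53, "192.168.1.0/24", False),   # replies from DNS servers
    ("permit", "udp", "any", 123, "192.168.1.0/24", False),  # replies from NTP servers
] + ACL_ESTABLISHED

# Constructed packets as seen inbound on the WAN interface (addresses are examples)
TCP_REPLY = {"proto": "tcp", "src": "203.0.113.10", "dst": "192.168.1.20", "flags": {"ACK"}}
TCP_UNSOLICITED = {"proto": "tcp", "src": "203.0.113.10", "dst": "192.168.1.20", "flags": {"SYN"}}
DNS_REPLY = {"proto": "udp", "src": "203.0.113.53", "sport": 53, "dst": "192.168.1.20", "flags": set()}
```

Calling evaluate() with each ACL against the three packets reproduces the thread: the original list denies the TCP reply, the "established" list permits it while still denying the unsolicited SYN, and only the list with explicit UDP entries permits the DNS reply.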
