I am having some issues with creating an ACL for my gateway router.
Following is the scenario:
I want to block external access to my network 192.168.1.0/24 from the Internet, so I set up the ACL on the WAN port of my 7200 router as follows.
I am using a named extended access list:
ip access-list extended acl-in
 deny ip any 192.168.1.0 0.0.0.255 log
 permit ip any any
and I applied this inbound access list on the WAN port of the router as
ip access-group acl-in in
Now I have blocked the external traffic to my network 192.168.1.0/24, but the issue I am having is that I am also unable to reach outside now.
All I want is to block external traffic on the router WAN port but allow internal traffic to outside.
Did I miss anything in the access list?
I don't have any other access list on other interfaces. Any input is appreciated!
You should also allow DNS and NTP traffic for your network, otherwise you will have issues again.
Google reflexive and established ACLs for Cisco routers for more information.
Thanks Manish. Are reflexive ACLs also as scalable as extended ACLs?
I can only apply one, either an extended or a reflexive ACL, on the WAN port, so I am wondering which one is more secure and scalable.
I would rather use CBAC or a Zone-Based Firewall to achieve this.
Normal ACLs are stateless, as you saw when applying your access list inbound on the WAN. What a reflexive ACL does is provide stateful behaviour by dynamically creating ACL entries for return traffic, but this is not as powerful and scalable as a full-blown IOS firewall configuration (either CBAC or ZBF).
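As an added example (not configuration posted by anyone in this thread), here is the questioner's inbound ACL converted into a reflexive ACL, so that only replies to sessions initiated from 192.168.1.0/24 are let back in while unsolicited Internet traffic is still denied and logged. The interface name GigabitEthernet0/0, the reflexive list name lan-sessions and the timeouts are assumptions, and it assumes the LAN is routed to the WAN without NAT, as the original symptom implies.

```cisco
! Outbound list on the WAN port: each permitted LAN-initiated flow
! creates a temporary mirror entry in the reflexive list "lan-sessions".
! Timeouts are assumed values: idle TCP sessions expire after 300 s,
! UDP (covers DNS and NTP replies) after 60 s, ICMP after the default.
ip access-list extended acl-out
 permit tcp 192.168.1.0 0.0.0.255 any reflect lan-sessions timeout 300
 permit udp 192.168.1.0 0.0.0.255 any reflect lan-sessions timeout 60
 permit icmp 192.168.1.0 0.0.0.255 any reflect lan-sessions
 permit ip 192.168.1.0 0.0.0.255 any
!
! Inbound list on the WAN port: the evaluate line MUST come before the
! deny, because IOS stops at the first matching entry. Return traffic
! for tracked sessions is permitted, everything else aimed at the LAN
! is dropped and logged, exactly as in the original list.
ip access-list extended acl-in
 evaluate lan-sessions
 deny ip any 192.168.1.0 0.0.0.255 log
 permit ip any any
!
! Both lists go on the same interface (assumed name), one per direction.
interface GigabitEthernet0/0
 description WAN uplink
 ip access-group acl-out out
 ip access-group acl-in in
```

After a host on the LAN opens a connection, `show ip access-lists lan-sessions` displays the dynamically created reply entries, which is the quickest way to confirm the stateful behaviour is working before relying on it.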