Router ACL for outside Interface: Block inbound traffic

Jay Matrona
Level 1

On Friday we are cutting over to a new datacenter, so I need to block all inbound traffic from customers but allow the IPs from two locations that will need access during this shutdown.  One of these locations is already connected via a site-to-site tunnel.  My question is, what does my ACL need to include to block all inbound with the exception of one IP, and could the ACL impact the connectivity via the IPsec tunnel in any way, or is it exempt as long as the tunnel is up?

access-list 1 permit tcp host 111.222.333.444 any

access-list 1 deny ip any any

Then, do I apply it to both outside interfaces?  (we have two loadbalanced circuits using 2 interfaces)

Thanks!

3 Replies

Richard Burts
Hall of Fame

Jay

You have not given much information about your environment so our ability to really give helpful answers is limited. But I offer these observations and partial answers.

- to limit access you would usually use an inbound access list on the outside interface. There may be factors that point to a different approach but we do not know if any apply for your situation.

- some people might also use an outbound access list to control access but the inbound list is more important.

- if the VPN tunnel comes in on one of those outside interfaces then the access list would impact it. So you would need to permit VPN traffic.

- access list 1 would be a standard access list, which can check only a single address field. To get the ability to do ip any any you would need an extended access list, perhaps access list 101.

HTH

Rick


Sorry for the lack of info and thanks for the response.  I want to apply this to both outside interfaces on the edge router.

If I do that, no traffic gets into the production environment.  It sounds like I need to create an ACL permitting all IPs including those using the tunnel and then a deny all statement at the end.  Does this sound correct?  Did I have the form correct above?

Hi Jay,

That will work for your scenario. I have done the same on my WAN interface, like below.

ip access-list extended Outside_access
permit ip 125.63.193.0 0.0.0.15 host 193.114.18.5
permit ip 85.218.151.0 0.0.0.255 host 193.114.18.5
permit ip host 150.101.196.135 host 193.114.18.5
permit ip host 125.7.90.33 host 193.114.18.5
permit ip host 125.7.90.37 host 193.114.18.5
deny ip any any
int GigabitEthernet0/0
ip access-group Outside_access in
But you need to be careful while defining the rules, because you need to allow all the necessary IPs (like your remote tunnel IPs and required subnets).

Please rate the helpful posts.
Regards,
Naidu.
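A fuller version of the ACL the thread is discussing, added here as an example (it is not the poster's or Cisco's own configuration). All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the interface names, tunnel peer and remote subnet are assumptions:

```cisco
! Constructed placeholder addresses (RFC 5737 documentation ranges):
!   192.0.2.10 / 198.51.100.20 = the two locations that keep access
!   203.0.113.5                = public address of the site-to-site IPsec peer
!   10.20.0.0/16               = private subnet behind that peer (assumed)
!
! Standard "access-list 1" can only match a source address, so an
! extended named ACL is used instead.
ip access-list extended CUTOVER_INBOUND
 remark -- the two locations that must keep access during the cutover
 permit ip host 192.0.2.10 any
 permit ip host 198.51.100.20 any
 remark -- site-to-site tunnel: IKE (UDP 500), NAT-T (UDP 4500) and ESP
 remark -- "any" as destination covers both outside interface addresses
 permit udp host 203.0.113.5 any eq isakmp
 permit udp host 203.0.113.5 any eq non500-isakmp
 permit esp host 203.0.113.5 any
 remark -- some IOS releases re-check decrypted packets against this ACL,
 remark -- so the remote private subnet is permitted explicitly as well
 permit ip 10.20.0.0 0.0.255.255 any
 remark -- everything else (all customer traffic) is dropped and logged
 deny ip any any log
!
! Apply inbound on BOTH outside interfaces (the two load-balanced circuits)
interface GigabitEthernet0/0
 ip access-group CUTOVER_INBOUND in
interface GigabitEthernet0/1
 ip access-group CUTOVER_INBOUND in
!
! Verify: per-line hit counters, tunnel still up, and what is being dropped
! show ip access-lists CUTOVER_INBOUND
! show crypto isakmp sa
! show crypto ipsec sa
! show logging | include CUTOVER_INBOUND
```

There is no state tracking here, so return traffic for anything the inside hosts initiate toward the internet during the cutover (DNS, updates) also hits the final deny; if that matters, add a `permit tcp any any established` line or a stateful inspection feature ahead of the deny.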