Outside NAT and inbound ACL's - Best Practices

Could someone tell me what the best practices are for access lists that would be applied to the interface that is NATing to the Internet. I would like to protect against all potential threats from the Internet while still allowing traffic from the inside to the outside.

interface FastEthernet0/1
 description outside Internet facing interface
 ip address dhcp
 ip nat outside
 ip access-group 101 in
!
ip access-list extended 101
 xxxxxx (what best practice filters should I use to protect myself)

Thank you


This configuration you typed up looks like an IOS configuration from an enterprise device. Most small business products have limited CLI configurations.

For enterprise devices you should look at the enterprise forums.

As a basic rule for all router devices and ACLs, you want the more specific ACLs to be read first, so at the top. If you are filtering a server on a certain port, like HTTP port 80, then that goes higher than broader ACLs. The second part is that you also want the highest-traffic ACLs towards the top. For instance, when you have a high-traffic web server and an FTP server that isn't used as much, you would want the HTTP ACL allowing access to the web server above the FTP server one. The reason for this is that you reduce the load on the router. The traffic is analyzed by the router, which compares the information to the ACLs in a top-down fashion. When the traffic matches an ACL it exits the ACL lookup. The more traffic you can have match and exit this process, and the faster it does so, the better performance you will get out of your router.

ACLs and NATs are one way. You can apply rules to both interfaces. Small business devices have some limitations on configuration with this process. Each product has some variation in the configuration options. For further assistance more information would be needed, like the model of device you are trying to configure and the solution you are trying to reach.
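To put the original question (an inbound filter on the `ip nat outside` interface) and the reply's ordering advice together, here is an added IOS example; it is not configuration from the original post or from Cisco, and the ACL name OUTSIDE-IN, the inspection rule name FW-OUT and the single published service (TCP 443 static-NATed to an inside host) are illustrative assumptions. Inbound ACLs on the outside interface are evaluated before outside-to-inside NAT, so the addresses the ACL sees are the public ones; because the address here comes from DHCP, the destination is written as `any`.

```cisco
! Added example (not from the original post). Assumptions: the ACL name
! OUTSIDE-IN, the inspection rule name FW-OUT and the published service
! (TCP 443 static-NATed to an inside host) are illustrative.
!
ip access-list extended OUTSIDE-IN
 remark Anti-spoofing first: the Internet never legitimately sources these
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 remark DHCP replies from the ISP; the outside address is obtained by DHCP
 permit udp any eq bootps any eq bootpc
 remark Highest-volume match near the top: replies to sessions the inside
 remark opened (TCP segments with ACK or RST set)
 permit tcp any any established
 remark Minimal ICMP so path-MTU discovery and traceroute keep working
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Published services only: one line per port that is really NATed in
 permit tcp any any eq 443
 remark Everything else from the Internet is dropped and logged
 deny   ip any any log
!
! Optional, requires an IOS image with the firewall feature set: stateful
! inspection opens return paths for TCP, UDP (DNS answers) and ICMP echo
! replies dynamically, so the 'established' and echo-reply lines above can
! then be removed and the ACL becomes a pure inbound deny list.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
!
interface FastEthernet0/1
 description outside Internet facing interface
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
```

Two caveats a practitioner would want. `established` is stateless: it only checks that ACK or RST is set, so it lets any such segment through and does nothing for UDP return traffic such as DNS answers; that is why the `ip inspect` lines are the stronger choice when the image supports them. And `log` on the final deny can cost noticeable CPU on a busy link, so drop the keyword (the implicit deny still applies) if the router starts to struggle. If the outside address is later made static, replace `any` in the published-services line with `host` and the public address so only that destination is opened.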