10-07-2012 12:50 AM - edited 03-07-2019 09:19 AM
I want to create an extended access-list because I may have been internally breached as I see SSH, UDP, TCP going back and forth in wireshark from unknown addresses. I have two questions.
#1 - Can I block all protocols without explicitly naming all of them?
#2 - Do I need to make two access lists?
#3 - If #2 is YES then a third question would be...... How does it know which is IN traffic and which is OUT traffic?
10-07-2012 01:34 AM
Hi Erik,
To answer your questions: I assume you are referring to the router.
#1 - Can I block all protocols without explicitly naming all of them?
Ans: deny ip any any will block the entire IP protocol, which includes TCP/UDP/ICMP etc. But not all routers work statefully. So you need to define the ACL in such a way that it restricts traffic while still letting that work, and at the end you can add deny ip any any to block unwanted traffic.
#2 - Do I need to make two access lists?
Ans: You can have an outbound and an inbound ACL if you want to specify the required traffic.
#3 - If #2 is YES then a third question would be...... How does it know which is IN traffic and which is OUT traffic?
Ans: The ACL on the interface connected to your inside network will be considered the out traffic, and the ACL on the ISP-connected interface will be the in traffic.
But if you have a firewall, you can have an ACL for outbound on the inside interface and block everything inbound, which will not affect anything that goes out from the inside LAN. I mean it will be stateful and it will not block the inbound traffic that was initiated from inside.
Please do rate if the given information helps.
By
Karthik
10-07-2012 03:44 AM
You can block the protocols using a range of ports as below.
The one below first permits your range of ports for UDP and TCP, then blocks all the ports.
access-list 101 permit tcp .....
access-list 101 permit udp ------
access-list 101 deny tcp any any range 0 65535
access-list 101 deny udp any any range 0 65535
access-list 101 permit ip any any
There is one more ACL entry which can be used for TCP, which basically allows traffic only for established connections:
access-list 101 permit tcp any any established
Many permutations and combinations are available. Think about the options which match your requirement and implement them.
***don't forget to mark the query as answered if your query is answered****
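Added example (not from this thread and not Cisco code): a small Python evaluator for the subset of numbered extended ACL syntax used above, so the first-match ordering, the implicit deny at the end of every ACL, and what `established` actually matches (TCP segments with ACK or RST set) can be checked on sample packets before anything is applied to an interface. The host 192.0.2.10 and the `eq 443` entry are assumptions standing in for the elided permit lines; wildcard masks and source ports are not modelled.

```python
from collections import namedtuple

# proto: "tcp"/"udp"/"icmp"; dport: destination port; ack_or_rst: TCP ACK or RST set
Packet = namedtuple("Packet", "proto src dst dport ack_or_rst", defaults=(0, False))

def _addr(tok, i):
    # Address spec at tok[i]: 'any' or 'host A.B.C.D' (wildcard masks not modelled)
    return ("any", i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)

def parse_acl(text):
    # Parses 'access-list N permit|deny PROTO SRC DST [eq P | range LO HI] [established]'
    rules = []
    for line in text.strip().splitlines():
        tok = line.lower().split()
        if tok[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        rest = tok[i:]
        lo, hi = 0, 65535                       # no port keyword = every port
        if rest[:1] == ["range"]:               # only destination ports are modelled
            lo, hi = int(rest[1]), int(rest[2])
        elif rest[:1] == ["eq"]:
            lo = hi = int(rest[1])
        rules.append((tok[2], tok[3], src, dst, lo, hi, "established" in rest))
    return rules

def evaluate(rules, pkt):
    # First matching entry decides; anything unmatched hits the implicit deny
    for action, proto, src, dst, lo, hi, established in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in ("any", pkt.src) or dst not in ("any", pkt.dst):
            continue
        if proto in ("tcp", "udp") and not lo <= pkt.dport <= hi:
            continue
        if established and not pkt.ack_or_rst:  # only ACK/RST segments match
            continue
        return action
    return "deny"

# Constructed ACL combining the thread's suggestions; 192.0.2.10 is a placeholder server
ACL_101 = """
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny tcp any any range 0 65535
access-list 101 deny udp any any range 0 65535
access-list 101 permit ip any any
"""
RULES = parse_acl(ACL_101)
```

Note that with the closing `permit ip any any` from the post, ICMP and any non-TCP/UDP protocol still pass; replacing it with `deny ip any any` (or simply omitting it) makes the implicit deny cover them.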
10-07-2012 01:34 AM
Hi
I am not sure, but I think you can block it with this command:
access-list 100 deny ip any any
Try it
Regards