ACL using extended list

dialtelusa
Level 1

I want to create an extended access-list because I may have been internally breached, as I see SSH, UDP and TCP going back and forth in Wireshark from unknown addresses. I have two questions.

#1 - Can I block all protocols without explicitly naming all of them?

#2 - Do I need to make two access lists?

#3 - If #2 is YES then a third question would be...... How does it know which is IN traffic and which is OUT traffic?

2 Accepted Solutions

nkarthikeyan
Level 7

Hi Erik,

Answering your questions below. I assume you are referring to the router.

#1 - Can I block all protocols without explicitly naming all of them?

Ans: deny ip any any will block the entire IP protocol, which includes TCP/UDP/ICMP etc. But not all routers work statefully. So you need to define the ACL so that it restricts traffic in a way that makes this work, and at the end you can define deny ip any any to block unwanted traffic.

#2 - Do I need to make two access lists?

Ans: You can have an outbound and an inbound ACL if you want to specify the required traffic.

#3 - If #2 is YES then a third question would be...... How does it know which is IN traffic and which is OUT traffic?

Ans: The ACL on the interface connected to your inside network will be considered the out traffic, and the ACL on the ISP-connected interface will be the in traffic.

But if you have a firewall, you can have an ACL for outbound traffic on the inside interface and block everything inbound, which will not affect anything that goes out from the inside LAN. I mean it will be stateful and will not block the inbound traffic that was initiated from inside.

Please do rate if the given information helps.

By

Karthik


Raju Sekharan
Cisco Employee

You can block the protocols using a range of ports as below.

The list below first permits your range of ports for TCP and UDP, then blocks all the ports:

access-list 101 permit tcp .....

access-list 101 permit udp ------

access-list 101 deny tcp any any range 0 65535

access-list 101 deny udp any any range 0 65535

access-list 101 permit ip any any

There is one more ACL entry which can be used for TCP, which basically allows only established traffic:

access-list 101 permit tcp any any established

Many permutations and combinations are available. Think about which option matches your requirement and implement it.

***don't forget to mark the query as answered if your query is answered****

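Putting the two accepted answers together, here is an added example of a Cisco IOS configuration; it is not configuration from the original posts. The topology is assumed for illustration: GigabitEthernet0/0 faces the ISP, GigabitEthernet0/1 faces a LAN of 192.168.1.0/24 with the router at 192.168.1.1, and 203.0.113.53 is the DNS resolver the LAN is allowed to use. Direction is decided when the ACL is applied with `ip access-group <name> in|out` and is relative to the router, not to the LAN: `in` matches packets arriving on that interface, so traffic leaving the LAN is checked `in` on the LAN interface and traffic arriving from the Internet is checked `in` on the ISP interface. Every IOS ACL ends with an implicit `deny ip any any`; writing it explicitly with `log` makes the dropped packets visible, which is exactly what you want when hunting unknown addresses seen in Wireshark.

```cisco
! Assumed topology (added example, not from the original posts):
!   Gi0/0 = ISP side, Gi0/1 = LAN 192.168.1.0/24, router LAN address 192.168.1.1
!   203.0.113.53 = the DNS resolver the LAN is allowed to use
!
ip access-list extended FROM-INTERNET
 remark Replies to TCP sessions started inside: ACK or RST bit set (flag check only, not stateful)
 permit tcp any 192.168.1.0 0.0.0.255 established
 remark UDP has no "established"; admit only the DNS replies we expect
 permit udp host 203.0.113.53 eq 53 192.168.1.0 0.0.0.255
 remark Everything else, including unsolicited SSH from outside, is dropped and logged
 deny ip any any log
!
ip access-list extended FROM-LAN
 remark Management of the router itself must be permitted before the deny,
 remark otherwise SSH to the router from the LAN is cut off as well
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
 remark Web and DNS are the only outbound services these hosts need
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.53 eq 53
 remark Anything else leaving the LAN (e.g. an internal host probing with SSH) is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description ISP uplink
 ip access-group FROM-INTERNET in
!
interface GigabitEthernet0/1
 description Inside LAN
 ip access-group FROM-LAN in
!
! Verification after applying:
!   show ip access-lists FROM-INTERNET      -> per-entry match counters
!   show logging | include IPACCESSLOGP     -> source/destination of each denied packet
```

Two caveats a practitioner should keep in mind. `established` is not stateful: it only matches TCP segments with the ACK or RST bit set, so any packet carrying those bits passes whether or not a session exists, and UDP has no equivalent, which is why the DNS reply line is explicit. For real state tracking use a stateful firewall, or the IOS Zone-Based Policy Firewall rather than plain ACLs. Secondly, the `log` keyword produces `%SEC-6-IPACCESSLOGP` messages with the source and destination of denied packets; that is the fastest way to see which addresses are involved, but logging is rate-limited and costs CPU, so keep it on the deny entries only.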

3 Replies

Sandeep Choudhary
VIP Alumni

Hi

I am not sure, but I think you can block it with this command:

access-list 100 deny ip any any

Try it

Regards
