RVS4000 Firewall ACL Question

bmurray2_home (Level 1)

I'm working to set up and configure an RVS4000 for a friend and wanted to verify my understanding of the firewall section. It seems that by default the firewall allows traffic from any source to any destination, including from the WAN. I realize that with NAT this isn't a huge concern / shouldn't be the case; however, I tend to prefer tighter standards rather than looser.

I wanted to ensure that it allowed internally initiated traffic outbound and dropped externally initiated traffic inbound, so I created the rules shown in the attached file. Am I looking at this correctly? Is the Firewall ACL section for setting up a stateful firewall, or is it just pure ACLs, with the last rule from the WAN required for returning traffic that has already been through the NAT engine?

If someone could please help me clear this one little detail up, I would be greatly appreciative.

Thanks in advance.

Accepted Solution

Alejandro Gallego (Cisco Employee)

The ACL is just that: ACLs. The rules you made are fine; the difference between your setup and the default is that you are explicitly denying the traffic, which is not a bad idea. On that note, that does not mean that the traffic was explicitly allowed before (default config).

Before any rules are created, a "deny any any" is already in place but not displayed. This is typical of small business and consumer routers. The only thing I would change is, instead of supplying the subnet, just set it to "any".

Hope this helps.
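A toy model of the distinction drawn in the accepted answer, as an added example that is not part of the thread and not Cisco's code: a first-match ACL with the hidden trailing "deny any any", beside a stateful filter that admits replies to connections it already allowed. The LAN subnet, addresses and ports are constructed for the example, the rule set mirrors the poster's description (allow the LAN subnet out, deny the WAN in), and the stateful class is a generic model of connection tracking, not a description of how the RVS4000's NAT engine handles return traffic.

```python
"""Pure first-match ACL (implicit deny at the end) versus a stateful filter.
Everything below is a model built for this example; the rule set follows the
poster's description and all addresses/ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet enters on: "LAN" or "WAN"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: str                   # "LAN", "WAN" or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port


def _in_net(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("any", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst))


def acl_verdict(rules, pkt: Packet) -> str:
    """Pure ACL: first matching rule wins; no match falls through to the
    undisplayed implicit 'deny any any'."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Same ACL plus a flow table: a reply to a connection the ACL already
    allowed is passed without consulting the rules again. Generic model
    of stateful filtering, not the RVS4000's NAT table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def verdict(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "allow"  # reply direction of an established flow
        action = acl_verdict(self.rules, pkt)
        if action == "allow":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


# Poster's rule set as described: LAN subnet out, WAN in explicitly denied.
LAN = "192.168.1.0/24"  # constructed
RULES = [
    Rule("allow", "LAN", LAN, "any"),
    Rule("deny", "WAN", "any", "any"),   # the "catch-all / cleanup" rule
]

# Constructed traffic: a LAN host browsing out, the server's reply coming
# back in on the WAN, and an unsolicited SSH probe from the Internet.
OUTBOUND = Packet("LAN", "tcp", "192.168.1.10", 51514, "203.0.113.5", 80)
REPLY = Packet("WAN", "tcp", "203.0.113.5", 80, "192.168.1.10", 51514)
UNSOLICITED = Packet("WAN", "tcp", "198.51.100.7", 40000, "192.168.1.10", 22)
TRAFFIC = [("outbound", OUTBOUND), ("reply", REPLY), ("unsolicited", UNSOLICITED)]


def demo():
    """Verdicts for the same three packets under both semantics."""
    stateless = {name: acl_verdict(RULES, p) for name, p in TRAFFIC}
    sf = StatefulFilter(RULES)
    stateful = {name: sf.verdict(p) for name, p in TRAFFIC}
    return stateless, stateful


def same_without_cleanup_rule() -> bool:
    """Dropping the explicit WAN deny changes nothing for a pure ACL:
    the implicit deny catches exactly the same packets."""
    return all(acl_verdict(RULES, p) == acl_verdict(RULES[:1], p) for _, p in TRAFFIC)


if __name__ == "__main__":
    for label, result in zip(("pure ACL", "stateful"), demo()):
        print(label, result)
    print("explicit deny redundant:", same_without_cleanup_rule())
```

The row to look at is `reply`: the pure ACL denies the server's answer because it arrives on the WAN and hits the deny rule (or the implicit deny if that rule is removed), while the stateful filter passes it. Scanning the WAN address from outside, as the poster did, only exercises the `unsolicited` row and cannot tell the two semantics apart; whether an outbound session completes is what distinguishes them.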


2 Replies


Thank you, that's essentially what I found. I ended up trying it both with and without the "catch-all rule / cleanup rule" with similar results; however, a few protocols didn't seem as happy with it configured that way. I did verify that in both cases traffic IS blocked to non-allowed ports using nmap, so either configuration seems OK.

Thanks again
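The poster's nmap check, done mechanically, as an added example that is not part of the thread: parse an nmap grepable report (`-oG`) and flag any scanned port that came back `open` but is not on the allow list. The report text is constructed for the example in the shape produced by a command like `nmap -Pn -sS -p 22,80,443,8080 -oG - <wan-address>` run from outside the network; no host mentioned on the page was scanned, and the address is a documentation address.

```python
"""Turn an nmap -oG report into a pass/fail check against the firewall policy.
The report below is constructed to match nmap's grepable layout; it is not
the output of a real scan of anything on the page."""
import re

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: "
    "nmap -Pn -sS -p 22,80,443,8080 -oG - 203.0.113.1\n"
    "Host: 203.0.113.1 ()\tStatus: Up\n"
    "Host: 203.0.113.1 ()\tPorts: 22/filtered/tcp//ssh///, "
    "80/filtered/tcp//http///, 443/open/tcp//https///, "
    "8080/closed/tcp//http-proxy///\tIgnored State: filtered (0)\n"
    "# Nmap done at Mon Jan  1 12:00:05 2024 -- 1 IP address (1 host up) "
    "scanned in 5.01 seconds\n"
)

# Each entry in the "Ports:" field is port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_gnmap(text: str) -> dict:
    """Map (proto, port) -> state for every port reported."""
    states = {}
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            states[(proto, int(port))] = state
    return states


def unexpected_open(text: str, allowed: set) -> list:
    """Ports reported open that the firewall policy does not allow.
    An empty list is the result the poster was looking for."""
    return sorted(p for p, st in parse_gnmap(text).items()
                  if st == "open" and p not in allowed)


def answered_probes(text: str) -> list:
    """Ports reported 'closed': the probe was answered (RST), so something
    behind the WAN interface saw it. A deny rule that drops shows up as
    'filtered' instead; worth a second look even though nothing is open."""
    return sorted(p for p, st in parse_gnmap(text).items() if st == "closed")


if __name__ == "__main__":
    policy_allows = {("tcp", 443)}  # constructed: say HTTPS is forwarded on purpose
    print("states:", parse_gnmap(SAMPLE_GNMAP))
    print("unexpected open:", unexpected_open(SAMPLE_GNMAP, policy_allows))
    print("answered but closed:", answered_probes(SAMPLE_GNMAP))
```

With an empty allow list the check reports 443 as unexpectedly open; with 443 on the list it passes, and the `closed` 8080 is reported separately because `closed` means a reply was received, which is not the same outcome as a dropped packet.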