Router ACL Security Question???

Answered Question
Jun 30th, 2010
Hello All,


I have a 2851 ISR Router and this router needs to act as a firewall. I do not have a firewall between my inside network and the outside internet. Can anyone tell me how to go about denying traffic from the outside to my inside network using a simple ACL, while allowing all other traffic defined in my other ACLs?


Federico Coto F... Wed, 06/30/2010 - 10:08

Hi,


You can create an ACL where you first define all the traffic that is permitted. Then everything that is not specified in the ACL is going to be denied by default.

Depending on the IOS, you can configure ZBF, which essentially turns the router into an IOS Firewall device.


Federico.

Charlie Mayes Wed, 06/30/2010 - 10:11

So are you saying I need to avoid using the permit ip any any statement? This way the implicit deny will block everything else.

Correct Answer
Federico Coto F... Wed, 06/30/2010 - 10:14

If you want to just permit a few things and deny everything else, you should avoid the permit ip any any.

The implicit deny will take care of everything not specified in the ACL as permit.


You need to be careful because only traffic specified in the ACL will be able to pass through the router.


The IOS Firewall feature is nice because the router will allow traffic to pass through and allow the replies back even though they are not explicitly permitted in the ACL. So, the router keeps a stateful table for the connections (turning it into a sort of firewall).


Federico.
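As an added illustration of the two approaches discussed in this thread (example configuration, not taken from the original posts): the first part shows an outside-interface ACL with and without the trailing permit ip any any, the second replaces the stateless ACL with a Zone-Based Firewall policy so that replies to inside-initiated connections are allowed back in. The interface names, the 192.0.2.0/24 inside network (assumed to be routable, no NAT) and the 203.0.113.0/24 outside link are assumed values.

```cisco
! ---- Option 1: plain extended ACL on the outside interface ----
! Weak: a trailing "permit ip any any" overrides the implicit deny, so
! anything not matched above it reaches the inside network.
ip access-list extended OUTSIDE-IN-WEAK
 permit tcp any host 192.0.2.10 eq 443
 permit ip any any
!
! Corrected: permit only what must be reachable from the outside; the
! implicit deny at the end of the list drops everything else. The explicit
! "deny ip any any log" has the same effect but records what was dropped.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 25
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside (Internet)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Caveat: OUTSIDE-IN is stateless, so replies to connections started from
! the inside also arrive inbound on Gi0/0 and are dropped by this ACL.
!
! ---- Option 2: Zone-Based Firewall (replaces the interface ACL) ----
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 no ip access-group OUTSIDE-IN in
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.0.2.1 255.255.255.0
 zone-member security INSIDE
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect INSIDE-TO-OUTSIDE-TRAFFIC
  inspect
 class class-default
  drop
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! No OUTSIDE->INSIDE zone-pair is defined, so unsolicited traffic from the
! Internet to the LAN is dropped; only inspected return traffic passes.
```

With Option 2, any service that must be reachable from the Internet needs its own OUTSIDE-to-INSIDE zone-pair whose class matches an ACL listing just those hosts and ports.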
