Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
0
Helpful
4
Replies

Router ACL Security Question???

Go to solution
Charlie Mayes
Level 1
Level 1

‎06-30-2010 09:59 AM - edited ‎03-04-2019 08:56 AM

                     Hello All,

I have a  2851 ISR Router and this router needs to act as a firewall. I do not have a firewall between my inside network and out internet. Can anyone tell me how to go about denying traffic from the outside to my inside network using a simple ACL while allowing all other traffic defined in my other ACL'S?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Charlie Mayes

‎06-30-2010 10:14 AM

If you want to just permit a few things and deny everything else, you should avoid the permit ip any any.

The implicit deny will take care of everything not specified in the ACL as permit.

You need to careful because only traffic specified in the ACL will be able to pass through the router.

The IOS Firewall feature is nice because the router will allow traffic to pass through and allow the replies back even though they are not explicitly permitted in the ACL. So, the router keeps a stateful table for the connections (turn it into a sort of Firewall).

Federico.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎06-30-2010 10:08 AM

Hi,

You can create an ACL where you first define all the traffic that is permitted. Then everything that is not specified in the ACL is going to be denied by default.

Depending on the IOS, you can configure ZBF which essentially turns the router in an IOS Firewall device.

Federico.

0 Helpful

Go to solution
Charlie Mayes
Level 1
Level 1
In response to Federico Coto Fajardo

‎06-30-2010 10:11 AM

So are you saying I need to avoid using the permit ip any any statement? This way the implicit deny will block everything else.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Charlie Mayes

‎06-30-2010 10:14 AM

If you want to just permit a few things and deny everything else, you should avoid the permit ip any any.

The implicit deny will take care of everything not specified in the ACL as permit.

You need to careful because only traffic specified in the ACL will be able to pass through the router.

The IOS Firewall feature is nice because the router will allow traffic to pass through and allow the replies back even though they are not explicitly permitted in the ACL. So, the router keeps a stateful table for the connections (turn it into a sort of Firewall).

Federico.

0 Helpful

Go to solution
Charlie Mayes
Level 1
Level 1
In response to Federico Coto Fajardo

‎06-30-2010 10:17 AM

           Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card