ACL on inside LAN - to allow only replies to outside interface requests

Unanswered Question
May 21st, 2012

Dear friends,

I want suggestions on best practice. I suspect that my internal network has some virus or trojan. From my router, all traffic is allowed from inside to outside, and from outside only a couple of ports and established connections.

My requirement is: I want to rule out the possibility of my router sending the garbage out to the WAN link, which is actually blocking my link. What is the best way to do this? Please advise how you guys do it in your environment. Can we only allow the replies to the ports which I have allowed on my outside WAN port, so at least I will be sure that no extra traffic is going out? Please advise.

Nandan Mathure Mon, 05/21/2012 - 09:51

I am not too sure if it is really scalable to keep blocking ports. I would recommend a filter device inline with the router which could be scanning the traffic all the time, or some inline cards. You can also check open source solutions like Untangle.

Also, let's see what others think.

Thanks,

Nandan.

jatinkumar Mon, 05/21/2012 - 10:07

Hey Nandan, not sure if you understood my requirement. I know this is possible with the router, but I am not getting the idea how. Any idea from the team?

Please advise.

dancicioiu Mon, 05/21/2012 - 10:43

Hi,

The thing is that the trojan is initiating the traffic from inside, so there is no real use in filtering the traffic from outside to inside. A good thing would be to restrict the users to some well-known destination ports to the internet: tcp 80, tcp 443, tcp 21/20. A better way to offer internet access to the users is a proxy: you can inspect and restrict the user access.

Dan

jatinkumar Mon, 05/21/2012 - 11:14

Hi Dan, as such I don't have much from inside to send to outside. The way my setup is, I have two requirements:

1. Exchange, so people connect from outside; so on the outside port I allowed 443/25 and DNS.

2. People RDP to public IPs which are on the inside LAN.

Now my requirement is not to allow anything from the inside interface to be sent to the outside WAN. Doing this will at least give me some confidence that the traffic which is going out is correct. Any suggestions?
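The "reply only" ACL that Dan and jatinkumar are describing, written out as an added illustration that is not from either of them: an extended ACL applied inbound on the inside LAN interface of an IOS router, permitting only return traffic from the published Exchange and RDP hosts plus the few user destination ports Dan listed, and logging everything else. The interface name and the 192.168.10.x addresses are assumed placeholders.

```cisco
! Added example (not from the thread). Assumed placeholders:
!   FastEthernet0/0   = inside LAN interface on an 1841
!   192.168.10.0/24   = inside LAN
!   192.168.10.5      = Exchange server (443/25 published, also answers DNS)
!   192.168.10.20     = host reached by RDP from outside
ip access-list extended LAN-TO-WAN
 remark Replies from the published servers to sessions opened from the WAN.
 remark 'established' matches only segments with ACK or RST set, so a host
 remark on the LAN cannot open new connections through these lines.
 permit tcp host 192.168.10.5 eq 443 any established
 permit tcp host 192.168.10.5 eq 25 any established
 permit tcp host 192.168.10.20 eq 3389 any established
 remark UDP has no 'established'; allow DNS answers by source port only.
 permit udp host 192.168.10.5 eq 53 any
 remark Exchange still has to deliver outbound mail and resolve names.
 permit tcp host 192.168.10.5 any eq 25
 permit udp host 192.168.10.5 any eq 53
 remark Ordinary users: only the destination ports Dan listed.
 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 permit tcp 192.168.10.0 0.0.0.255 any range 20 21
 remark Everything else is dropped and logged; the log entries show which
 remark internal host is generating the unexpected traffic.
 deny ip any any log
!
interface FastEthernet0/0
 description inside LAN
 ip access-group LAN-TO-WAN in
!
! Watch the hit counters and the log for the deny line:
!   show access-lists LAN-TO-WAN
!   show logging | include LAN-TO-WAN
```

The established keyword is stateless (it only checks TCP flags), so where the IOS image supports it a reflexive ACL (reflect/evaluate) or zone-based firewall gives true stateful reply matching. Any traffic the LAN must send to the router itself, such as management sessions, also needs a permit line before the final deny.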

Posted May 21, 2012 at 9:32 AM
Tags: ios, acl, nat, router, 1841
Categories: Routers