Cisco Support Community

New Member

ACL issue with Router 2801

I have to implement an ACL on my router and have to block all the incoming access except some protocols.

Sample ACL is listed below

permit tcp any 29.165.175.0 0.0.0.255 eq 443
permit tcp any 29.165.175.0 0.0.0.255 eq 9000
permit icmp any any echo-reply
deny ip any any

The ACLs will be applied on “in” of the “outside interface”.

I just want to know whether it would block the inbound requests generated in return for the traffic generated from inside; for example, if I browse cisco.com, would the request be blocked when the website contents try to come in from outside?

Do I have to use the established statement or a reflexive access list?

Let me know please

Thanks in Advance

  • Firewalling
12 REPLIES
Cisco Employee

Re: ACL issue with Router 2801

Yes, return traffic will be blocked. I would suggest using inspect outbound in order to allow return traffic that is in response to an outbound connection (reflexive ACLs used to do it but they are deprecated now).

Here is a sample:

ip inspect name FW tcp
ip inspect name FW tcp
ip inspect name FW dns
ip inspect name FW
interface eth0/1
 description Outside
 ip inspect FW out
 ip access-group xxx in

I hope it helps.

PK

New Member

Re: ACL issue with Router 2801

Thanks, it makes sense.

Cisco Employee

Re: ACL issue with Router 2801

If you are OK with it you can enable a basic firewall on the router, thus making it stateful; this will work.

Use the following:

ip inspect name fw dns
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp

and apply this on the outside interface in the outbound direction:

int fa0
 ip inspect fw out
 ip access-group 100 in

where ACL 100 will have permits for out-to-in connections and deny for the rest.

This way you will make your router stateful and secure; in-to-out return traffic is permitted.

New Member

Re: ACL issue with Router 2801

Thanks, it's very helpful.

New Member

Re: ACL issue with Router 2801

What about active and passive FTP?

Cisco Employee

Re: ACL issue with Router 2801

Inspect ftp, but again it depends where exactly your server is, whether inside or outside.

Cisco Employee

Re: ACL issue with Router 2801

Make sure the more specific ones like dns, ftp, http etc. come first, then the more generic ones like tcp and udp.

Cisco Employee

Re: ACL issue with Router 2801

You can add

ip inspect name FW ftp

Please mark this as answered if it is, for the benefit of others.

PK

New Member

Re: ACL issue with Router 2801

Just to be specific: the ip inspect name FW rule is for all the inbound traffic which is generated in response to the outbound access.
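As an added illustration, not from the thread or from Cisco, here is a small Python model of why the ACL in the question drops the reply to an outbound HTTPS request and how an inspect session lets that reply back in. The web-server address 198.51.100.10, the inside host 29.165.175.5 and the ephemeral port 51000 are constructed values, and the session table is a simplified stand-in for what the router's inspection does.

```python
import ipaddress
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; for icmp, sport carries the ICMP type and dport is 0.
Packet = namedtuple("Packet", "proto src sport dst dport")
# The thread's inbound ACL on the outside interface as (action, proto, dst network,
# dst port or ICMP type); the source is "any" on every line, as in the question.
ACL_OUTSIDE_IN = [
    ("permit", "tcp", "29.165.175.0/24", 443),
    ("permit", "tcp", "29.165.175.0/24", 9000),
    ("permit", "icmp", "0.0.0.0/0", 0),  # echo-reply only
    ("deny", "ip", "0.0.0.0/0", None),
]

def acl_lookup(acl, pkt):
    """Stateless first-match evaluation, the way an ACL applied 'in' behaves."""
    for action, proto, net, port in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(net):
            continue
        if port is not None and port != (pkt.sport if pkt.proto == "icmp" else pkt.dport):
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

class InspectingInterface:
    """Simplified model of 'ip inspect FW out' combined with 'ip access-group ... in'."""
    def __init__(self, acl, inspected):
        self.acl, self.inspected, self.sessions = acl, inspected, set()
    def outbound(self, pkt):
        # Inspection records the outbound flow so that its mirror image is let back in.
        if pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"
    def inbound(self, pkt):
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "permit"  # dynamic entry created by inspection, checked before the ACL
        return acl_lookup(self.acl, pkt)

def run_scenario():
    """Inside host 29.165.175.5 browses the constructed outside web server 198.51.100.10."""
    request = Packet("tcp", "29.165.175.5", 51000, "198.51.100.10", 443)
    reply = Packet("tcp", "198.51.100.10", 443, "29.165.175.5", 51000)
    iface = InspectingInterface(ACL_OUTSIDE_IN, {"tcp", "udp"})
    iface.outbound(request)
    return {"reply_acl_only": acl_lookup(ACL_OUTSIDE_IN, reply),  # "deny": port 51000 is not 443/9000
            "reply_with_inspect": iface.inbound(reply),            # "permit": session recorded on the way out
            "unsolicited_ssh": iface.inbound(Packet("tcp", "203.0.113.7", 4444, "29.165.175.5", 22))}
```

The model keeps the question's stateless permit for echo-reply from any source; adding icmp to the inspected set would be the way to allow only replies to the router's own outbound pings.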
