ACL Reflex, Inspect or Simple

imranraheel
Level 1

I have to implement an ACL which allows all the outbound connections but restricts the inbound connections, so eventually I will allow a few hosts to access my internal network. The specified ACL will be applied on the outside interface of the router in the inbound direction. The only issue in my mind is, would this ACL block the inbound traffic which is generated in response to requests made by the internal hosts, like an FTP request from inside to outside, an HTTP request, a POP request; would that be blocked?

Expert opinion required.

Thanks in advance.

5 Replies

Jon Marshall
Hall of Fame

imranraheel wrote:

I have to implement an ACL which allows all the outbound connections but restricts the inbound connections, so eventually I will allow a few hosts to access my internal network. The specified ACL will be applied on the outside interface of the router in the inbound direction. The only issue in my mind is, would this ACL block the inbound traffic which is generated in response to requests made by the internal hosts, like an FTP request from inside to outside, an HTTP request, a POP request; would that be blocked?

Expert opinion required.

Thanks in advance.

Depends on your ACL. But with a basic ACL, if you apply an ACL inbound to the outside interface, yes, you would need to add rules to allow the return traffic. This can be problematic, especially with the internet, because you end up having to add more and more rules to the ACL to account for return traffic.

Ignoring the "established" keyword, the next step up is reflexive ACLs, which will dynamically allow the outbound traffic back in. The next step up from that is a stateful firewall, which will do what reflexive ACLs can do but a lot more as well in terms of inspection of traffic etc.

If you are connecting to the internet you really should be looking at a stateful firewall to protect your internal LAN, whether that be a dedicated firewall such as the ASA or the firewall feature set on a router.

Jon

Maykol Rojas
Cisco Employee

Hello,

Good day. It depends, really really really depends. If you have an ASA firewall, as long as you have a NAT translation to go out (supposing that you have the inside network with a security level of 100 and the outside at 0), everything going to the internet will be permitted, and all inbound traffic will be denied by default; no access list needed. In order to allow traffic you only need to apply one access list inbound on the outside interface to allow the traffic coming in. The ASA has inspections for FTP and so on, so all the access will be permitted and inspected, and also if any new data channel needs to be opened the firewall will do it dynamically.

On a router environment, you can accomplish this as well really easily by doing CBAC, making your life a lot easier. You basically will have an inspection applied outbound and then the ACL applied inbound denying all the traffic or permitting the things that you need. Then the inspection will do the same thing as it does on the firewall: if protocols like FTP need to open a new data channel, it will be done automatically.

In both cases using inspection, as long as the traffic is being inspected, the return traffic will always be allowed.

Here is a basic configuration for CBAC, supposing int fa 4 is the outside:

! inspection rule FW: track FTP (including its data channel), plus generic UDP and TCP
ip inspect name FW ftp
ip inspect name FW udp
ip inspect name FW tcp
! drop everything arriving unsolicited; inspection opens temporary holes for return traffic
access-list 101 deny ip any any
int fa 4
 ip inspect FW out
 ip access-group 101 in

If you have any doubts, please feel free to post.

Mike.


Thanks Maykol

So you think inspect will work fine for my scenario and the router will act as a stateful firewall?

Also, is it possible to see all the outbound traffic and then the responses, to find out if it is blocked or not?

Thanks

You can do "sh ip inspect sessions" to see the established sessions that are allowed.

You can enable "ip log drop pack" to see the dropped inbound packets in the logs.

I hope it helps.

PK

Hello,

Yes, Panos is totally right. That is how you check the sessions that are being allowed, and with the ip inspect log drop-pkt and doing a term mon, you will be able to see what is being denied.

Hope this makes sense.

Any doubts please let me know.

Mike.

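Pulling the thread together, here is a fuller CBAC build-out (an added example, not Maykol's, Panos's or Cisco's own configuration) that extends the inspection-plus-ACL sketch above with the original poster's requirement of admitting a few named outside hosts, and ends with the verification commands from the later replies. The interface name, the internal server and the permitted outside host are constructed placeholders.

```ios
! Added example: classic IOS CBAC, outside interface = FastEthernet4.
! Assumed placeholder addresses: 192.168.1.10 is an internal server,
! 203.0.113.5 is the one outside host allowed to reach it on TCP/22.
!
! 1. Inspection rule. Sessions that leave through Fa4 are tracked and
!    their return traffic is let back in through ACL 101, including
!    the FTP data channel that the ftp inspector learns from the control session.
ip inspect name FW ftp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! 2. Inbound ACL on the outside interface. Only the explicitly listed
!    outside host may open a connection on its own; everything else that
!    was not solicited from inside is dropped and logged.
access-list 101 permit tcp host 203.0.113.5 host 192.168.1.10 eq 22
access-list 101 deny ip any any log
!
! 3. Bind both to the outside interface: inspect what goes out,
!    filter what comes in.
interface FastEthernet4
 ip inspect FW out
 ip access-group 101 in
!
! 4. Log the packets that inspection drops, so blocked replies show up
!    alongside the ACL deny messages.
ip inspect log drop-pkt
!
! Verification from exec mode:
!   show ip inspect sessions   - outbound sessions currently allowed back in
!   show ip inspect config     - confirm rule FW and its protocol list
!   terminal monitor           - watch the drop/deny log lines live on this vty
```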