10-28-2010 01:50 PM - edited 03-11-2019 12:02 PM
I have to implement an ACL which allows all the outbound connections but restricts the inbound connections, so eventually I will allow a few hosts to access my internal network. The specified ACL will be applied on the outside interface of the router in the inbound direction. The only issue in my mind is, would this ACL block the inbound traffic which is generated in response to requests generated by the internal hosts, like FTP requests from inside to outside, HTTP requests, POP requests? Would those be blocked?
Expert opinion required.
Thanks in advance.
10-28-2010 03:41 PM
imranraheel wrote:
I have to implement an ACL which allows all the outbound connections but restricts the inbound connections, so eventually I will allow a few hosts to access my internal network. The specified ACL will be applied on the outside interface of the router in the inbound direction. The only issue in my mind is, would this ACL block the inbound traffic which is generated in response to requests generated by the internal hosts, like FTP requests from inside to outside, HTTP requests, POP requests? Would those be blocked?
Expert opinion required.
Thanks in advance.
Depends on your ACL. But with a basic ACL, if you apply an ACL inbound on the outside interface, yes, you would need rules to allow the return traffic. This can be problematic, especially with the internet, because you end up having to add more and more rules to the ACL to account for return traffic.
Ignoring the "established" keyword, the next step up is reflexive ACLs, which will dynamically allow the outbound traffic back in. The next step up from that is a stateful firewall, which will do what reflexive ACLs can do but a lot more as well in terms of inspection of traffic etc.
If you are connecting to the internet, you really should be looking at a stateful firewall to protect your internal LAN, whether that be a dedicated firewall such as the ASA or the firewall feature set on a router.
Jon
10-28-2010 09:41 PM
Hello,
Good day. It depends, really, really, really depends. If you have an ASA firewall, as long as you have a NAT translation to go out (supposing that you have the inside network with a security level of 100 and the outside as 0), everything going to the internet will be permitted, and all inbound traffic will be denied by default; no access list is needed. In order to allow traffic, you only need to apply one access list inbound on the outside interface to allow the traffic coming in. The ASA has inspections for FTP and so on, so all the access will be permitted and inspected, and also if any new data channel needs to be opened, the firewall will do it dynamically.
On a router environment, you can accomplish this really easily as well by doing CBAC, making your life a lot easier. You will basically have an inspection applied outbound and then the ACL applied inbound, denying all the traffic or permitting the things that you need. Then the inspection will do the same thing as it does on the firewall: if protocols like FTP need to open a new data channel, it will be done automatically.
In both cases, using inspection, as long as the traffic is being inspected, the return traffic will always be allowed.
Here is a basic configuration for CBAC, supposing int fa 4 is the outside:
ip inspect name FW ftp
ip inspect name FW udp
ip inspect name FW tcp
access-list 101 deny ip any any
interface FastEthernet4
 ip inspect FW out
 ip access-group 101 in
If you have any doubts, please feel free to post.
Mike.
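To make the difference between Jon's three options and Mike's inspection approach concrete, here is an added example that is not part of the thread: a small Python model of a packet filter sitting on the outside interface. It compares a plain inbound ACL, the same ACL with the TCP "established" keyword, and a session table of the kind reflexive ACLs and CBAC inspection maintain, all run over the same constructed flows (an HTTP reply, a DNS reply, an active-mode FTP data channel, and two unsolicited inbound packets). The host addresses, ports and the `Packet` class are constructed for illustration; the FTP pinhole logic is a simplification of what real inspection does and is not IOS code.

```python
# Added example (not from the thread): a toy packet-filter model comparing the
# three approaches the replies above discuss. Hosts, ports and packets are
# constructed for illustration; nothing here is IOS code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    direction: str    # "out" = inside -> outside, "in" = outside -> inside
    syn: bool = False
    ack: bool = False


def static_acl(pkt, permitted_hosts=()):
    """Plain ACL applied inbound on the outside interface: everything outbound
    is permitted, inbound only from hosts explicitly listed."""
    if pkt.direction == "out":
        return True
    return pkt.src in permitted_hosts


def established_acl(pkt, permitted_hosts=()):
    """Same ACL plus 'permit tcp any any established': inbound TCP segments
    with ACK (or RST) set are permitted; the flag bits are all that is checked."""
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp" and pkt.ack:
        return True
    return pkt.src in permitted_hosts


class StatefulInspector:
    """Session table in the spirit of reflexive ACLs / CBAC: outbound packets
    create entries, inbound packets must match one. FTP control sessions also
    open a pinhole for the server-initiated data channel (active mode)."""

    def __init__(self):
        self.sessions = set()      # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.ftp_pinholes = set()  # (inside_ip, ftp_server_ip)

    def filter(self, pkt, permitted_hosts=()):
        if pkt.direction == "out":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if pkt.proto == "tcp" and pkt.dport == 21:
                self.ftp_pinholes.add((pkt.src, pkt.dst))
            return True
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        if pkt.proto == "tcp" and pkt.sport == 20 and (pkt.dst, pkt.src) in self.ftp_pinholes:
            return True
        return pkt.src in permitted_hosts


def verdict(filter_fn, pkts):
    """Feed a flow in order and return the filter's decision on its last packet
    (the inbound one in every flow below)."""
    decision = False
    for p in pkts:
        decision = filter_fn(p)
    return decision


def run_scenario():
    inside, web, ftp, dns = "10.1.1.10", "203.0.113.5", "203.0.113.21", "203.0.113.53"
    outsider = "198.51.100.7"
    flows = {
        # HTTP request out, SYN/ACK back from the web server
        "http_reply": [Packet(inside, web, "tcp", 40000, 80, "out", syn=True),
                       Packet(web, inside, "tcp", 80, 40000, "in", syn=True, ack=True)],
        # DNS query out, UDP reply back: no TCP flags to match on
        "dns_reply": [Packet(inside, dns, "udp", 40001, 53, "out"),
                      Packet(dns, inside, "udp", 53, 40001, "in")],
        # FTP control out, then the server opens the active-mode data channel itself
        "ftp_data": [Packet(inside, ftp, "tcp", 40002, 21, "out", syn=True),
                     Packet(ftp, inside, "tcp", 20, 40003, "in", syn=True)],
        # Unsolicited SYN from outside: dropped by all three
        "unsolicited_syn": [Packet(outsider, inside, "tcp", 5555, 445, "in", syn=True)],
        # Unsolicited segment with only ACK set: 'established' matches on flags alone
        "unsolicited_ack": [Packet(outsider, inside, "tcp", 5555, 445, "in", ack=True)],
    }
    results = {}
    for name, pkts in flows.items():
        results[name] = {
            "static": verdict(static_acl, pkts),
            "established": verdict(established_acl, pkts),
            "stateful": verdict(StatefulInspector().filter, pkts),
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenario().items():
        print(f"{name:16s} static={r['static']!s:5s} "
              f"established={r['established']!s:5s} stateful={r['stateful']}")
```

Running it shows the point both replies make: the plain ACL blocks every reply, the "established" keyword rescues TCP replies but not UDP or the FTP data channel (and, because it only inspects flag bits, it also lets through an unsolicited segment that happens to carry ACK), while the session table allows exactly the return traffic of sessions the inside host started and nothing else.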
10-29-2010 06:38 AM
Thanks Maykol
So you think inspect will work fine for my scenario and the router will act as a stateful firewall?
Also, is it possible to see all the outbound traffic and then the response, to find out if it is blocked or not?
Thanks
10-29-2010 10:33 AM
You can do "sh ip inspect sessions" to see the established sessions that are allowed.
You can enable "ip inspect log drop-pkt" to see the dropped inbound packets in the logs.
I hope it helps.
PK
10-29-2010 10:37 AM
Hello,
Yes, Panos is totally right. That is the way you check the sessions that are being allowed, and with "ip inspect log drop-pkt" and doing a "term mon", you will be able to see what is being denied.
Hope this makes sense.
Any doubts please let me know.
Mike.