Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACL Reflex, Inspect or Simple

I have to implement an ACL which allows all the outbound connection but restrictions on the inbound connection , so eventuall i will allow few hosts to access my internal network. The specified ACL will be applied on the outside interface of the route in the inbound direction . The only issue in my mind is , would this ACL will block the inbound traffic access which is generated in response of the request generated by the internal host like FTP request from inside to out side HTTP request POP request would that be blocked ?

Expert openion required.

Thanks in advance.

  • Firewalling
5 REPLIES
Hall of Fame Super Blue

Re: ACL Reflex, Inspect or Simple

imranraheel wrote:

I have to implement an ACL which allows all the outbound connection but restrictions on the inbound connection , so eventuall i will allow few hosts to access my internal network. The specified ACL will be applied on the outside interface of the route in the inbound direction . The only issue in my mind is , would this ACL will block the inbound traffic access which is generated in response of the request generated by the internal host like FTP request from inside to out side HTTP request POP request would that be blocked ?

Expert openion required.

Thanks in advance.

Depends on your acl. But with a basic acl if you apply an acl inbound to the outside interface yes you would need to allow rules to allow the return traffic. This can be problematic especially with the internet because you end up having to add more and more rules to the acl to account for return traffic.

Ignoring the "established" keyword the next step up is reflexive acl's which will dynamically allow the outbound traffic back in. The next step up from that is a stateful firewall which will do what reflexive acl's can do but a lot more as well in terms of inspection of traffic etc.

If you are connecting to the internet you really should be looking at a stateful firewall to protect your internal LAN whether that be a dedicated firewall such as the ASA or the firewall feature set on a router.

Jon

Cisco Employee

Re: ACL Reflex, Inspect or Simple

Hello,

Good day It depends, really really really depends. If you have an ASA firewall, as long as you have a NAT translation to go out (supposing that you have the inside network with a security level 100 and the outside as 0) everything going to the internet will be permitted, and all inbound traffic will be denied by default, no access list needed. In order to allow traffic you only need to apply one access list inbound on the outside interface in order to allow the traffic coming in. The ASA has inspections for FTP and so on so all the access will be permitted and inspected and also if any new data channel needs to be opened the firewall will do it dynamically.

On a router environment, you can accomplish this as well really easy doing CBAC and making your life a lot easy. You basically will have an inspection applied outbound and then the acl applied inbound denying all the traffic or permitting the things that you need. Then, the inspections will do the same thing as they do on the firewall, if protocols like FTP need to open a new data channel it will be done automatically.


In both cases using inspection, as long as the traffic is being inspected, the return traffic always will be allowed.

Here is a basic configuration for CBAC supposing int fa 4 is the outside

Ip inspect FW tfp

ip inspect FW udp

Ip inspect FW tcp

access-list 101 deny ip any any

int fa 4

ip inspect FW out

ip access-group 101 in

If you have any doubts, please feel free to post.

Mike.

Mike
New Member

Re: ACL Reflex, Inspect or Simple

Thanks Maykol

SO you think inspect will work fine for my scenerion and wouter will act as a statefull firewall.

Also is it possible to see all the outbound traffic and than the response to fine out if it is blocked or not.

Thanks

Cisco Employee

Re: ACL Reflex, Inspect or Simple

You can do "sh ip inspect sessions" to see the established sessions that are allowed.

You can enabled "ip log drop pack" to see the dropped inbound packets in the logs.

I hope it helps.

PK

Cisco Employee

Re: ACL Reflex, Inspect or Simple

Hello,

Yes, Panos is totally right. That is the way how you check the sessions that are being allowed, and with the ip inspect log drop-pkt and doing a term mon, you will be able to see what is being deny.

Hope this makes sense.

Any doubts please let me know.

Mike.

Mike
673
Views
0
Helpful
5
Replies
This widget could not be displayed.