Cisco Support Community
New Member

Block all inbound, allow outbound?

I've got a simple NAT router. Fa0/0 is outside and Fa0/1 is inside. Inside network is 172.16.1.0/24. Outside network is a single dynamic public IP assigned from the ISP. I'm trying to implement a "Deny by Default" rule set that denies all inbound traffic but allows all outbound traffic, but I can't seem to figure it out. I thought doing something like the following would work but it disables the Internet:

access-list 101 deny tcp any any

access-list 101 deny udp any any

Then apply it as "in" on Fa0/0.

Any advice would be great!

Sent from Cisco Technical Support iPad App

10 REPLIES
Cisco Employee

Block all inbound, allow outbound?

Hi,

It is not going to work. Basically, replies are also TCP packets that are potentially going to be denied by this rule. How to overcome this issue? Make it stateful, meaning that the return packets of sessions established from the inside are going to be allowed, while sessions that were not initiated from the inside network but rather from the outside are going to be denied.

Apply this

ip inspect name FW tcp

ip inspect name FW udp

ip inspect name FW icmp

access-list 101 deny ip any any

int fa 0/0

ip inspect FW out

ip access-group 101 in

Let me know how it goes.

Mike
New Member

Re: Block all inbound, allow outbound?

Wow awesome that makes sense... I'll go give it a shot!

Sent from Cisco Technical Support iPad App

New Member

Re: Block all inbound, allow outbound?

Nice that worked well... Any reason I wouldn't do:

ip inspect name FW ip

access-list 101 deny ip any any

int Fa0/0

ip inspect FW out

ip access-group 101 in

Just curious. Thanks so much for your help, didn't know about that inspect function.

Sent from Cisco Technical Support iPad App

New Member

Re: Block all inbound, allow outbound?

I bet you're going to say because only TCP, UDP, and ICMP can be stateful. Just a guess, this isn't what I'm an expert in.

Sent from Cisco Technical Support iPad App

New Member

Hi!

Is there any way to achieve this WITHOUT using ip inspect and using ONLY access-lists? I mean to block all inbound traffic but allow all outgoing.

Thanks.

Cisco Employee

Block all inbound, allow outbound?

Well, basically because there is no general IP inspection. You see, inspection works by checking different information at layer 3/4 in order to keep track of a session. For example, for UDP and TCP you grab the source IP and destination IP plus source and destination ports; with ICMP you grab the same source IP and destination IP plus the type/code (echo, echo reply and such).

If there were such a thing as inspect IP, it would only grab source and destination IP addresses, no matter whether the packets belong to a valid session or not. What Cisco wanted to do is keep real and accurate track of each session to avoid attacks.

Kinda deep. If you want to check more about inspection, whenever you have time, you can take a quick look at the following:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Glad I could help a bit.

Mike
Cisco Employee

Block all inbound, allow outbound?

Nahh, it's alright... the first time I saw it, it took me several sleepless nights just to understand it... been there, done that....

Mike
New Member

Re: Block all inbound, allow outbound?

Thanks again, this community is so supportive, full of people like you who really want to help and educate.

Sent from Cisco Technical Support iPad App

Cisco Employee

It can be done, however only with TCP traffic, using the "established" keyword. 

Mike
New Member

I also just found the solution of reflexive access list !

https://supportforums.cisco.com/document/84441/reflexive-access-list-ios
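For reference, the two ACL-only alternatives named in the last two replies, written out as an added example (not configuration from the thread or from Cisco's document). The ACL names OUTBOUND, INBOUND and REFLECT are assumed; because NAT is translated before the outbound ACL on Fa0/0 is checked, the reflect entries match on `any` rather than on 172.16.1.0/24.

```cisco
! --- Option 1: "established" keyword (TCP only) ---------------------------
! Permits only TCP segments with ACK or RST set, i.e. replies to a connection
! someone opened. No state is kept: UDP and ICMP return traffic (DNS, ping)
! is still dropped, and any inbound segment with ACK set passes the check.
access-list 102 permit tcp any any established
access-list 102 deny   ip  any any log
!
! --- Option 2: reflexive ACL (TCP, UDP and ICMP, real session table) -------
! Each permitted outbound flow creates a temporary mirrored entry in REFLECT
! (addresses/ports swapped) that expires after the timeout; INBOUND consults
! that table and drops everything else.
ip access-list extended OUTBOUND
 permit tcp  any any reflect REFLECT timeout 300
 permit udp  any any reflect REFLECT timeout 60
 permit icmp any any reflect REFLECT timeout 30
 permit ip   any any
!
ip access-list extended INBOUND
 evaluate REFLECT
 deny ip any any log
!
interface FastEthernet0/0
 description Outside (dynamic ISP address)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Reflexive ACLs must be named extended ACLs, and the `permit ip any any` after the reflect lines keeps non-tracked protocols flowing outbound without creating return entries; replace `ip access-group OUTBOUND out`/`INBOUND in` with the `access-list 102` pair to use option 1 instead.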
