Cisco Support Community
New Member

Simple ACL outside interface

Hello,

Does a router require a Firewall license in order to apply an ACL in the inward direction on an outside interface?  I have a router which I use to NAT our internal network and I want to apply a simple ACL to block unwanted access to the router from the internet.  As soon as this ACL is applied the users cannot browse the internet.  I do have a couple of other ISR routers with a firewall license and I use the inspect commands.  This is an ASR which may be different, but I do not have the firewall license applied to this router.

Any help would be great.

Thanks,

Dan.

11 REPLIES

Simple ACL outside interface

Hello,

No need for the ACL,

You can provide us the configuration and then we will analyze it for you.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Simple ACL outside interface

Ok, so what do you use to secure the router?

There is nothing notable about the config.  Inside interface, outside interface and nat in between.

interface GigabitEthernet0/0/0
 description Outside Interface
 ip address 64.64.20.64 255.255.255.128 secondary
 ip address 37.7.7.8 255.255.255.252
 ip nat outside
 negotiation auto
 cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description Inside Interface
 ip address 10.110.1.1 255.255.255.0
 ip nat inside
 negotiation auto
 cdp enable
 no ip virtual-reassembly
!
ip nat pool pool-159.1 64.64.20.64 64.64.20.64 netmask 255.255.255.128
ip nat inside source list ip-nat-159.1 pool pool-159.1 overload

Simple ACL outside interface

Hello Dan,

I meant no need for a license in order to use ACLs.

Can you share the configuration you have when the issue happens?

Cheers,

Julio Carvajal Segura
New Member

Simple ACL outside interface

Ah, OK, then I believe I must do some troubleshooting with the ACL. I'm sure I am blocking something that is needed. I am basically denying everything except the traffic from our ISP for our BGP peer.

10 permit ip 64.64.0.0 0.0.255.255 any (8866 matches)
30 permit udp any any eq ntp (4916 matches)
40 permit icmp any any echo-reply (9685 matches)
50 permit udp any any eq domain (477 matches)
60 permit tcp any any eq domain (13 matches)
1000 deny ip any any log (49238 matches)

Thanks,

Dan.

Simple ACL outside interface (Accepted Solution)

Hello Dan,

The thing is that with that configuration you are denying HTTP, HTTPS, FTP, etc.

Is that what you are looking for? Because with that you will not allow access to any website.

My recommendation would be to use an inspection engine such as ZBFW, which allows you to protect the internal network from outside users while still allowing all traffic from inside to outside.

Cheers,

Julio Carvajal Segura
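What the ZBFW recommendation above looks like on Dan's two interfaces, as an added example that is not part of the thread or of Julio's reply: inside-to-outside is inspected so replies are admitted by the session table rather than by an inbound ACL, outside-to-inside has no zone-pair and is dropped, and the router's own "self" zone is restricted to the ISP BGP peer plus the replies the router needs. Interface names and addresses are from Dan's posted config; the zone, class-map, policy-map and ACL names are assumptions made for this example. It needs the security feature set that Dan says this ASR does not have licensed.

```cisco
! Added example (not from the thread): Zone-Based Firewall on Dan's
! router. Interface names/addresses are his; every other name is assumed.

zone security INSIDE
zone security OUTSIDE
!
! --- Inside -> Outside: inspect, so return traffic is admitted -------
class-map type inspect match-any INSIDE-TO-OUTSIDE-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-TRAFFIC
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! No OUTSIDE -> INSIDE zone-pair is defined: traffic between two zones
! with no zone-pair is dropped. That is Dan's "block unwanted access"
! rule, enforced statefully instead of by an inbound ACL.
!
! --- Outside -> self: protect the router itself ----------------------
! Traffic to the router's own addresses (the "self" zone) is allowed by
! default. Without this zone-pair, SSH/HTTP to the router from the
! Internet would still be reachable. "pass" is stateless, so the ACL
! must permit both directions of each session explicitly.
ip access-list extended OUTSIDE-TO-ROUTER
 remark BGP with the ISP range (both directions of the TCP session)
 permit tcp 64.64.0.0 0.0.255.255 any eq bgp
 permit tcp 64.64.0.0 0.0.255.255 eq bgp any
 remark replies to the router's own NTP and DNS queries, and to pings
 permit udp any eq ntp any eq ntp
 permit udp any eq domain any
 permit icmp any any echo-reply
!
class-map type inspect match-any OUTSIDE-TO-ROUTER-CLASS
 match access-group name OUTSIDE-TO-ROUTER
!
policy-map type inspect OUTSIDE-TO-ROUTER-POLICY
 class type inspect OUTSIDE-TO-ROUTER-CLASS
  pass
 class class-default
  drop log
!
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-ROUTER-POLICY
!
! Assign the interfaces. No inbound "ip access-group" is needed on
! GigabitEthernet0/0/0 any more.
interface GigabitEthernet0/0/1
 zone-member security INSIDE
!
interface GigabitEthernet0/0/0
 zone-member security OUTSIDE
```

To confirm it is doing what you expect, `show zone-pair security` lists the pairs and their policies, and `show policy-map type inspect zone-pair IN-OUT sessions` shows the inside-to-outside sessions that are currently allowing replies back in. The self-zone policy is the part most often forgotten: ZBFW protects hosts behind the router by default, not the router.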
New Member

Simple ACL outside interface

Yes, I agree; unfortunately that would require a license.

Dan.

Simple ACL outside interface

Hello Dan,

Yeah, you could also try to use reflexive ACLs, but that's certainly not as scalable as the ZBFW option.

Cheers,

Julio Carvajal Segura
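The problem in Dan's ACL is that nothing permits the replies to sessions his NAT'd hosts open, so an HTTP response (from port 80 to an ephemeral port on 64.64.20.64) falls through to `deny ip any any log`. As an added example that is not from the thread or from Julio's replies, here are two ways to admit that return traffic with an inbound ACL and no stateful firewall feature: the reflexive ACLs Julio mentions, and, going one step beyond the thread, the stateless `established` keyword. Interface, addresses and Dan's own permit lines come from his posts; the ACL names and reflexive list names are assumptions. Whether an ASR image accepts reflexive ACLs without the security license is the question Dan raises, and this does not settle it.

```cisco
! Added example (not from the thread). Interface, addresses and Dan's
! original permit lines are his; ACL and reflexive list names are assumed.
!
! Order of operations on an "ip nat outside" interface:
!   inbound  - the ACL is evaluated before NAT, so it sees the global
!              address 64.64.20.64, never the 10.110.1.0/24 hosts;
!   outbound - NAT runs before the ACL, so an outbound ACL also sees
!              64.64.20.64 as the source.
! Inbound rules are therefore written against the public address.
!
! ---- Option A: stateless, TCP "established" keyword -----------------
! "established" matches only segments with ACK or RST set, so a bare
! SYN (a new inbound connection) is still denied. UDP has no flags, so
! replies can only be recognised by source port, which anyone on the
! Internet can forge: keep those lines narrow, and prefer Option B.
ip access-list extended OUTSIDE-IN
 remark ISP range / BGP peer, exactly as in Dan's ACL
 permit ip 64.64.0.0 0.0.255.255 any
 remark replies to TCP sessions opened by NAT'd hosts and by the router
 permit tcp any host 64.64.20.64 established
 permit tcp any host 37.7.7.8 established
 remark DNS replies arrive FROM port 53; assumes clients use high ports
 permit udp any eq domain host 64.64.20.64 gt 1023
 remark Dan's original lines (the two "eq domain" lines match inbound
 remark queries to port 53, not replies)
 permit udp any any eq ntp
 permit icmp any any echo-reply
 permit udp any any eq domain
 permit tcp any any eq domain
 deny   ip any any log
!
interface GigabitEthernet0/0/0
 ip access-group OUTSIDE-IN in
!
! ---- Option B: reflexive ACLs (named extended ACLs only) -----------
! An outbound ACL on the same interface records each TCP/UDP flow it
! forwards ("reflect") into a temporary list; the inbound ACL inserts
! that list with "evaluate". Entries mirror the exact addresses and
! ports and expire after the timeout, so forging a source port gains
! an attacker nothing. Caveat: outbound ACLs are not evaluated for
! packets the router itself originates, so the router's own NTP/DNS
! replies still need static permits.
ip access-list extended INSIDE-OUT
 permit tcp any any reflect RETURN-TCP timeout 300
 permit udp any any reflect RETURN-UDP timeout 60
 permit ip any any
!
ip access-list extended OUTSIDE-IN-REFLEXIVE
 permit ip 64.64.0.0 0.0.255.255 any
 evaluate RETURN-TCP
 evaluate RETURN-UDP
 remark router-originated traffic is not reflected; allow its replies
 permit udp any eq ntp host 37.7.7.8 eq ntp
 permit udp any eq domain host 37.7.7.8
 permit icmp any any echo-reply
 deny   ip any any log
!
! Use one option or the other: a second "ip access-group ... in" on the
! interface replaces the first.
interface GigabitEthernet0/0/0
 ip access-group INSIDE-OUT out
 ip access-group OUTSIDE-IN-REFLEXIVE in
```

With Option B, `show ip access-lists RETURN-TCP` shows the temporary entries as inside hosts open sessions, each with its remaining lifetime, and the hit count on the final `deny ip any any log` line should stop climbing for ordinary browsing. With either option the `deny ... log` line stays as the last entry so that anything unexpected still shows up in the log.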
New Member

Simple ACL outside interface

Very interesting. I will look into this some more. As far as not being as scalable, are there certain gotchas with these ACLs?

New Member

Simple ACL outside interface

Looks like reflexive ACLs are also not an option without a license.


Simple ACL outside interface

Hi,

Either you use CBAC with the inspect commands and an inbound ACL on the WAN interface, or you can use ZBF (Zone-Based Firewall), and in this case you don't need any ACL inbound on the WAN interface.

Can you tell us which ISR you've got, so we can tell you which IOS/licence you need for the firewall feature (CBAC or ZBF)?

Regards

Alain

Don't forget to rate helpful posts.

New Member

Simple ACL outside interface

It's not an ISR, it's an ASR, as posted in the first post.
