09-09-2013 02:30 PM - edited 03-11-2019 07:35 PM
Hello,
Does a router require a Firewall license in order to apply an ACL in the inward direction on an outside interface? I have a router which I use to NAT our internal network and I want to apply a simple ACL to block unwanted access to the router from the internet. As soon as this ACL is applied the users cannot browse the internet. I do have a couple of other ISR routers with a firewall license and I use the inspect commands. This is an ASR which may be different, but I do not have the firewall license applied to this router.
Any help would be great.
Thanks,
Dan.
09-09-2013 02:38 PM
Hello,
No need for the ACL,
You can provide us the configuration and then we will analyze it for you.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any questions, contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-10-2013 07:39 AM
Ok, so what do you use to secure the router?
There is nothing notable about the config. Inside interface, outside interface and NAT in between.
interface GigabitEthernet0/0/0
 description Outside Interface
 ip address 64.64.20.64 255.255.255.128 secondary
 ip address 37.7.7.8 255.255.255.252
 ip nat outside
 negotiation auto
 cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description Inside Interface
 ip address 10.110.1.1 255.255.255.0
 ip nat inside
 negotiation auto
 cdp enable
 no ip virtual-reassembly
ip nat pool pool-159.1 64.64.20.64 64.64.20.64 netmask 255.255.255.128
ip nat inside source list ip-nat-159.1 pool pool-159.1 overload
09-10-2013 08:58 AM
Hello Dan,
I meant no need for a license in order to use ACLs.
Can you share the configuration you have when the issue happens?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any questions, contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-10-2013 12:00 PM
Ah ok, then I believe I must do some troubleshooting with the ACL. I'm sure I am blocking something that is needed. I am basically denying everything except the traffic from our ISP for our BGP peer.
10 permit ip 64.64.0.0 0.0.255.255 any (8866 matches)
30 permit udp any any eq ntp (4916 matches)
40 permit icmp any any echo-reply (9685 matches)
50 permit udp any any eq domain (477 matches)
60 permit tcp any any eq domain (13 matches)
1000 deny ip any any log (49238 matches)
Thanks,
Dan.
09-10-2013 12:09 PM
Hello Dan,
The thing is that with the configuration you are denying HTTP, HTTPS, FTP, etc., etc.
Is that what you are looking for? Because with that you will not allow access to any website.
My recommendation would be to use an inspection engine such as ZBFW that allows you to protect the internal network from outside users while still allowing all traffic from Inside to Outside.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any questions, contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-10-2013 12:22 PM
Yes I agree, unfortunately that would require a license.
Dan.
09-10-2013 12:26 PM
Hello Dan,
Yeah, you could also try to use reflexive ACLs but that's certainly not as scalable as the ZBFW option.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any questions, contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
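The deny-all inbound ACL Dan posted and the reflexive ACL Julio mentions, modelled in Python as an added example (not code from the thread or from Cisco IOS): it walks the ACL entries top-down the way IOS does, shows the HTTPS reply to a NATed user hitting the final deny, and shows the same reply permitted once a mirrored session entry exists. The Packet type, the sample addresses and ports, and the sequence-5 mirrored entry are assumptions of the example.

```python
# Added example (not from the thread): how IOS walks Dan's inbound ACL on the
# outside interface, statelessly and with a reflexive-style mirrored entry.
import ipaddress
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; ports are 0 where not applicable.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type",
                    defaults=(0, 0, ""))

# (seq, action, proto, src_net, dst_net, dst_port, icmp_type), transcribed from
# Dan's ACL; "eq <port>" after the second "any" is the destination port.
INBOUND_ACL = [
    (10, "permit", "ip", "64.64.0.0/16", "0.0.0.0/0", None, None),
    (30, "permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 123, None),
    (40, "permit", "icmp", "0.0.0.0/0", "0.0.0.0/0", None, "echo-reply"),
    (50, "permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 53, None),
    (60, "permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", 53, None),
    (1000, "deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, None),
]

def matches(entry, pkt):
    _, _, proto, src_net, dst_net, dport, itype = entry
    return (proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
            and (dport is None or pkt.dport == dport)
            and (itype is None or pkt.icmp_type == itype))

def evaluate(acl, pkt):
    """First matching entry wins; no match at all means the implicit deny."""
    for entry in sorted(acl, key=lambda e: e[0]):
        if matches(entry, pkt):
            return entry[1], entry[0]
    return "deny", None

def reflexive_entry(outbound):
    """Mirror of an outbound session, as a reflexive ACL adds dynamically.
    Simplified: checks destination port only; seq 5 puts it before the static entries."""
    return (5, "permit", outbound.proto, outbound.dst + "/32",
            outbound.src + "/32", outbound.sport, None)

# Constructed sample: a NATed user (pool address 64.64.20.64) opens HTTPS to a
# web server; the reply is what the inbound ACL sees on the outside interface.
OUTBOUND_HTTPS = Packet("tcp", "64.64.20.64", "203.0.113.10", 51234, 443)
HTTPS_REPLY = Packet("tcp", "203.0.113.10", "64.64.20.64", 443, 51234)

def stateless_verdict(pkt):
    return evaluate(INBOUND_ACL, pkt)  # Dan's ACL as posted

def reflexive_verdict(outbound, reply):
    return evaluate(INBOUND_ACL + [reflexive_entry(outbound)], reply)
```

stateless_verdict(HTTPS_REPLY) lands on the sequence-1000 deny, which is why browsing stops the moment the ACL is applied, while reflexive_verdict(OUTBOUND_HTTPS, HTTPS_REPLY) permits the reply without opening port 443 to unsolicited inbound traffic.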
09-10-2013 12:36 PM
Very interesting. I will look into this some more. As far as not being as scalable, are there certain gotchas with these ACLs?
09-10-2013 07:26 PM
Looks like reflexive ACLs are also not an option without a license.
09-10-2013 09:00 AM
Hi,
Either you use CBAC with the inspect commands and an inbound ACL on the WAN interface, or you use ZBF (Zone-Based Firewall), in which case you don't need any ACL inbound on the WAN interface.
Can you tell us which ISR you've got so we can tell you which IOS/licence you need for the firewall feature (CBAC or ZBF)?
Regards
Alain
Don't forget to rate helpful posts.
09-10-2013 12:01 PM
It's not an ISR, it's an ASR, as posted in the first post.