Simple ACL outside interface

dan.letkeman
Level 4

Hello,

Does a router require a Firewall license in order to apply an ACL in the inward direction on an outside interface?  I have a router which I use to NAT our internal network and I want to apply a simple ACL to block unwanted access to the router from the internet.  As soon as this ACL is applied the users cannot browse the internet.  I do have a couple of other ISR routers with a firewall license and I use the inspect commands.  This is an ASR which may be different, but I do not have the firewall license applied to this router.

Any help would be great.

Thanks,

Dan.


11 Replies

Julio Carvajal
VIP Alumni

Hello,

No need for the ACL,

You can provide us the configuration and then we will analyze it for you.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok, so what do you use to secure the router?

There is nothing notable about the config. Inside interface, outside interface and NAT in between.

interface GigabitEthernet0/0/0
 description Outside Interface
 ip address 64.64.20.64 255.255.255.128 secondary
 ip address 37.7.7.8 255.255.255.252
 ip nat outside
 negotiation auto
 cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description Inside Interface
 ip address 10.110.1.1 255.255.255.0
 ip nat inside
 negotiation auto
 cdp enable
 no ip virtual-reassembly
!
ip nat pool pool-159.1 64.64.20.64 64.64.20.64 netmask 255.255.255.128
ip nat inside source list ip-nat-159.1 pool pool-159.1 overload

Hello Dan,

I meant no need for a license in order to use ACLs.

Can you share the configuration you have when the issue happens?

Cheers,

Julio Carvajal

Ah ok, then I believe I must do some troubleshooting with the ACL. I'm sure I am blocking something that is needed. I am basically denying everything except the traffic from our ISP for our BGP peer.

10 permit ip 64.64.0.0 0.0.255.255 any (8866 matches)
30 permit udp any any eq ntp (4916 matches)
40 permit icmp any any echo-reply (9685 matches)
50 permit udp any any eq domain (477 matches)
60 permit tcp any any eq domain (13 matches)
1000 deny ip any any log (49238 matches)

Thanks,

Dan.

Accepted solution:

Hello Dan,

The thing is that with the configuration you are denying HTTP, HTTPS, FTP, etc.

Is that what you are looking for? Because with that you will not allow access to any website.

My recommendation would be to use an inspection engine such as ZBFW that allows you to protect the internal network from outside users while still allowing all traffic from Inside to Outside.

Cheers,

Julio Carvajal
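To make the accepted answer concrete, here is an added example (not from the thread, and not Cisco code) that evaluates a few constructed packets against the posted ACL and against a constructed stateless alternative that uses `established` and source-port matching. The remote addresses, ports and packets are made up for the example; the parser handles only the subset of IOS extended-ACL syntax that appears in this thread.

```python
# Added illustration, not code from the thread: a stateless evaluator for the
# subset of IOS extended-ACL syntax used here. ORIGINAL_ACL repeats the posted
# ACL lines; CORRECTED_ACL, the addresses and the packets are constructed.
from collections import namedtuple
import ipaddress

PORTS = {"domain": 53, "ntp": 123}
# ack = TCP ACK or RST flag set, which is all that IOS "established" checks.
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type",
                    defaults=(0, 0, False, ""))
Rule = namedtuple("Rule", "seq action proto src src_wc dst dst_wc "
                          "sport dport established icmp_type")

def _addr_match(addr, base, wildcard):
    # IOS wildcard mask: a 1 bit means "don't care"
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_rule(line):
    """'[seq] permit|deny proto src [eq p] dst [eq p] [established|type] [log]'"""
    toks = line.split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else 0
    action, proto = toks.pop(0), toks.pop(0)
    def addr():
        t = toks.pop(0)
        return ("0.0.0.0", "255.255.255.255") if t == "any" else (t, toks.pop(0))
    def port():  # an "eq" right after an address applies to that side's port
        if toks and toks[0] == "eq":
            p = toks[1]
            del toks[:2]
            return PORTS[p] if p in PORTS else int(p)
        return None
    src, src_wc, sport = (*addr(), port())
    dst, dst_wc, dport = (*addr(), port())
    rest = [t for t in toks if t != "log"]
    icmp = rest[0] if proto == "icmp" and rest else ""
    return Rule(seq, action, proto, src, src_wc, dst, dst_wc,
                sport, dport, "established" in rest, icmp)

def parse_acl(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]

def rule_matches(r, p):
    return (r.proto in ("ip", p.proto)
            and _addr_match(p.src, r.src, r.src_wc)
            and _addr_match(p.dst, r.dst, r.dst_wc)
            and r.sport in (None, p.sport)
            and r.dport in (None, p.dport)
            and (not r.established or (p.proto == "tcp" and p.ack))
            and (not r.icmp_type or p.icmp_type == r.icmp_type))

def evaluate(acl, p):
    """First matching line wins; anything unmatched hits the implicit deny."""
    for r in acl:
        if rule_matches(r, p):
            return r.action, r.seq
    return "deny", None

# The ACL posted in the thread, match counters dropped.
ORIGINAL_ACL = parse_acl("""
10 permit ip 64.64.0.0 0.0.255.255 any
30 permit udp any any eq ntp
40 permit icmp any any echo-reply
50 permit udp any any eq domain
60 permit tcp any any eq domain
1000 deny ip any any log
""")

# Constructed stateless alternative: line 20 admits TCP segments with ACK/RST
# set, line 25 admits UDP coming *from* source port 53 (the answers).
CORRECTED_ACL = parse_acl("""
10 permit ip 64.64.0.0 0.0.255.255 any
20 permit tcp any any established
25 permit udp any eq domain any
30 permit udp any any eq ntp
40 permit icmp any any echo-reply
1000 deny ip any any log
""")

# Constructed packets arriving inbound on the outside interface; 64.64.20.64 is
# the NAT address from the thread, the remote hosts use documentation ranges.
SAMPLE_PACKETS = {
    "syn_ack_from_web_server": Packet("tcp", "203.0.113.10", "64.64.20.64", 443, 51514, ack=True),
    "dns_reply_from_resolver": Packet("udp", "198.51.100.53", "64.64.20.64", 53, 40001),
    "unsolicited_ssh_syn": Packet("tcp", "203.0.113.99", "64.64.20.64", 40002, 22),
    "ack_scan_probe": Packet("tcp", "203.0.113.99", "64.64.20.64", 40003, 22, ack=True),
}

def compare(packets=None):
    """{name: (verdict under ORIGINAL_ACL, verdict under CORRECTED_ACL)}"""
    packets = SAMPLE_PACKETS if packets is None else packets
    return {n: (evaluate(ORIGINAL_ACL, p), evaluate(CORRECTED_ACL, p))
            for n, p in packets.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:24} original={before}  corrected={after}")
```

Running it shows the posted list sending the web server's SYN-ACK and the resolver's DNS answer to line 1000, which is why browsing stops the moment the ACL goes on: lines 50 and 60 match packets whose destination port is 53, i.e. queries arriving at the router, not the answers coming back, whose source port is 53. The alternative admits both on lines 20 and 25 while still dropping a fresh inbound SYN to port 22. The last packet is the gotcha asked about further down the thread: `established` only tests the ACK/RST flag, so an ACK-scan probe passes line 20 as well, and anything sent from UDP source port 53 passes line 25. That is the trade-off of a stateless ACL without the firewall licence; CBAC, reflexive ACLs and ZBFW keep per-session state instead.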

Yes I agree, unfortunately that would require a license.

Dan.

Hello Dan,

Yeah, you could also try to use reflexive ACLs but that's certainly not as scalable as the ZBFW option.

Cheers,

Julio Carvajal

Very interesting. I will look into this some more. As far as not being as scalable, are there certain gotchas with these ACLs?

Looks like reflexive ACLs are also not an option without a license.

Hi,

Either you use CBAC with the inspect commands and an inbound ACL on the WAN interface, or you can use ZBF (Zone-Based Firewall), and in this case you don't need any ACL inbound on the WAN interface.

Can you tell us which ISR you've got so we can tell you which IOS/licence you need for the firewall feature (CBAC or ZBF)?

Regards

Alain

Don't forget to rate helpful posts.

It's not an ISR, it's an ASR, as posted in the first post.
