Cisco Support Community
New Member

access lists for internet traffic

Can anyone tell me what the standard is for access lists for blocking internet traffic on a router? Do people just have a list permitting anything outbound and port 80 inbound? Is this right, or do people use CBAC instead?

thanks

8 REPLIES
Cisco Employee

Re: access lists for internet traffic

Carl,

There are probably as many options as there are people on this list. CBAC or any other form of FW is highly recommended if we are talking about a corporate network.

ACL is not an alternative to a FW solution but rather a complement.

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
Silver

Re: access lists for internet traffic

Carl,

For small networks, an ACL with the established keyword in combination with NAT overload might be sufficient. But I fully agree with the previous reply that it is not the best solution...

Kind regards,

Leo
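The combination Leo describes above, worked out as an added example (it is not from the original thread or from Cisco documentation). Assumed, constructed details: a 1700 with FastEthernet0 as the LAN side (192.168.1.0/24), Serial0 as the ISP side with the static address 203.0.113.2/30, a web server on 192.168.1.10 that must be reachable on port 80, and the ISP resolver at 203.0.113.53.

```cisco
! Added example: assumed addressing and interface names, not from the thread.
! LAN side: the hosts that will be translated with NAT overload (PAT).
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! ISP side. ACL 110 is checked on every packet arriving from the Internet
! BEFORE it is untranslated, so the ACL sees the public address
! 203.0.113.2, never 192.168.1.x.
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group 110 in
!
! PAT: every inside host matched by list 10 shares Serial0's address outbound.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0 overload
! Static port mapping so the web server is reachable at 203.0.113.2:80.
ip nat inside source static tcp 192.168.1.10 80 203.0.113.2 80
!
! Inbound filter. "established" matches any TCP segment with ACK or RST set,
! i.e. replies to sessions opened from inside. It is NOT stateful: the router
! keeps no session table for this line, it only looks at the flag bits, so a
! crafted packet with ACK set passes the ACL.
access-list 110 permit tcp any any established
! The one service we publish, checked against the public address.
access-list 110 permit tcp any host 203.0.113.2 eq 80
! UDP has no ACK bit, so DNS replies must be permitted explicitly;
! restrict them to the resolver actually in use.
access-list 110 permit udp host 203.0.113.53 eq domain any
! ICMP needed for ping replies, path MTU discovery and traceroute.
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
! Everything else, including unsolicited TCP SYNs, is dropped. The implicit
! deny would do this anyway; the explicit line adds logging.
access-list 110 deny ip any any log
```

What makes this workable for a small site is the NAT table, not the ACL: an inbound packet that passes the `established` line but matches no translation entry is dropped by NAT because there is nothing to translate it to. Packets addressed to the router's own interface address, and to the static port mapping, get no such help and rely on the ACL alone, which is why the replies here call it a complement to a firewall rather than a substitute.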

New Member

Re: access lists for internet traffic

OK, say for example I just have a 1700 in my office for the internet connection. If I am using CBAC, do I really need an ACL in place? Can anyone show me a quick config for their CBAC config?

New Member

Re: access lists for internet traffic

Hi Carl:

As in the previous replies, ACLs are normally used to control routing rather than to implement your company's policies, which are normally enforced by using a firewall or proxy.

You can use an ACL to do this, but you will have to have numerous permit or deny entries for ports, protocols, source addresses, destination addresses, etc. You can define all that rather easily in a firewall.

Hope this helps

Gary

New Member

Re: access lists for internet traffic

Is CBAC a firewall? Can you give me an example config and what each command means?

thanks

Silver

Re: access lists for internet traffic

Carl,

IMHO the answer is no, although not everyone will agree with me. The main difference between regular ACLs and CBAC is that CBAC can inspect up to the application layer, and will statefully inspect the configured protocols, but it is definitely not an impenetrable firewall solution. Check this link for more info on CBAC:

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1826/products_feature_guide09186a0080080f4d.html#xtocid13

In case you want to settle for CBAC, here are two good links that include CBAC with NAT configuration.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

http://www.ciscotaccc.com/kaidara-advisor/iprout/showcase?case=K10490006

This should get you going :-)

Kind regards,

Leo

Please help improve the netpro forum and rate helpful info
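A minimal CBAC configuration, added here as an example for Carl's questions (it is not from the original thread or from the Cisco documents Leo links to), with a comment on what each command does. Constructed assumptions: the same addressing as before (LAN 192.168.1.0/24 on FastEthernet0, ISP on Serial0 with 203.0.113.2/30, web server 192.168.1.10), and an IOS image with the Firewall feature set, since `ip inspect` is not in the base IP image. It also answers the "do I still need an ACL" question: yes. CBAC works by adding temporary entries in front of an inbound ACL for the return traffic of sessions it has seen; with no inbound ACL there is nothing for it to open, and everything is permitted.

```cisco
! Added example: assumed addressing; requires an IOS Firewall feature set image.
!
! 1. Define an inspection rule set called OUTBOUND. Each line names a
!    protocol CBAC will track. "tcp" and "udp" are generic session trackers;
!    "ftp" and "http" add application-layer inspection (for FTP the data
!    channel ports are learned from the control channel, for example).
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND http
!
! Log session open/close to syslog, and age out idle sessions.
ip inspect audit-trail
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ! 2. Inspect sessions leaving towards the Internet. For every session seen,
 !    CBAC adds a temporary entry that lets the matching return traffic
 !    through ACL 111 below, and removes it when the session ends.
 ip inspect OUTBOUND out
 ! 3. The static ACL still applies to everything CBAC did not open.
 ip access-group 111 in
!
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.2 80
!
! Inbound ACL: only the published service plus ICMP error messages.
! No "established" line is needed, and no DNS hole either: CBAC supplies
! the return-traffic entries dynamically, for UDP as well as TCP.
access-list 111 permit tcp any host 203.0.113.2 eq 80
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any time-exceeded
access-list 111 deny ip any any log
```

`show ip inspect config` confirms the rule set and where it is applied, and `show ip inspect sessions` lists the sessions currently being tracked, which is the quickest way to check that return traffic is being admitted by inspection rather than by a hole in ACL 111. On releases whose IOS Firewall supports `ip inspect name OUTBOUND icmp` the three ICMP permits can be replaced by inspection as well; treat that as an assumption to verify against the image on the router.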

Re: access lists for internet traffic

Carl,

I was just reviewing your profile. Do you realize you have 846 posts asking for help without rating a single person's reply?

Are you just not grateful to the people that provide you with answers to your questions, or just too lazy to rate posts?

Patrick

Silver

Re: access lists for internet traffic

Patrick,

I do believe you are jumping to conclusions...

Although you can view the number of posts of any particular user, there is no way (unless you are an administrator, of course, which I don't think you are) that you can view the number of ratings somebody has given to others by just viewing that user's profile, although you can see the number and level of ratings one received on the user's posts. In fact, I don't believe that one can see who rated whom at all in the current setup of the forum.

Had to correct you here, no offense mate ;-)

Leo
