Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
232
Views
0
Helpful
3
Replies

access lists on my internet router

carl_townshend
Spotlight
Spotlight

‎02-21-2006 01:35 AM - edited ‎03-03-2019 01:55 AM

On my internet router I expected to see an access list for permitting established connections back into my router, this wasnt the case, it let certain ports in but at the bottom there was a deny any any statement, why would you want a deny all statement to things entering my router from the web ? i thought it would be permtting anything to the net and back on port 80 ?

Labels:
0 Helpful
3 Replies 3

ekiriakos
Level 1
Level 1

‎02-21-2006 04:13 AM

Hi Carl,

As you say, the established keyword on inbound acls is useful, unless if you want to be explicit about what your users can access outside your network. You may also want to have a deny any any at the bottom with the log keyword if you want the router to log what has been denied. It appears that the acl you are referring to explicitely allows protocols in, regardless whether the connection was initiated from inside your network. This may have security implecations, but it depends on what you are trying to achieve. Without looking at the acl and understanding the requirements it is difficult to say whether there is a problem or not.

Personally I favour reflexive acls which are of stateful nature. In this scenario you configure an inbound and an outbound acl. The outbound allows traffic out which is reflected to the inbound. The inbound acl keeps a state of the connection and allows the return traffic in. Note that for functions like traceroute (responses),traffic initiated by the router and inbound connection to your network from the outside you have to explicitely allowd them in.

I find reflexive acls to need fewer entries and can achieve your objective more efficiently and provide greater security in this kind of scenarios.

HTH

E.

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to ekiriakos

‎02-21-2006 05:23 AM

The access list that was setup was automatically done by my router on the web browser config, ive seen some some saying ip inspect etc etc, what is this ? alsocan you give me an example of these reflexive acls ?

thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents