Cisco Support Community
New Member

Need basic ACL security for 804 IDSL router

I don't need to access my home network from the outside, so for security reasons can I just create an ACL which denies everything, and apply it to the "in" of the outside interface? For example:

! an extended ACL (100-199) is needed to match on protocol, and the action comes before the protocol
access-list 101 deny ip any any
! deny ip already covers tcp, udp and icmp; the next three lines never match
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 deny icmp any any

My external interface (BRI0) has a sub-interface (BRI0.1) - should I apply the ACL to BRI0 or BRI0.1?

Thanks for any help.

3 REPLIES
Cisco Employee

Re: Need basic ACL security for 804 IDSL router

No, you can't apply any configs to a BRI sub-interface. The two BRI channels will inherit the configs from interface BRI0.

Now, speaking of the inbound ACL: it will deny all the traffic from outside to inside, so any reply from the internet (like a TCP SYN/ACK or any IP) will be blocked. In other words, you can't access the internet with this ACL.

You need to know what kind of traffic you need to block and allow. So I would say "allow what you need to allow first and block the rest".

New Member

Re: Need basic ACL security for 804 IDSL router

I wish to only allow traffic which is in response to something that originated from one of my machines, and block everything else. How is that done? I have a range of 32 IP addresses on my network. Do I need to use them as the source in the allow? Is it possible to allow a range, or do I have to explicitly allow each of the 32 addresses?

Thanks for your help.

Cisco Employee

Re: Need basic ACL security for 804 IDSL router

You can allow communication between your subnet (32 IP addresses) and the internet.

Here is the best URL, which will help you build that:

http://www.cisco.com/warp/public/105/ACLsamples.html

One more on configuring:

http://www.cisco.com/warp/public/707/confaccesslists.html

You may be doing NAT on the outside interface, right? You can use something like this for TCP port 23 (telnet) and HTTP port 80 from the internet, along with IP traffic. You need to create your own.

! a reply from an internet server carries the server's port as the source port and has ACK set
access-list 101 permit tcp any eq 23 10.1.1.0 0.0.0.255 established
access-list 101 permit tcp any eq 80 10.1.1.0 0.0.0.255 established

You need to use the "established" keyword with the permit command. The established keyword filters TCP packets based on whether the ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session, and therefore that the packet belongs to an established session.) It will permit the TCP replies from the internet to the router for connections originated from the router.
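To make the two replies above concrete, here is an added example (not code from the thread or from Cisco) that evaluates IOS-style extended access-list lines against a few constructed inbound packets. It shows the first reply's point, that a deny-all ACL on the outside interface also drops the SYN/ACK replies to sessions the inside hosts opened, and the second reply's fix, a `permit ... established` line where the server's port is the source port. The inside block is written as `10.1.1.0 0.0.0.31`, which is how a 32-address range is expressed in one line rather than 32 host entries; the addresses, ports and packets are all assumptions made for the illustration.

```python
"""Added example, not from the original thread: a minimal evaluator for IOS
extended access-list lines, to show what an ACL applied inbound on the outside
interface does to return traffic with and without `established`. The inside
block 10.1.1.0/27 (wildcard 0.0.0.31, i.e. 32 addresses), the outside hosts
and the ports are all constructed for illustration."""
import ipaddress
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; flags is a set of TCP flag names (empty for UDP)
Packet = namedtuple("Packet", "proto src dst sport dport flags")
Rule = namedtuple("Rule", "action proto src sport dst dport established")


def _network(addr, wildcard):
    """IOS wildcard mask to a network: 10.1.1.0 0.0.0.31 -> 10.1.1.0/27."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                 # set bits must form one contiguous low run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _take_address(tokens):
    """Consume `any` or `A.B.C.D wildcard` from the token list (`host` not handled)."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return _network(head, tokens.pop(0))


def _take_port(tokens):
    """Consume an optional `eq N`; None means any port (other operators not handled)."""
    if tokens[:1] == ["eq"]:
        del tokens[0]
        return int(tokens.pop(0))
    return None


def parse_acl(text):
    """Parse `access-list N permit|deny proto src [eq p] dst [eq p] [established]`."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue                # blank line or IOS comment
        _, _number, action, proto, *tokens = tokens
        src, sport = _take_address(tokens), _take_port(tokens)
        dst, dport = _take_address(tokens), _take_port(tokens)
        rules.append(Rule(action, proto, src, sport, dst, dport, "established" in tokens))
    return rules


def _matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src or ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.sport not in (None, pkt.sport) or rule.dport not in (None, pkt.dport):
        return False
    # `established` is a flag test, not connection tracking: any TCP segment with
    # ACK or RST set matches, whichever side actually started the session.
    if rule.established and (pkt.proto != "tcp" or not pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules, pkt):
    """First matching line wins; an IOS ACL ends with an implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


# The poster's first idea: block everything inbound.
DENY_ALL = "access-list 101 deny ip any any"

# The second reply's approach, narrowed to the poster's 32-address block: the
# server's port is the *source* port of a reply, and ACK/RST must be set.
REPLIES_ONLY = """
! replies from internet telnet and web servers to the inside /27
access-list 101 permit tcp any eq 23 10.1.1.0 0.0.0.31 established
access-list 101 permit tcp any eq 80 10.1.1.0 0.0.0.31 established
access-list 101 deny ip any any
"""

INSIDE, OUTSIDE = "10.1.1.10", "198.51.100.5"
SAMPLE_PACKETS = {  # constructed inbound packets as seen on the outside interface
    "web_reply":      Packet("tcp", OUTSIDE, INSIDE, 80, 51000, frozenset({"SYN", "ACK"})),
    "inbound_telnet": Packet("tcp", OUTSIDE, INSIDE, 40000, 23, frozenset({"SYN"})),
    "ack_probe":      Packet("tcp", OUTSIDE, INSIDE, 80, 51001, frozenset({"ACK"})),
    "dns_reply":      Packet("udp", "192.0.2.53", INSIDE, 53, 51234, frozenset()),
}


def decisions(acl_text):
    """Map each sample packet name to the ACL's permit/deny decision."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("deny-all", DENY_ALL), ("replies-only", REPLIES_ONLY)):
        print(label, decisions(acl))
```

Run as a script it prints the decision for each sample packet under both ACLs. The deny-all list drops the web server's SYN/ACK along with everything else, which is why the inside hosts lose internet access. The `established` list lets that reply through while still dropping the outside SYN to port 23. Two results are worth noting as caveats. The `ack_probe` packet, an unsolicited segment with only ACK set, is also permitted, because `established` checks flag bits and keeps no record of which side opened the session. And the DNS answer is dropped, because `established` applies to TCP only; UDP or ICMP replies need their own permit lines or a stateful filtering feature.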
