01-24-2012 06:38 PM - edited 03-04-2019 03:01 PM
I have a small setup and I want to create an ACL to block all internet traffic incoming, but allow all outgoing traffic. What would you recommend for the inbound ACL?
01-24-2012 07:14 PM
As a beginner, all I can say is to use the established keyword, i.e.
"access-list 100 permit tcp any any established"
But a better approach to that is to use a reflexive ACL
01-24-2012 07:15 PM
Hi Joli,
If you tend to block ALL incoming internet traffic, then you would not get the return traffic back from the internet either. What I mean to say is: if you were to attempt accessing a URL from your LAN, it won't work, because your ACL will block the return traffic back from the server you attempted to connect to.
If your intention is to restrict access to certain services you have published on the internet, then you can create specific ACLs to allow only those services. For example: you have a server 192.168.1.100 (example) published on the internet which has only an HTTPS service, then you can go ahead & create an ACL like the one below
ip access-list extended INBOUND_TRAFFIC_INTERNET_IN
permit tcp any host 192.168.1.100 eq https
deny ip any any
NOTE: Don't copy-paste this line. This is just an example; you may need to tune it according to your requirements.
But If you are looking to secure your network, then prefer to have an application intelligent firewall / IPS which actually monitors each packet.
Hope I was clear & it was helpful.
Thanks
Vivek
*Please rate helpful posts
01-24-2012 07:22 PM
To Add,
Probably one more thing to consider would be to block spoofing attacks by denying all the private IP subnets (inbound ACL on the internet-facing interface, in the inbound direction). As an example, see below
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 255.0.0.0 0.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
deny ip host 0.0.0.0 any log-input
deny ip any log-input
deny ip host any log-input
01-24-2012 07:23 PM
I would need access to the internet from my LAN and allow icmp from the WAN. I would like to secure my internet as much as possible with an 871 router.
01-24-2012 07:48 PM
Reflexive ACLs are an option here as well. This can help protect your network to some extent by blocking spoof & DDoS attacks. But it's really not a full-fledged firewall & is also very CPU intensive.
There is a nice write-up on the site below which can help you understand RACLs.
http://www.netcraftsmen.net/resources/archived-articles/432.html
Thanks
Vivek
01-24-2012 09:37 PM
Hi Joli,
Assumptions:
ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80
ACL 101 says to permit traffic originating from any address on the 63.36.9.0 network. The 'any' statement means that the traffic is allowed to have any destination address with the limitation of going to port 80 (which is the web port for HTTP).
ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
access-list 102 permit icmp any 63.36.9.0 0.0.0.255
Since you only want your users to be able to browse the Internet, you must block all incoming traffic except for the established connections in which the websites are replying to a computer on your network. Doing this is impossible unless you use the 'established' command.
Activating an Access Control List
In or Out
int ser0/0
ip access-group 101 out
ip access-group 102 in
Thanks
KodandaRao, - *Please rate helpful posts
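To see what the 'established' approach and the anti-spoofing lines from the posts above actually do, here is a small ACL evaluator in Python. This is an added example, not code from any of the posters or from Cisco: it models IOS wildcard-mask matching, first-match-wins with the implicit deny at the end of the list, and the fact that 'established' is a TCP-only check for the ACK or RST bit. The 63.36.9.0 network is the one used above; the outside addresses and the sample packets are constructed (TEST-NET documentation ranges).

```python
"""Toy evaluator for Cisco-style IOS extended ACL entries (added example, not
from the thread). It supports a subset of the syntax used in the posts:
  permit|deny <proto> <src> <dst> [eq <port>] [established] [log|log-input]
where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST bit set; this is all 'established' looks at


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str) -> dict:
    """Parse one access-list entry into a dict; rejects 'established' on non-TCP entries."""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1], "eq": None, "established": False, "log": False}
    i = 2
    for key in ("src", "dst"):
        if tok[i] == "any":
            ace[key] = ("0.0.0.0", "255.255.255.255")
            i += 1
        elif tok[i] == "host":
            ace[key] = (tok[i + 1], "0.0.0.0")
            i += 2
        else:
            ace[key] = (tok[i], tok[i + 1])
            i += 2
    while i < len(tok):
        if tok[i] == "eq":
            ace["eq"] = {"www": 80, "http": 80, "https": 443}.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            ace["established"] = True
            i += 1
        elif tok[i] in ("log", "log-input"):
            ace["log"] = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    if ace["established"] and ace["proto"] != "tcp":
        raise ValueError("'established' is only valid on tcp entries")
    return ace


def is_valid_ace(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    if ace["eq"] is not None and pkt.dport != ace["eq"]:
        return False
    if ace["established"] and not pkt.ack_or_rst:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """First matching entry wins; no match falls through to the implicit 'deny ip any any'.
    Returns (action, logged)."""
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"], ace["log"]
    return "deny", False


# Inbound ACL on the Internet-facing interface: anti-spoofing lines, then the
# 'established' and icmp permits, in the style of the posts above.
INBOUND = [parse_ace(l) for l in (
    "deny ip 192.168.0.0 0.0.255.255 any log-input",
    "deny ip 172.16.0.0 0.15.255.255 any log-input",
    "deny ip 10.0.0.0 0.255.255.255 any log-input",
    "deny ip host 0.0.0.0 any log-input",
    "permit tcp any 63.36.9.0 0.0.0.255 established",
    "permit icmp any 63.36.9.0 0.0.0.255",
)]

# Constructed sample packets arriving from the Internet (outside addresses are TEST-NET-2).
SAMPLES = {
    "web reply": Packet("tcp", "198.51.100.7", "63.36.9.10", dport=51000, ack_or_rst=True),
    "new inbound SYN": Packet("tcp", "198.51.100.7", "63.36.9.10", dport=22),
    "spoofed private source": Packet("tcp", "10.1.2.3", "63.36.9.10", dport=51000, ack_or_rst=True),
    "dns reply (udp)": Packet("udp", "198.51.100.53", "63.36.9.10", dport=53001),
    "ping": Packet("icmp", "198.51.100.7", "63.36.9.10"),
}


def run() -> dict:
    return {name: evaluate(INBOUND, p) for name, p in SAMPLES.items()}
```

Running `run()` shows the limits of the stateless approach: the HTTP reply (ACK set) and the ping are permitted, the unsolicited SYN to port 22 hits the implicit deny, the packet with a spoofed 10.x source is denied and logged, but the UDP DNS reply is also denied, because 'established' only ever matches TCP. That is the gap the reflexive ACL and 'ip inspect' suggestions later in the thread close.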
01-25-2012 04:31 AM
You are using an 877 router, so this should support a stateful firewall configuration:
Step 1:
Create an access list for the outside interface of your router denying all access inbound from the internet:
access-list 101 deny ip any any
(if you want anything "initiated" inbound from the internet to your site you will need to add them into this ACL)
Step 2
Create your "stateful" inspection rules for each "protocol" you want to be allowed out to the internet:
conf t
(config)# ip inspect name firewall udp
(config)# ip inspect name firewall tcp
(whatever you want to inspect)
Step 3
Add the deny ACL to the internet facing interface (inbound)
conf t
(config)#int s0/0/0
(config-if)#ip access-group 101 in
Add the inspection rules to the inside interface of your router (or Vlan) outbound
conf t
(config)#int vlan 1
(config-if)#ip inspect firewall out
Hey presto.. you have a firewall...
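The stateful design in the last post is easier to reason about with a small model of it. The following is an added example, not Cisco code or the poster's: outbound packets through the inside interface ('ip inspect firewall out') create session entries, the inbound ACL 101 denies everything, and a packet from the Internet is admitted only when it is the reverse of a known session. Addresses and flows are constructed; NAT, timeouts and TCP state tracking are left out.

```python
"""Toy model of CBAC-style 'ip inspect' (added example, not from the thread).
Inspection on the inside interface records outbound sessions; the outside
interface's ACL 101 ('deny ip any any') drops anything that is not a return
packet for one of those sessions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The 5-tuple a reply to this flow will carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Firewall:
    # 'ip inspect name firewall tcp' / 'ip inspect name firewall udp'
    inspected_protos: frozenset = frozenset({"tcp", "udp"})
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def outbound(self, flow: Flow) -> str:
        """Packet leaving via the inside interface (ip inspect firewall out)."""
        if flow.proto in self.inspected_protos:
            self.sessions.add(flow)  # remember the session so its reply can come back
        return "permit"

    def inbound(self, flow: Flow) -> str:
        """Packet arriving on the Internet-facing interface (ip access-group 101 in)."""
        if flow.reverse() in self.sessions:
            return "permit"  # dynamic opening created by inspection
        self.log.append(f"ACL 101 denied {flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
        return "deny"

    def close(self, flow: Flow) -> None:
        """Session ended (FIN/RST or idle timeout): the opening goes away with it."""
        self.sessions.discard(flow)


def scenario() -> tuple:
    """Constructed traffic from a LAN host 192.168.1.10 (outside hosts are TEST-NET-2)."""
    fw = Firewall()
    dns_query = Flow("udp", "192.168.1.10", 53001, "198.51.100.53", 53)
    web = Flow("tcp", "192.168.1.10", 51000, "198.51.100.7", 443)
    fw.outbound(dns_query)
    fw.outbound(web)
    results = {
        "dns reply": fw.inbound(dns_query.reverse()),
        "web reply": fw.inbound(web.reverse()),
        "unsolicited ssh": fw.inbound(Flow("tcp", "198.51.100.7", 4444, "192.168.1.10", 22)),
        "reply to wrong port": fw.inbound(Flow("udp", "198.51.100.53", 53, "192.168.1.10", 53002)),
    }
    fw.close(web)
    results["web reply after close"] = fw.inbound(web.reverse())
    return results, fw.log
```

Unlike the 'established' ACL earlier in the thread, this admits the UDP DNS reply, because admission depends on a session the inside host opened rather than on a TCP flag; anything that does not match a session, including a reply aimed at the wrong port or a packet arriving after the session is closed, falls through to ACL 101 and is logged as denied.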