ACL for internet

Joli Martinez
Level 1

I have a small setup and I want to create an ACL to block all incoming internet traffic, but allow all outgoing traffic. What would you recommend for the inbound ACL?

7 Replies

karloreborn
Level 1

As a beginner, all I can say is to use the established keyword, i.e

"access-list 100 permit ip any any established"

But a better approach than that is to use a reflexive ACL.

Vivek Ganapathi
Level 4

Hi Joli,

If you intend to block ALL incoming internet traffic, then you would not get the return traffic back from the internet either. What I mean to say is: if you were to attempt accessing a URL from your LAN, it won't work, because your ACL will block the return traffic from the server you attempted to connect to.

If your intention is to restrict access to certain services you have published on the internet, then you can create specific ACLs to allow only those services. For example: you have a server 192.168.1.100 (example) published on the internet which has only an HTTPS service; then you can go ahead and create an ACL like the one below.

ip access-list extended INBOUND_TRAFFIC_INTERNET_IN
 permit tcp any host 192.168.1.100 eq https
 deny ip any any

NOTE: Don't copy-paste this line. This is just an example; you may need to tune it according to your requirements.

But if you are looking to secure your network, then prefer to have an application-intelligent firewall / IPS which actually monitors each packet.

Hope I was clear & it was helpful.

Thanks

Vivek

*Please rate helpful posts

To add,

Probably one more thing to consider would be to block spoofing attacks by denying all the private IP subnets (inbound ACL on the internet-facing interface, in the inbound direction). As an example, see below:

deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 255.0.0.0 0.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
deny ip host 0.0.0.0 any log-input
deny ip any log-input
deny ip host any log-input

I would need access to the internet from my LAN and allow ICMP from the WAN. I would like to secure my internet as much as possible with an 871 router.

Reflexive ACLs are an option here as well. This can help protect your network to some extent by blocking spoof & DDoS attacks. But it's really not a full-fledged firewall & is also very CPU intensive.

There is a nice write-up on the site below which can help you understand RACLs.

http://www.netcraftsmen.net/resources/archived-articles/432.html

Thanks

Vivek

Hi Joli,

Assumptions:

  • internal network: 63.36.9.0
  • access-list 101: applied to traffic leaving the office (outgoing)
  • access-list 102: applied to traffic entering the office (incoming)

ACL 101

access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 101 says to permit traffic originating from any address on the 63.36.9.0 network. The 'any' statement means that the traffic is allowed to have any destination address with the limitation of going to port 80 (which is the web port for HTTP).

ACL 102

access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
access-list 102 permit icmp any 63.36.9.0 0.0.0.255 echo-reply

Since you only want your users to be able to browse the Internet, you must block all incoming traffic except for the established connections in which the websites are replying to a computer on your network. Doing this is impossible unless you use the 'established' keyword.

Activating an Access Control List (in or out)

int ser0/0
ip access-group 101 out
ip access-group 102 in

Thanks

KodandaRao - *Please rate helpful posts
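To make concrete what the `established` keyword recommended above actually checks, here is an added Python model of IOS extended-ACL evaluation; it is not IOS code and not from any poster. It parses the wildcard-mask syntax used in this thread (destination ports only), applies first-match-wins with the implicit deny, and assembles an inbound list from Vivek's anti-spoof entries plus KodandaRao's ACL 102; the addresses are the thread's, the test packets are constructed.

```python
import ipaddress

PORTS = {"http": 80, "www": 80, "https": 443, "ssh": 22, "domain": 53}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(tok):
    """Consume 'any', 'host X' or 'X WILDCARD' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return t, tok.pop(0)

def parse_ace(line):
    """Parse one entry (numbered 'access-list N ...' or named-ACL form)."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, dst = _addr(tok), _addr(tok)
    dport, established = None, False
    while tok:                     # trailing options; log-input is ignored
        t = tok.pop(0)
        if t == "eq":
            p = tok.pop(0)
            dport = PORTS.get(p) or int(p)
        elif t == "established":
            established = True
    return action, proto, src, dst, dport, established

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, proto, src, dst, dport, est in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if est and not ({"ACK", "RST"} & pkt["flags"]):   # stateless flag test
            continue
        return action
    return "deny"

# Constructed inbound list: anti-spoof entries first, then ACL 102 from the thread
INBOUND_IN = [parse_ace(l) for l in """
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
access-list 102 deny ip any any
""".strip().splitlines()]

def inbound_verdict(src, dst, dport, flags, proto="tcp"):
    return evaluate(INBOUND_IN, {"proto": proto, "src": src, "dst": dst,
                                 "dport": dport, "flags": set(flags)})
```

The model shows why the other replies steer toward reflexive ACLs or ip inspect: `established` only tests for the ACK or RST bit, so any segment carrying one passes without any connection state behind it, while a fresh SYN or a packet from a private source is dropped.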

normbeef
Level 1

You are using an 877 router so this should support a stateful firewall configuration:

Step 1:

Create an access list for the outside interface of your router denying all access inbound from the internet:

access-list 101 deny ip any any

(if you want anything "initiated" inbound from the internet to your site you will need to add them into this ACL)

Step 2

Create your "stateful" inspection rules for each "protocol" you want to be allowed out to the internet:

conf t
(config)# ip inspect name firewall udp
(config)# ip inspect name firewall tcp
(whatever you want to inspect)

Step 3

Add the deny ACL to the internet-facing interface (inbound):

conf t
(config)# int s0/0/0
(config-if)# ip access-group 101 in

Add the inspection rules to the inside interface of your router (or VLAN), outbound:

conf t
(config)# int vlan 1
(config-if)# ip inspect firewall out

Hey presto.. you have a firewall...
