If you block ALL incoming internet traffic, then you would not get the return traffic back from the internet either. What I mean to say is: if you were to attempt accessing a URL from your LAN, it won't work, because your ACL will block the return traffic from the server you attempted to connect to.
If your intention is to restrict access to certain services you have published on the internet, then you can create specific ACLs to allow only those services. For example: you have a server 192.168.1.100 (example) published on the internet which has only the HTTPS service; then you can go ahead and create an ACL like the one below:
ip access-list extended INBOUND_TRAFFIC_INTERNET_IN
permit tcp any host 192.168.1.100 eq https
deny ip any any
NOTE: Don't copy and paste this line. This is just an example; you may need to tune it according to your requirements.
But if you are looking to secure your network, then prefer to have an application-intelligent firewall / IPS which actually monitors each packet.
access-list 101: Applied to traffic leaving the office (outgoing)
access-list 102: Applied to traffic entering the office (incoming)
access-list 101 permit tcp 188.8.131.52 0.0.0.255 any eq 80
ACL 101 says to permit traffic originating from any address on the 184.108.40.206 network. The 'any' statement means that the traffic is allowed to have any destination address with the limitation of going to port 80 (which is the web port for HTTP).
access-list 102 remark 'established' matches only TCP segments with ACK or RST set; it is not valid for ICMP
access-list 102 permit tcp any 220.127.116.11 0.0.0.255 established
access-list 102 permit icmp any 18.104.22.168 0.0.0.255 echo-reply
Since you only want your users to be able to browse the Internet, you must block all incoming traffic except for the established connections in which the websites are replying to a computer on your network. Doing this is impossible unless you use the 'established' command.
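To make the point of both answers concrete (why a blanket inbound deny breaks return traffic, and what the 'established' keyword actually matches), here is a small simulation of IOS extended-ACL evaluation. It is an added example, not code from this thread or from Cisco: the 192.168.1.0/24 LAN, the 192.168.1.100 HTTPS server, and the packets it classifies are constructed for illustration, and it models only the parts of ACL matching that the thread discusses (first match wins, implicit deny, source/destination/port, and the ACK/RST check behind 'established').

```python
"""Toy model of Cisco IOS extended-ACL evaluation.

Added example, not code from the thread. It models first-match evaluation,
the implicit 'deny ip any any', and the 'established' keyword (which in IOS
matches TCP segments with the ACK or RST bit set). The 192.168.1.0/24 LAN,
the 192.168.1.100 HTTPS server and the packets below are constructed for
illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None = any destination port
    established: bool = False       # the 'established' keyword (TCP only)


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse IOS address syntax: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    addr, wildcard = spec.split()
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in entry.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in entry.dst:
        return False
    if entry.dport is not None and pkt.dport != entry.dport:
        return False
    # 'established' is stateless: it only inspects the ACK/RST bits of the segment.
    if entry.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"


LAN = net("192.168.1.0 0.0.0.255")  # constructed stand-in for the poster's LAN

# Inbound ACL in the spirit of the first answer: only the published HTTPS server, then deny all.
SERVER_ONLY_IN = [
    Entry("permit", "tcp", net("any"), net("host 192.168.1.100"), dport=443),
    Entry("deny", "ip", net("any"), net("any")),
]

# Inbound ACL in the spirit of the second answer: replies to LAN-initiated TCP sessions.
ESTABLISHED_IN = [
    Entry("permit", "tcp", net("any"), LAN, established=True),
]

# Constructed packets arriving from the Internet (documentation address ranges).
REPLY_TO_LAN_CLIENT = Packet("tcp", "203.0.113.10", "192.168.1.50", 51234, frozenset({"SYN", "ACK"}))
UNSOLICITED_SYN = Packet("tcp", "198.51.100.7", "192.168.1.50", 445, frozenset({"SYN"}))
SYN_TO_PUBLISHED_SERVER = Packet("tcp", "198.51.100.7", "192.168.1.100", 443, frozenset({"SYN"}))
FORGED_ACK_PROBE = Packet("tcp", "198.51.100.7", "192.168.1.50", 445, frozenset({"ACK"}))


def demo() -> dict:
    return {
        # A blanket inbound deny also drops the web server's reply to your own browser.
        "reply_vs_server_only": evaluate(SERVER_ONLY_IN, REPLY_TO_LAN_CLIENT),
        "reply_vs_established": evaluate(ESTABLISHED_IN, REPLY_TO_LAN_CLIENT),
        # A fresh inbound SYN carries no ACK, so 'established' does not match it.
        "unsolicited_syn_vs_established": evaluate(ESTABLISHED_IN, UNSOLICITED_SYN),
        "syn_vs_server_only": evaluate(SERVER_ONLY_IN, SYN_TO_PUBLISHED_SERVER),
        # Caveat: no session table, so a bare ACK (e.g. an ACK scan) passes 'established'.
        "forged_ack_vs_established": evaluate(ESTABLISHED_IN, FORGED_ACK_PROBE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

The last case is the practical caveat behind the first answer's recommendation of a real firewall/IPS: 'established' keeps no connection state, so any segment with ACK set is let in, which is enough for ACK scans and for reaching services that respond to unsolicited ACKs. On IOS the stateful alternatives are reflexive ACLs or the Zone-Based Firewall, which track the outbound session before admitting the reply.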