Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started.

New Member

ACL on inside LAN - to allow only reply to outside interface request

dear friends..

i want suggestions on best practice... i am doubting that my internal network has some virus or trozen .. and from my router all traffic is allowed from inside to outside .. and from outside only couple of ports and established connections ..

my requirement is .. i want to take out the possibility of my router sending the garbage out to wan link which is actually blocking my link .. what is the best way to do the same... plz advise.. how you guys do in your environment... can we only allow the reply to my ports which i have allowed on my outside wan port.. so at least i will be sure that no etra traffic is going out. please advise.

  • WAN Routing and Switching
Everyone's tags (5)
4 REPLIES

allow only reply from inside LAN to traffic request from outside

I am not too sure if it is really scalable to keep blocking ports. I would recommend a filter device inline with the router which could be scanning the traffic all the time or some inline cards.  You can also check open source solutions like untangle.

Also lets see what other think..

Thanks,

Nandan.

New Member

ACL on inside LAN - to allow only reply to outside interface req

hey nandan now sure if u understood my requirement .. i know this is possible with router.. not getting idea how .. any idea from team ..../

plz advise

ACL on inside LAN - to allow only reply to outside interface req

Hi,

The thing is that the trojan is initiating the traffic from inside , so there is no real use to filter the traffic from the outside to inside. A good think will be to restrict the users to some well known destination ports to the internet : tcp 80 , tcp 443 , tcp 21/20. A better way to offer internet access to the users is Proxy -  you can inspect and restrict the user access.

Dan

New Member

ACL on inside LAN - to allow only reply to outside interface req

hi DAN .. as such i dont have much frm inside to send to outside ... the way my setup is .. i have two rewuirements..

1. exchage .. so ppl connect from outside ... so on, outside port i allowed 443/25 and dns

2. ppl RDP to public ip which are on inside LAN ..

now my requiremnt is no to allow any thing from inside interface to send to outside WAN .. so doing this .. will atleast give me some confidence that the traffic which is gooing out is correct .. any suggestions

461
Views
0
Helpful
4
Replies