Cisco Support Community
Router ACL Security Question???

Hello All,

I have a 2851 ISR Router and this router needs to act as a firewall. I do not have a firewall between my inside network and the internet. Can anyone tell me how to go about denying traffic from the outside to my inside network using a simple ACL while allowing all other traffic defined in my other ACLs?

4 REPLIES

Re: Router ACL Security Question???

Hi,

You can create an ACL where you first define all the traffic that is permitted. Then everything that is not specified in the ACL is going to be denied by default.

Depending on the IOS, you can configure ZBF, which essentially turns the router into an IOS Firewall device.

Federico.


Re: Router ACL Security Question???

So are you saying I need to avoid using the permit ip any any statement? This way the implicit deny will block everything else.

Re: Router ACL Security Question??? (accepted solution)

If you want to just permit a few things and deny everything else, you should avoid the permit ip any any.

The implicit deny will take care of everything not specified in the ACL as permit.

You need to be careful, because only traffic specified in the ACL will be able to pass through the router.

The IOS Firewall feature is nice because the router will allow traffic to pass through and allow the replies back even though they are not explicitly permitted in the ACL. So, the router keeps a stateful table for the connections (turning it into a sort of firewall).

Federico.
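Worked configuration for the two approaches Federico describes in his replies above: first a plain extended ACL that lists only what is permitted and lets the implicit deny drop the rest, then the ZBF (IOS Firewall) alternative that tracks sessions statefully so return traffic does not need its own permit lines. This is an added example, not part of the original thread or Federico's posts. The interface names (GigabitEthernet0/0 outside, GigabitEthernet0/1 inside), the 192.168.1.0/24 inside network, the published web server 192.168.1.10 and the ACL/zone names are all assumptions; substitute your own.

```cisco
! ===== Approach 1: plain ACL on the outside interface (stateless) =====
! Only what is explicitly permitted passes. The implicit "deny ip any any"
! at the end of the list drops everything else, so there is NO
! "permit ip any any" anywhere in this list.
! Assumption: no NAT on this router. With NAT, an inbound ACL on the outside
! interface is evaluated before translation, so match the public (global)
! addresses instead of the private ones shown here.
ip access-list extended OUTSIDE-IN
 remark -- anti-spoofing: packets from the internet must not claim an inside source
 deny   ip 192.168.1.0 0.0.0.255 any
 remark -- published service: inbound HTTPS to the web server (assumed host)
 permit tcp any host 192.168.1.10 eq 443
 remark -- replies to TCP sessions the inside opened; "established" only checks
 remark -- the ACK/RST flags and keeps no state, which is the weakness ZBF fixes
 permit tcp any 192.168.1.0 0.0.0.255 established
 remark -- DNS replies: a stateless hole, anything sourced from UDP/53 gets in
 permit udp any eq 53 192.168.1.0 0.0.0.255
 remark -- ICMP needed for path MTU discovery and diagnostics
 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
 permit icmp any 192.168.1.0 0.0.0.255 unreachable
 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
 remark -- implicit "deny ip any any" follows here
!
interface GigabitEthernet0/0
 description Outside / Internet (assumed interface)
 ip access-group OUTSIDE-IN in

! ===== Approach 2: Zone-Based Firewall (stateful, replaces Approach 1) =====
! Remove "ip access-group OUTSIDE-IN in" from Gi0/0 before using this part;
! ZBF itself enforces "deny everything not permitted" via class-default.
ip access-list extended PUBLISHED-HTTPS
 permit tcp any host 192.168.1.10 eq 443
!
! Everything the inside originates is inspected; replies are allowed back
! automatically from the session table.
class-map type inspect match-any INSIDE-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! From the outside, only the published service is allowed in.
class-map type inspect match-all OUT-TO-WEB
 match access-group name PUBLISHED-HTTPS
!
policy-map type inspect INSIDE-OUT-POLICY
 class type inspect INSIDE-TO-OUT
  inspect
 class class-default
  drop
!
policy-map type inspect OUT-IN-POLICY
 class type inspect OUT-TO-WEB
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUT-POLICY
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-IN-POLICY
!
interface GigabitEthernet0/1
 description Inside LAN (assumed interface)
 zone-member security INSIDE
interface GigabitEthernet0/0
 description Outside / Internet (assumed interface)
 zone-member security OUTSIDE
```

To confirm the ACL is doing what you expect, watch the per-line hit counters with `show access-lists OUTSIDE-IN`; anything that should be allowed but is not will show up as silence on the permit lines rather than as a logged deny, unless you add a final explicit `deny ip any any log`. For ZBF, `show policy-map type inspect zone-pair sessions` lists the sessions the router is tracking. Two caveats with the ZBF part: once an interface is placed in a zone, traffic between zones with no zone-pair policy is dropped, and traffic to the router itself (the self zone, e.g. SSH to a router address) is still permitted by default until you write a policy for it.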


Re: Router ACL Security Question???

Thanks.
