[c-nsp] cisco ACL filter outbound only

Mike mike+lists at yourtownonline.com
Tue Sep 15 10:40:49 EDT 2020


On 9/15/20 3:12 AM, Nick Hilliard wrote:
> Mike wrote on 15/09/2020 02:17:
>>      I have some gear that needs a public ip, but does not have the best
>> security profile, and I want to put up an ACL that only permits this
>> gear to make outbound connections while dropping all inbound. My router
>> is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
>> copy/paste acl for this type of job?
>
> you're mixing up a packet filtering ACL with a firewall ACL.
>
> A packet filter with this sort of ACL will block all inbound traffic,
> i.e. the performance will be terrific but everything will break
> because return traffic will be blocked (e.g. tcp syns/acks, etc).
>
> A firewall rule will enable dynamic outbound state management, which
> seems to be what you want, but the ASR920 doesn't support it.
>
> You need a firewall for this, not a router.
>
> Nick


I ask because online Cisco docs as well as the command line indicate
support for matching 'established' connections, as well as combinations
of flags:

rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit
  <cr>


It just seems to me that it is indeed possible using the above to put it
together. Is this all just non-working on this platform?


Mike-
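The shape of the ACL the thread is discussing, as an added example that is not part of the original post or any Cisco documentation. It assumes the exposed host is 203.0.113.10 and the upstream link is GigabitEthernet0/0/0; both are placeholders. The `established` keyword is a stateless test for the ACK or RST bit on a TCP segment, so it passes the replies to connections the host opened and drops a bare inbound SYN, but it keeps no session table, which is the distinction Nick draws between a packet filter and a firewall.

```cisco
! Added example, not from the thread. Assumptions: exposed host is
! 203.0.113.10, upstream interface is GigabitEthernet0/0/0; adjust both.
ip access-list extended FROM-INTERNET
 remark --- TCP: 'established' matches segments with ACK or RST set. It is a
 remark --- bit test, not a session lookup: replies to connections the host
 remark --- opened pass, a bare SYN from outside does not.
 permit tcp any host 203.0.113.10 established
 deny   tcp any host 203.0.113.10
 remark --- UDP has no flag to test. Each reply path is a static hole that
 remark --- is open whether or not the host actually sent a query.
 permit udp any eq domain host 203.0.113.10 gt 1023
 permit udp any eq ntp host 203.0.113.10 eq ntp
 remark --- ICMP the host needs for PMTUD and path diagnostics.
 permit icmp any host 203.0.113.10 unreachable
 permit icmp any host 203.0.113.10 time-exceeded
 permit icmp any host 203.0.113.10 echo-reply
 remark --- Everything else addressed to the host is dropped.
 deny   ip any host 203.0.113.10
 remark --- Traffic to other destinations through this router is unaffected.
 permit ip any any
!
interface GigabitEthernet0/0/0
 description upstream
 ip access-group FROM-INTERNET in
```

To check it on the box, open an outbound connection from the host and attempt an inbound one from outside, then read the per-line hit counters with `show ip access-lists FROM-INTERNET`: the `established` entry should count the replies and the `deny tcp` entry the inbound attempts. The CLI listing in the post shows the parser accepts the keyword; whether a given IOS-XE release programs a particular flag match into the ASR920 forwarding hardware is something to confirm with those counters rather than assume. Adding `log` to an entry is handy while testing, but logged matches are punted to the CPU, so remove it once the rules are verified. Two limits follow from the statelessness: any outside party can send ACK-flagged segments that the filter passes (an ACK scan reaches the host, which answers with RST), and the UDP reply entries admit packets from port 53 or 123 to any matching high port at any time. The ACL cuts the host's exposure to unsolicited TCP connections; it does not give you the per-session tracking a firewall would.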


