[c-nsp] cisco ACL filter outbound only

Nick Griffin nick.jon.griffin at gmail.com
Tue Sep 15 11:01:11 EDT 2020


It would probably help if you elaborated on what type of connections will be established through/from the device in question. 

Sent from my iPhone

> On Sep 15, 2020, at 9:45 AM, Mike <mike+lists at yourtownonline.com> wrote:
> 
> On 9/15/20 3:12 AM, Nick Hilliard wrote:
>> Mike wrote on 15/09/2020 02:17:
>>>      I have some gear that needs a public ip, but does not have the best
>>> security profile, and I want to put up an ACL that only permits this
>>> gear to make outbound connections while dropping all inbound. My router
>>> is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
>>> copy/paste acl for this type of job?
>> 
>> you're mixing up a packet filtering ACL with a firewall ACL.
>> 
>> A packet filter with this sort of ACL will block all inbound traffic,
>> i.e. the performance will be terrific but everything will break
>> because return traffic will be blocked (e.g. tcp syns/acks, etc).
>> 
>> A firewall rule will enable dynamic outbound state management, which
>> seems to be what you want, but the ASR920 doesn't support it.
>> 
>> You need a firewall for this, not a router.
>> 
>> Nick
> 
> 
> I ask because online cisco docs as well as the command line indicate
> support for matching 'established' connections, as well as combinations
> of flags:
> 
> rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
>   ack          Match on the ACK bit
>   dscp         Match packets with given dscp value
>   eq           Match only packets on a given port number
>   established  Match established connections
>   fin          Match on the FIN bit
>   fragments    Check non-initial fragments
>   gt           Match only packets with a greater port number
>   log          Log matches against this entry
>   log-input    Log matches against this entry, including input interface
>   lt           Match only packets with a lower port number
>   match-all    Match if all specified flags are present
>   match-any    Match if any specified flag is present
>   neq          Match only packets not on a given port number
>   option       Match packets with given IP Options value
>   precedence   Match packets with given precedence value
>   psh          Match on the PSH bit
>   range        Match only packets in the range of port numbers
>   rst          Match on the RST bit
>   syn          Match on the SYN bit
>   time-range   Specify a time-range
>   tos          Match packets with given TOS value
>   ttl          Match packets with given TTL value
>   urg          Match on the URG bit
>   <cr>
> 
> 
> It just seems to me that it is indeed possible using the above to put it
> together. Is this all just non-working on this platform?
> 
> 
> Mike-
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
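The kind of stateless filter the thread is debating, written out as an added example (not posted by anyone in the thread and not verified on an ASR920). It assumes a constructed host address 192.0.2.10 for the gear and an assumed upstream interface name GigabitEthernet0/0/0; the ACL is applied inbound on the interface facing the internet, and the list name PROTECT-GEAR-IN is invented here:

```cisco
! Added example, not from the thread. 192.0.2.10 and the interface name are
! placeholders; adjust to the real gear address and upstream interface.
ip access-list extended PROTECT-GEAR-IN
 remark TCP replies to sessions the gear opened: any segment with ACK or RST set
 permit tcp any host 192.0.2.10 established
 remark UDP has no "established"; each reply stream needs its own line (DNS here)
 permit udp any eq 53 host 192.0.2.10 gt 1023
 remark ICMP the gear needs for ping and path MTU discovery
 permit icmp any host 192.0.2.10 echo-reply
 permit icmp any host 192.0.2.10 unreachable
 permit icmp any host 192.0.2.10 time-exceeded
 remark Anything else aimed at the gear is dropped and counted
 deny ip any host 192.0.2.10 log
 remark Traffic to everything else on the interface is untouched
 permit ip any any
!
interface GigabitEthernet0/0/0
 ip access-group PROTECT-GEAR-IN in
```

The caveat that reconciles the two positions in the thread: `established` does not consult any connection table, it simply matches TCP segments whose ACK or RST bit is set, so the router has no idea whether a matching packet really belongs to a session the gear started. That is why it is a packet filter rather than a firewall. It does keep unsolicited SYNs off the gear, but any UDP- or ICMP-based service the gear relies on needs an explicit permit line of its own, and `show ip access-lists PROTECT-GEAR-IN` is the quickest way to confirm on the box that the `established` entry is actually accruing matches rather than being silently ignored.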

