[c-nsp] cisco ACL filter outbound only

Brian Turnbow b.turnbow at twt.it
Tue Sep 15 11:08:03 EDT 2020


> 
> It just seems to me that it is indeed possible using the above to put it
> together. Is this all just non-working on this platform?
> 

The difference is in connection state.
An ACL does not track it, so you can do
permit tcp any any established
inbound or outbound on a port, but that will only check that the IP packet has ACK or RST set for the TCP session.
I can still send you an inbound TCP packet with ACK or RST set even if it did not originate from "inside", and it will pass your filter.
It will also not help in any way for UDP etc.
The ACL does not know that a first packet was sent out, so it cannot await a response.
This is why you need a firewall, be it on the router or external.

Brian 
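The distinction Brian describes, as an added example that is not part of the original post or of any Cisco code: a Python model of the two checks run over constructed packets. `established_acl()` mimics what `permit tcp any any established` does (look at the ACK/RST bits of each packet in isolation), and `StatefulFilter` is a minimal flow tracker that admits an inbound packet only if it reverses a flow first seen leaving the inside. The hosts, ports and packet sequence are constructed for the demo; the tracker deliberately omits timeouts and the TCP state machine a real firewall keeps.

```python
"""Added example: why `permit tcp any any established` is not a stateful firewall.

Two filters are run over the same constructed inbound packets:
  * established_acl(): the ACL-style check, which inspects only the ACK/RST
    bits of the packet in front of it and has no memory of earlier packets.
  * StatefulFilter: a minimal connection tracker that remembers outbound
    flows and permits inbound packets only if they are replies to one.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"}, {"ACK"}


def established_acl(pkt: Packet) -> bool:
    """Inbound `permit tcp any any established`: permit any TCP packet with
    ACK or RST set. Nothing else is consulted, and UDP can never match."""
    if pkt.proto != "tcp":
        return False
    return bool(pkt.flags & {"ACK", "RST"})


@dataclass
class StatefulFilter:
    """Remembers flows created by outbound packets and admits only their replies."""
    flows: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> bool:
        # An inside host initiates: record the 5-tuple so the reply is expected.
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # Permit only if this packet is the reverse of a flow seen going out.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_scenario() -> dict:
    """Push constructed packets through both filters and return the verdicts."""
    fw = StatefulFilter()

    # 1. Inside client opens a TCP connection to an outside web server (constructed addresses).
    syn = Packet("tcp", "10.0.0.5", 40001, "203.0.113.10", 443, frozenset({"SYN"}))
    fw.outbound(syn)
    synack = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))

    # 2. An unrelated outside host sends an ACK-flagged probe (an ACK scan).
    ack_probe = Packet("tcp", "198.51.100.77", 31337, "10.0.0.5", 22, frozenset({"ACK"}))

    # 3. Inside resolver sends a DNS query; the outside server answers.
    dns_q = Packet("udp", "10.0.0.5", 50000, "203.0.113.53", 53)
    fw.outbound(dns_q)
    dns_a = Packet("udp", "203.0.113.53", 53, "10.0.0.5", 50000)

    # 4. Unsolicited UDP from outside.
    udp_unsolicited = Packet("udp", "198.51.100.77", 53, "10.0.0.5", 161)

    inbound = {
        "synack": synack,
        "ack_probe": ack_probe,
        "dns_a": dns_a,
        "udp_unsolicited": udp_unsolicited,
    }
    return {
        name: {"established_acl": established_acl(p), "stateful": fw.inbound(p)}
        for name, p in inbound.items()
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16s} established_acl={verdict['established_acl']!s:5s} "
              f"stateful={verdict['stateful']}")
```

The ACK probe is the packet Brian warns about: it never belonged to a session, yet `established_acl()` permits it because the ACK bit is set, while the tracker rejects it. The DNS reply shows the UDP side of the argument: the `established` ACL cannot admit it at all, so an ACL-only design ends up either dropping replies or opening UDP unconditionally, whereas the tracker admits the reply and still drops the unsolicited datagram.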