[c-nsp] cisco ACL filter outbound only

Emille Blanc emille at abccommunications.com
Tue Sep 15 12:20:10 EDT 2020


>     Again, the cli seems to indicate support for all the things
> necessary, which includes the idea of 'established', which is why I ask
> if THIS platform does in fact do what the cli suggests:

No, the ASR920 (unless it's hiding in a recent IOS release) does not do any kind of state tracking.  You'll be better served looking at the ISR or firewall families for that.

What you're seeing in the CLI is pretty commonplace these days - to be fair, not just with Cisco - where an unsupported feature is 'left in' the command line.

If in doubt, try it. Worst case it won't work, and then you can bounce the config off TAC to get one of their "unsupported configuration" canned responses. :]
________________________________________
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Mike <mike+lists at yourtownonline.com>
Sent: Tuesday, September 15, 2020 8:52 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] cisco ACL filter outbound only

On 9/15/20 8:08 AM, Brian Turnbow wrote:
>> It just seems to me that it is indeed possible using the above to put it
>> together. Is this all just non-working on this platform?
>>
> The difference is in connection state.
> An ACL does not track it, so you can do
> permit tcp any any established
> inbound or outbound on a port, but that will only check that the IP packet has ACK or RST set for the TCP session.
> I can still send you an inbound TCP packet with ACK or RST set even if it did not originate from "inside" and pass your filter.
> It will also not help in any way for UDP etc.
> The ACL does not know that a first packet was sent out so it should await a response.
> This is why you need a firewall, be it on the router or external.
>
Hi,

    Again, the cli seems to indicate support for all the things
necessary, which includes the idea of 'established', which is why I ask
if THIS platform does in fact do what the cli suggests:

rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit
  <cr>

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
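The point made in the thread (that `established` only tests the ACK/RST bits of each packet in isolation, while a firewall remembers which flows were opened from inside) is easy to see by modelling both side by side. The following is an added example, not code from the thread or from any Cisco product: it models the documented `permit tcp any any established` match as "ACK or RST set" and a deliberately simplified connection-tracking filter that only remembers 5-tuples of flows first seen leaving the inside network (a real firewall also checks sequence numbers and ages entries). All addresses come from the RFC 5737 documentation ranges and are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet

# Constructed addresses (RFC 5737 documentation ranges); none are real hosts.
INSIDE_NET = "192.0.2.0/24"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flag names, empty for UDP


def acl_established_permits(pkt: Packet) -> bool:
    """Model of an inbound ACL consisting of
         permit tcp any any established
       followed by the implicit deny.  Per Cisco's documented semantics,
       'established' matches a TCP segment whose ACK or RST bit is set and
       looks at nothing else; there is no memory of earlier packets."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Simplified connection-tracking filter (assumption: a real firewall also
    validates sequence numbers and ages entries; this model only remembers the
    5-tuple of flows that were first seen leaving the inside network)."""

    def __init__(self, inside_net: str) -> None:
        self.inside = ip_network(inside_net)
        self.flows: set = set()

    def outbound(self, pkt: Packet) -> bool:
        # Anything leaving is allowed; flows initiated from inside are recorded.
        if ip_address(pkt.src) in self.inside:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # Inbound traffic is allowed only if it is the reverse of a recorded flow.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare_filters() -> dict:
    """Run three constructed inbound packets through both models and return
    {name: (acl_established_result, stateful_result)}."""
    fw = StatefulFilter(INSIDE_NET)

    # 1. An inside host opens HTTPS to an outside server; the SYN/ACK comes back.
    fw.outbound(Packet("tcp", "192.0.2.10", 40000, "203.0.113.5", 443, frozenset({"SYN"})))
    syn_ack = Packet("tcp", "203.0.113.5", 443, "192.0.2.10", 40000, frozenset({"SYN", "ACK"}))

    # 2. An outside host sends an unsolicited segment to port 22 with ACK set
    #    (an ACK scan); nothing inside ever talked to it.
    forged_ack = Packet("tcp", "198.51.100.7", 31337, "192.0.2.10", 22, frozenset({"ACK"}))

    # 3. An inside host sends a DNS query; the reply is UDP, so 'established'
    #    cannot match it at all.
    fw.outbound(Packet("udp", "192.0.2.10", 53000, "203.0.113.53", 53))
    dns_reply = Packet("udp", "203.0.113.53", 53, "192.0.2.10", 53000)

    return {
        "legit_syn_ack": (acl_established_permits(syn_ack), fw.inbound(syn_ack)),
        "forged_ack":    (acl_established_permits(forged_ack), fw.inbound(forged_ack)),
        "dns_reply":     (acl_established_permits(dns_reply), fw.inbound(dns_reply)),
    }


if __name__ == "__main__":
    for name, (acl, stateful) in compare_filters().items():
        print(f"{name:14s} established-ACL={'permit' if acl else 'deny':6s} "
              f"stateful={'permit' if stateful else 'deny'}")
```

Running it shows the three cases from the thread: the genuine SYN/ACK is permitted by both, the forged inbound ACK passes the `established` ACL but not the stateful filter, and the UDP DNS reply is dropped by the ACL (no TCP flags to match) while the stateful filter lets it back in because it saw the query leave.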