Cisco IOS ACL Configuration

Could someone please give me some hints and tips about applying ACLs on a router to allow packets outward from a subnet within a vlan, but to block all incoming packets to that subnet? Thanks.


To confirm: you do not want that subnet to be able to use TCP, or do DNS resolution, or NTP -- you just want it to be able to send traffic without ever getting any response to the traffic ?

Walter Roberson

The subnet in question needs to talk to other subnets on the network outbound only. Incoming IP packets need to be blocked. For example, there are three subnets -, and on a LAN. would need to have full IP access to the other two subnets on outbound only, but must not allow any incoming IP traffic from any other subnets on the LAN. Hope that makes it clearer. Thanks in advance.


So then you do want to be send-only, not able to receive any traffic, just as if the receive wire had been snipped?

If that is not what you want, then recall that in order for to receive a reply to something that had sent out, that the reply packet would be "inbound" towards

Then consider that except for TCP (and some protocols not often implemented), response packets are officially considered "new" flows rather than "replies". For example, if you send a NETBIOS query (UDP 137) to somewhere, then you might get a number of packets in return and those packets might show up anywhere from milliseconds to centidays later -- and at the header level, those packets will be indistinguishable from the remote system spontaneously deciding to send packets to that port.

If snipping the electronic wire is not what you wanted, then what you want is not a static ACL on a router: you want a 'stateful' firewall.

If your router happens to include the Firewall Feature Set, then you can use that. If it doesn't, and if you can put up with higher risk, then you might be able to use "reflexive" ACLs on your router.

A stateful firewall will track state such as TCP sequence numbers where reflexive ACLs only work based upon IPs and ports. A Cisco PIX, for example, will randomize the sequence numbers to prevent ISN (Initial Sequence Number) Prediction (a technique used to hijack TCP connections.)

Walter Roberson
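To make the three options in the thread concrete, here is an added IOS configuration example; it is not from the original posts. The subnet and interface names (10.1.10.0/24 on Vlan10, ACL names FROM-SUBNET, TO-SUBNET and the reflexive list name RETURN-TRAFFIC, the CBAC inspection name FW) are assumptions, since the original poster's addresses were lost from the page. Directions are from the router's point of view: packets leaving the subnet arrive on Vlan10 "in", packets toward the subnet leave Vlan10 "out".

```cisco
! --- Option 1: static ACL = "snip the receive wire" ---------------------
! Nothing ever reaches the subnet, including replies to its own queries.
ip access-list extended TO-SUBNET-STATIC
 deny   ip any 10.1.10.0 0.0.0.255 log
 permit ip any any
!
! --- Option 2: reflexive ACLs (no Firewall Feature Set needed) ----------
! Outbound traffic from the subnet creates a temporary mirror entry
! (swapped addresses and ports) in RETURN-TRAFFIC; only packets that match
! such an entry are let back in. Matching is on IP/port only, not TCP
! sequence numbers, which is the higher risk the reply above mentions.
ip reflexive-list timeout 120
!
ip access-list extended FROM-SUBNET
 permit tcp 10.1.10.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 300
 permit udp 10.1.10.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 60
 deny   ip any any log
!
ip access-list extended TO-SUBNET
 evaluate RETURN-TRAFFIC
 deny   ip any 10.1.10.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group FROM-SUBNET in
 ip access-group TO-SUBNET out
!
! --- Option 3: Firewall Feature Set (CBAC) ------------------------------
! Replaces the reflect/evaluate pair: CBAC inspects sessions leaving the
! subnet and punches return holes through TO-SUBNET-STATIC on the way back.
! ip inspect name FW tcp
! ip inspect name FW udp
! interface Vlan10
!  ip inspect FW in
!  ip access-group TO-SUBNET-STATIC out
```

With Option 2, `show access-lists RETURN-TRAFFIC` displays the temporary entries while a session is open, which is the quickest way to confirm that a host's replies are being admitted and that nothing else is. Keep the UDP timeout short: every unanswered DNS or NetBIOS query leaves an entry that accepts any packet to that source port from that peer until it expires, which is exactly the "new flow indistinguishable from a reply" problem described above. Reflexive ACLs also do not follow protocols that open secondary channels (active-mode FTP, for example), so those fail unless the Firewall Feature Set handles them.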