Cisco IOS ACL Configuration

Could someone please give me some hints and tips about applying ACLs on a router to allow packets outward from a subnet within a VLAN, but to block all incoming packets to that subnet? Thanks.

Stokes

To confirm: you do not want that subnet to be able to use TCP, or do DNS resolution, or NTP -- you just want it to be able to send traffic without ever getting any response to the traffic?

Walter Roberson

The subnet in question needs to talk to other subnets on the network outbound only. Incoming IP packets need to be blocked. For example, there are three subnets - 1.1.2.0/24, 1.2.3.0/24 and 1.3.4.0/24 on a LAN. 1.1.2.0/24 would need to have full IP access to the other two subnets on outbound only, but 1.1.2.0/24 must not allow any incoming IP traffic from any other subnets on the LAN. Hope that makes it clearer. Thanks in advance.

Stokes

So then you do want 1.1.2.0/24 to be send-only, not able to receive any traffic, just as if the receive wire had been snipped?

If that is not what you want, then recall that in order for 1.1.2.0/24 to receive a reply to something that 1.1.2.0/24 had sent out, the reply packet would be "inbound" towards 1.1.2.0/24.

Then consider that except for TCP (and some protocols not often implemented), response packets are officially considered "new" flows rather than "replies". For example, if you send a NETBIOS query (UDP 137) to somewhere, then you might get a number of packets in return and those packets might show up anywhere from milliseconds to centidays later -- and at the header level, those packets will be indistinguishable from the remote system spontaneously deciding to send packets to that port.

If snipping the electronic wire is not what you wanted, then what you want is not a static ACL on a router: you want a 'stateful' firewall.

If your router happens to include the Firewall Feature Set, then you can use that. If it doesn't, and if you can put up with higher risk, then you might be able to use "reflexive" ACLs on your router.

A stateful firewall will track state such as TCP sequence numbers, where reflexive ACLs only work based upon IPs and ports. A Cisco PIX, for example, will randomize the sequence numbers to prevent ISN (Initial Sequence Number) Prediction (a technique used to hijack TCP connections).

Walter Roberson
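As an added illustration (not configuration posted in the thread), here are the two options Walter describes, written for the three subnets Stokes gave: the literal send-only static ACL, and a reflexive ACL that admits only return traffic for flows 1.1.2.0/24 started. The interface name Vlan2, the ACL names and the 120-second timeout are assumptions.

```cisco
! --- Option 1: exactly what was asked for (static ACL = "snipped receive wire") ---
! Nothing at all reaches 1.1.2.0/24, including replies to its own traffic,
! so DNS, NTP and every TCP connection from that subnet will fail.
ip access-list extended SENDONLY-TO-SUBNET
 deny   ip any 1.1.2.0 0.0.0.255
 permit ip any any
!
! --- Option 2: reflexive ACL (for a router without the Firewall Feature Set) ---
! A packet leaving 1.1.2.0/24 creates a temporary entry in REFLECTED keyed on
! source/destination address and port.  The return direction lets in only
! packets matching such an entry.  TCP entries go away on FIN/RST; UDP and ICMP
! entries live until the idle timeout below expires.
ip reflexive-list timeout 120
!
ip access-list extended FROM-SUBNET
 permit ip 1.1.2.0 0.0.0.255 1.2.3.0 0.0.0.255 reflect REFLECTED
 permit ip 1.1.2.0 0.0.0.255 1.3.4.0 0.0.0.255 reflect REFLECTED
 deny   ip any any log
!
ip access-list extended TO-SUBNET
 evaluate REFLECTED
 deny   ip any 1.1.2.0 0.0.0.255 log
!
! Vlan2 is the router's SVI on the 1.1.2.0/24 VLAN (name assumed).
! Packets from the subnet enter this interface ("in"); replies leave it ("out").
interface Vlan2
 ip address 1.1.2.1 255.255.255.0
 ip access-group FROM-SUBNET in
 ip access-group TO-SUBNET out
!
! Check: after a host in 1.1.2.0/24 talks to 1.2.3.0/24, the dynamic entries
! show up here and disappear once they time out or the TCP session closes.
! show ip access-lists REFLECTED
```

The residual risk Walter mentions is visible in the REFLECTED entries: they hold only addresses and ports, so any packet from the same peer to the same port inside the timeout window is accepted as a "reply", whether or not it is one.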
