Cisco IOS ACL Configuration

Could someone please give me some hints and tips about applying ACLs on a router to allow packets outward from a subnet within a vlan, but to block all incoming packets to that subnet? Thanks.

Reply to
Stokes

This thread is already proceeding in comp.dcom.sys.cisco.

It is also not really appropriate in comp.security.firewalls, as you specified that you are using a Cisco IOS *router*, not a firewall.

Reply to
Walter Roberson

Packet filtering is a pretty common technique in firewalling.

Wolfgang

Reply to
Wolfgang Kueter

*Stateful* packet filtering is common in firewalling, but Cisco IOS ACLs are *state-less* packet filtering. That's not firewalling.
Reply to
Walter Roberson

Walter Roberson wrote:

Wrong. Firewalling consists of several techniques operating on different network layers using packet filters, application or circuit level proxies, and content scanners. Packet filters may well be stateless or stateful. While I agree that routers are not the best devices for that purpose, they can (and do) act as filtering devices and act as an additional line of defense. Of course there has been an evolution in packet filters and today a lot of them will be stateful, but stateless filters are still in use.

Wolfgang

Reply to
Wolfgang Kueter

Some of the Cisco routers are firewalls...at least if you load the proper IOS image.

Reply to
gray.wizard

There is no IOS image that will make a Cisco router a firewall: there are only IOS images that add firewall features.

The primary purpose of Cisco IOS is to route, and it will do so unless instructed otherwise and even then only provided that there aren't any feature interactions that result in routing through unexpected paths. IOS -wants- to route, and will essentially look for excuses to route.

The primary purpose of a good firewall is to block traffic that is not specifically permitted. Firewalls want to block, and will essentially look for excuses to do so.

Reply to
Walter Roberson

There are enough firewall features added to the IOS firewall images to enable them to be classified as ICSA-certified firewalls. That certification is enough to make me think that my Cisco router IS a 'real' firewall, as its firewall has been certified by a well-known authority on the subject.

Which is the behavior my Cisco unit exhibits when I have it loaded with the base IOS image.

Which is the behavior my Cisco unit exhibits when I have it loaded with the Advanced IP Services IOS image. Everything is locked up tight as a drum unless I specifically enable traffic.

You may say my Cisco router does not have a real firewall, but both Cisco & the ICSA Labs do.

Reply to
gray.wizard
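For reference, here is the configuration the original question asks for, written both ways the thread argues about: first with plain stateless ACLs (base IOS, the 'established' keyword standing in for state), then with the IOS Firewall feature set's stateful inspection (CBAC). This is an added example, not posted by anyone in this thread; the subnet 10.10.10.0/24, the interface Vlan10, and the ACL and inspection names are assumed.

```cisco
! Added example (not from any poster in this thread). Assumed addressing:
! the protected subnet is 10.10.10.0/24 and it lives on interface Vlan10,
! which is the only router interface facing that VLAN.
!
! --- Part 1: stateless ACLs only (base IOS image) ---
!
! Traffic FROM the subnet enters the router on Vlan10, so it is filtered
! by the ACL applied "in" on that interface.
ip access-list extended VLAN10-FROM-SUBNET
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any log
!
! Traffic TO the subnet leaves the router on Vlan10, so it is filtered by
! the ACL applied "out". With no state to consult, the only way to let
! replies back is the 'established' keyword, which matches any TCP segment
! with the ACK or RST bit set. It checks flags, not connection state: an
! outside host can still reach the subnet with ACK-flagged probes, and
! UDP and ICMP replies (DNS, NTP, ping) are dropped outright.
ip access-list extended VLAN10-TO-SUBNET
 permit tcp any 10.10.10.0 0.0.0.255 established
 deny   ip any 10.10.10.0 0.0.0.255 log
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN10-FROM-SUBNET in
 ip access-group VLAN10-TO-SUBNET out
!
! --- Part 2: stateful inspection (IOS Firewall feature set, CBAC) ---
!
! 'ip inspect' tracks sessions initiated from the subnet and opens
! temporary holes for their return packets through the ACL applied in the
! opposite direction on the interface. The outbound ACL can then deny
! everything, and the 'established' hole is no longer needed.
! (icmp inspection is missing on older images; drop that line if the
! parser rejects it.)
ip inspect name VLAN10-STATE tcp
ip inspect name VLAN10-STATE udp
ip inspect name VLAN10-STATE icmp
!
ip access-list extended VLAN10-TO-SUBNET-STATEFUL
 deny ip any 10.10.10.0 0.0.0.255 log
!
interface Vlan10
 ip access-group VLAN10-FROM-SUBNET in
 ip inspect VLAN10-STATE in
 ip access-group VLAN10-TO-SUBNET-STATEFUL out
```

Two checks worth doing after applying either version: `show ip access-lists` shows hit counts on the deny lines (the `log` keyword also sends matches to syslog), and with CBAC `show ip inspect sessions` lists the sessions currently holding the outbound ACL open. Note that IOS does not apply outbound ACLs to packets the router itself generates, so hosts in the subnet can still manage the router through the Vlan10 address even with the deny-everything outbound ACL in place.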

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.