Cisco IOS ACL Configuration

Discussion in 'Cisco' started by Stokes, May 9, 2006.

  1. Stokes

    Stokes Guest

    Could someone please give me some hints and tips about applying ACLs on
    a router to allow packets outward from a subnet within a vlan, but to
    block all incoming packets to that subnet? Thanks.
    Stokes, May 9, 2006
    #1

  2. In article <>,
    Stokes <9.co.uk> wrote:
    >Could someone please give me some hints and tips about applying ACLs on
    >a router to allow packets outward from a subnet within a vlan, but to
    >block all incoming packets to that subnet? Thanks.


    To confirm: you do not want that subnet to be able to use TCP,
    or do DNS resolution, or NTP -- you just want it to be able to
    send traffic without ever getting any response to the traffic ?
    Walter Roberson, May 9, 2006
    #2

  3. Stokes

    Stokes Guest

    Walter Roberson wrote:
    > In article <>,
    > Stokes <9.co.uk> wrote:
    > >Could someone please give me some hints and tips about applying ACLs on
    > >a router to allow packets outward from a subnet within a vlan, but to
    > >block all incoming packets to that subnet? Thanks.

    >
    > To confirm: you do not want that subnet to be able to use TCP,
    > or do DNS resolution, or NTP -- you just want it to be able to
    > send traffic without ever getting any response to the traffic ?

    The subnet in question needs to talk to other subnets on the network
    outbound only. Incoming IP packets need to be blocked. For example,
    there are three subnets - 1.1.2.0/24, 1.2.3.0/24 and 1.3.4.0/24 on a
    LAN. 1.1.2.0/24 would need to have full IP access to the other two
    subnets on outbound only, but 1.1.2.0/24 must not allow any incoming IP
    traffic from any other subnets on the LAN. Hope that makes it clearer.
    Thanks in advance.
    Stokes, May 9, 2006
    #3
  4. clven45

    Joined: May 9, 2006
    Messages: 1

    Routing 2 subnets

    Hi,
    Can anyone help me with a simple solution to route 2 networks with different subnets so that they can see each other, i.e. Lan1 192.168.33.x and Lan2 192.168.43.x? Is it possible to use a manageable switch, or should it be a router?
    What devices would best fit to solve this issue?

    Thanks in advance
    clven45, May 9, 2006
    #4
  5. In article <>,
    Stokes <9.co.uk> wrote:
    >
    >Walter Roberson wrote:
    >> In article <>,
    >> Stokes <9.co.uk> wrote:


    >> To confirm: you do not want that subnet to be able to use TCP,
    >> or do DNS resolution, or NTP -- you just want it to be able to
    >> send traffic without ever getting any response to the traffic ?


    >The subnet in question needs to talk to other subnets on the network
    >outbound only. Incoming IP packets need to be blocked. For example,
    >there are three subnets - 1.1.2.0/24, 1.2.3.0/24 and 1.3.4.0/24 on a
    >LAN. 1.1.2.0/24 would need to have full IP access to the other two
    >subnets on outbound only, but 1.1.2.0/24 must not allow any incoming IP
    >traffic from any other subnets on the LAN. Hope that makes it clearer.


    So then you do want 1.1.2.0/24 to be send-only, not able to receive any
    traffic, just as if the receive wire had been snipped?

    If that is not what you want, then recall that in order for
    1.1.2.0/24 to receive a reply to something that 1.1.2.0/24 had
    sent out, the reply packet would be "inbound" towards
    1.1.2.0/24.

    Then consider that except for TCP (and some protocols not often
    implemented), response packets are officially considered "new" flows
    rather than "replies". For example, if you send a NETBIOS query (UDP
    137) to somewhere, then you might get a number of packets in return and
    those packets might show up anywhere from milliseconds to centidays
    later -- and at the header level, those packets will be indistinguishable
    from the remote system spontaneously deciding to send packets to that
    port.

    If snipping the electronic wire is not what you wanted, then
    what you want is not a static ACL on a router: you want a
    'stateful' firewall.

    If your router happens to include the Firewall Feature Set, then
    you can use that. If it doesn't, and if you can put up with higher
    risk, then you might be able to use "reflexive" ACLs on your router.
    http://www.samag.com/documents/s=1769/sam0112b/0112b.htm

    A stateful firewall will track state such as TCP sequence numbers,
    whereas reflexive ACLs only work based upon IPs and ports. A
    Cisco PIX, for example, will randomize the sequence numbers to prevent
    ISN (Initial Sequence Number) Prediction (a technique used to
    hijack TCP connections).
    Walter Roberson, May 10, 2006
    #5
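The two approaches Walter contrasts, written out as an added IOS configuration example (not posted by anyone in the thread). It assumes the router's SVI for 1.1.2.0/24 is Vlan2 with address 1.1.2.1 and uses invented ACL names; the three subnets are the ones from the question.

```cisco
! Added example, not from the thread. Assumes Vlan2 / 1.1.2.1 is the
! router interface for 1.1.2.0/24; ACL names SENDONLY-IN, SUBNET-OUT,
! SUBNET-IN and RETURN are invented for this example.
!
! --- Version 1: a static ACL, i.e. the "snipped receive wire".
! Applied "out" on Vlan2 it drops every packet the router would deliver
! into 1.1.2.0/24, including replies to sessions the subnet started, so
! DNS, NTP and TCP from that subnet all silently fail.
ip access-list extended SENDONLY-IN
 deny   ip any 1.1.2.0 0.0.0.255
 permit ip any any
! (would be applied with: ip access-group SENDONLY-IN out)
!
! --- Version 2: reflexive ACLs. Packets leaving the subnet (entering the
! router "in" on Vlan2) create temporary entries in RETURN keyed on the
! source/destination IPs and ports only. Only packets matching such an
! entry are let back into the subnet; other subnets cannot initiate.
! Entries are removed after 120 s of inactivity (default is 300 s).
ip reflexive-list timeout 120
!
ip access-list extended SUBNET-OUT
 remark Outbound from 1.1.2.0/24 to the other two LAN subnets, tracked
 permit tcp  1.1.2.0 0.0.0.255 1.2.3.0 0.0.0.255 reflect RETURN
 permit udp  1.1.2.0 0.0.0.255 1.2.3.0 0.0.0.255 reflect RETURN
 permit icmp 1.1.2.0 0.0.0.255 1.2.3.0 0.0.0.255 reflect RETURN
 permit tcp  1.1.2.0 0.0.0.255 1.3.4.0 0.0.0.255 reflect RETURN
 permit udp  1.1.2.0 0.0.0.255 1.3.4.0 0.0.0.255 reflect RETURN
 permit icmp 1.1.2.0 0.0.0.255 1.3.4.0 0.0.0.255 reflect RETURN
 deny   ip any any
!
ip access-list extended SUBNET-IN
 remark Only replies to tracked sessions may enter 1.1.2.0/24
 evaluate RETURN
 deny   ip any any
!
interface Vlan2
 ip address 1.1.2.1 255.255.255.0
 ip access-group SUBNET-OUT in
 ip access-group SUBNET-IN out
```

Because the RETURN entries match on addresses and ports alone, a packet forged with the right 5-tuple during the timeout window is accepted, which is the "higher risk" compared with a stateful firewall that also checks TCP sequence numbers; `show access-lists RETURN` displays the live temporary entries.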
