Newbie ACL related/established question
aray
in CCNA & CCENT
Hi All,
I'm trying to work out how to do an "Allow all related/established" on my 837 - i.e.
if I initiate a TCP connection then return packets are allowed - but any unrelated SYN packets coming in are dropped - and the same for all the other protocols (ICMP, UDP, etc). If I can relate it to the other firewalling experience I've had -
Allow all from the LAN (and anything that returns from it) - but deny any new connections/packets from the outside that aren't related.
I've had a hunt around (including the ACL guide on this site) - I have found the 'established' TCP option, but is there anything else (for say UDP) - that if the router can see the session in its NAT table, then it allows the reply back through?
I hope this makes sense!
Thanks,
Andrew
Comments
Yankee: Yep, you can do what you describe if you have an IOS containing the firewall feature set.
aray: Hi,
I have an 837 - IOS (tm) C837 Software (C837-K9O3SY6-M), Version 12.2
I have actually changed my access-list to give me something close to suitable (works for TCP) - but I'm unsure how to block UDP that isn't also in the NAT table (as outgoing).
My acl at the moment is looking like so...
Thanks!
Andrew
Standard IP access list 10
10 permit 192.168.200.0, wildcard bits 0.0.0.255 (1050 matches)
20 deny any log
Standard IP access list 20
10 permit 192.168.200.0, wildcard bits 0.0.0.255 (8 matches)
20 deny any log
Extended IP access list 100
10 permit ip any any (9158 matches)
Extended IP access list 110
10 permit tcp any 192.168.200.0 0.0.0.255
20 permit tcp any any established (202319 matches)
30 permit tcp any any fin
40 permit tcp any any ack
60 permit tcp any any rst
70 permit udp any any (253658 matches)
80 permit icmp any 192.168.200.0 0.0.0.255
90 permit icmp any any echo-reply (19 matches)
100 deny ip any any log (77 matches)
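For the UDP half of the question, using the firewall feature set Yankee mentions, here is an added example that is not from the original thread or Cisco documentation. It replaces the wide-open "permit udp any any" line of the posted ACL 110 with CBAC ("ip inspect"), which records each LAN-initiated session and opens a temporary return path for it, so inbound UDP that matches no tracked session falls through to the final deny. The interface names (Ethernet0 inside, Dialer0 outside) and the image actually supporting "ip inspect" are assumptions.

```cisco
! Added example (assumed 837 layout: Ethernet0 = LAN 192.168.200.0/24,
! Dialer0 = outside). Requires an IOS firewall feature set image.
!
! 1. Declare which outbound sessions the router should track. Each matching
!    outbound packet creates a dynamic entry that permits only the matching
!    return packets (same addresses/ports). UDP entries expire on idle,
!    since UDP has no FIN/RST to mark the end of a session.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect udp idle-time 30
!
! 2. Static inbound ACL on the outside interface. Compared with the
!    posted ACL 110, the "permit udp any any" line is gone: return UDP
!    now rides on the inspect entries instead of a blanket permit.
!    "established" stays as an extra guard for TCP; unrelated inbound
!    SYNs and unsolicited UDP hit the final deny and are logged.
access-list 110 remark Outside-in: only tracked/return traffic
access-list 110 permit tcp any any established
access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any log
!
! 3. Bind both to the outside interface: inspect what leaves the router,
!    filter what arrives. Dynamic inspect entries are consulted before
!    the static ACL lines for inbound packets.
interface Dialer0
 ip access-group 110 in
 ip inspect LAN-OUT out
!
! Verification after a LAN host does a DNS lookup or NTP query:
!   show ip inspect sessions        -> one UDP entry per open outbound flow
!   show access-lists 110           -> match counters on the deny line show
!                                      unsolicited inbound packets being dropped
```

If the image turns out not to support "ip inspect", the same idea is available on plain IOS as reflexive ACLs ("reflect"/"evaluate" keywords), at the cost of an extra ACL pair.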