Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco ACL's example to deny incoming SYN packets from outside network (Internet)

Posted on 2003-11-15
2
Medium Priority
?
967 Views
Last Modified: 2008-02-26
Below is an access list from a security book I am reading,

access-list 110 deny tcp any any established
access-list 110 permit tcp any any

interface s0
access-group 110 in  (this is the Internet interface)


If I want to deny incoming tcp traffic other than for established sessions should the access be as follows?

access-list 110 permit tcp any any established

interface s0
access-group 110 in

It seems to me the first access list will deny the returning packets and since a ACL will deny by default, why do I need the 'deny' at all in the first list?

Thanks,
Jerri
0
Comment
Question by:benje02
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 9756425
You are correct in that the first example is backward and is actually blocking what you want to permit (the return traffic to outbound requests). It appears to only permit unsolicited inbound tcp connection requests.

Your 2nd example will permit inbound tcp connections in response to outbound requests, but you will not be able to do things like dns name resolution and you will block icmp inreachables which can have unintended results.

This is they way I typically setup an access list

access-list 110 permit tcp any any established
access-list 110 permit udp any eq 53 any
access-list 110 permit icmp any any unreachables
access-list 110 deny ip any any log  <-- you have to add the line for the "log" keyword --helps in troubleshooting



0
 

Author Comment

by:benje02
ID: 9757259
Thanks for the help.  You guys are great!  
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question