Solved

Cisco ACL's example to deny incoming SYN packets from outside network (Internet)

Posted on 2003-11-15
2
949 Views
Last Modified: 2008-02-26
Below is an access list from a security book I am reading,

access-list 110 deny tcp any any established
access-list 110 permit tcp any any

interface s0
access-group 110 in  (this is the Internet interface)


If I want to deny incoming tcp traffic other than for established sessions should the access be as follows?

access-list 110 permit tcp any any established

interface s0
access-group 110 in

It seems to me the first access list will deny the returning packets and since a ACL will deny by default, why do I need the 'deny' at all in the first list?

Thanks,
Jerri
0
Comment
Question by:benje02
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 100 total points
ID: 9756425
You are correct in that the first example is backward and is actually blocking what you want to permit (the return traffic to outbound requests). It appears to only permit unsolicited inbound tcp connection requests.

Your 2nd example will permit inbound tcp connections in response to outbound requests, but you will not be able to do things like dns name resolution and you will block icmp inreachables which can have unintended results.

This is they way I typically setup an access list

access-list 110 permit tcp any any established
access-list 110 permit udp any eq 53 any
access-list 110 permit icmp any any unreachables
access-list 110 deny ip any any log  <-- you have to add the line for the "log" keyword --helps in troubleshooting



0
 

Author Comment

by:benje02
ID: 9757259
Thanks for the help.  You guys are great!  
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

New Server 172.16.200.2  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address 172.16.100.2. But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now