Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ACL's example to deny incoming SYN packets from outside network (Internet)

Posted on 2003-11-15
2
Medium Priority
?
972 Views
Last Modified: 2008-02-26
Below is an access list from a security book I am reading,

access-list 110 deny tcp any any established
access-list 110 permit tcp any any

interface s0
access-group 110 in  (this is the Internet interface)


If I want to deny incoming tcp traffic other than for established sessions should the access be as follows?

access-list 110 permit tcp any any established

interface s0
access-group 110 in

It seems to me the first access list will deny the returning packets and since a ACL will deny by default, why do I need the 'deny' at all in the first list?

Thanks,
Jerri
0
Comment
Question by:benje02
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 9756425
You are correct in that the first example is backward and is actually blocking what you want to permit (the return traffic to outbound requests). It appears to only permit unsolicited inbound tcp connection requests.

Your 2nd example will permit inbound tcp connections in response to outbound requests, but you will not be able to do things like dns name resolution and you will block icmp inreachables which can have unintended results.

This is they way I typically setup an access list

access-list 110 permit tcp any any established
access-list 110 permit udp any eq 53 any
access-list 110 permit icmp any any unreachables
access-list 110 deny ip any any log  <-- you have to add the line for the "log" keyword --helps in troubleshooting



0
 

Author Comment

by:benje02
ID: 9757259
Thanks for the help.  You guys are great!  
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question