Solved

Cisco ACL's example to deny incoming SYN packets from outside network (Internet)

Posted on 2003-11-15
2
961 Views
Last Modified: 2008-02-26
Below is an access list from a security book I am reading,

access-list 110 deny tcp any any established
access-list 110 permit tcp any any

interface s0
access-group 110 in  (this is the Internet interface)


If I want to deny incoming tcp traffic other than for established sessions should the access be as follows?

access-list 110 permit tcp any any established

interface s0
access-group 110 in

It seems to me the first access list will deny the returning packets and since a ACL will deny by default, why do I need the 'deny' at all in the first list?

Thanks,
Jerri
0
Comment
Question by:benje02
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 100 total points
ID: 9756425
You are correct in that the first example is backward and is actually blocking what you want to permit (the return traffic to outbound requests). It appears to only permit unsolicited inbound tcp connection requests.

Your 2nd example will permit inbound tcp connections in response to outbound requests, but you will not be able to do things like dns name resolution and you will block icmp inreachables which can have unintended results.

This is they way I typically setup an access list

access-list 110 permit tcp any any established
access-list 110 permit udp any eq 53 any
access-list 110 permit icmp any any unreachables
access-list 110 deny ip any any log  <-- you have to add the line for the "log" keyword --helps in troubleshooting



0
 

Author Comment

by:benje02
ID: 9757259
Thanks for the help.  You guys are great!  
0

Featured Post

Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Configure BGP 22 57
Access-List 15 63
Programmable Firewall Router? 3 23
How do you monitor for rogue wifi extenders or access points 7 24
Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question