Cisco 7200 Router IOS 12.X Extended Access-lists/Access-groups. Why use access-group out?

I know out is the default for an access-group. Why? The one argument I saw for using in sounds good: why send traffic through the routing engine just to drop it anyway? If traffic is going from the internal network to an external host, drop the traffic entering the internal interface. Why would you ever want to wait?

Also, I want to have a config that denies specific ports from external to internal but allows everything else, and blocks icmp echo-reply out, I think.

access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80
access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 25
access-list 110 permit icmp any any
access-list 110 permit ip any any   ! temp rule until I figure out what is legit inbound and can add permits

access-list 120 deny icmp 192.168.0.10 0.0.0.0 any echo-reply
access-list 120 permit icmp any any
access-list 120 permit ip any any

ip access-group 110 in   ! applied to the outside interface
ip access-group 120 in   ! applied to the internal interface


richw76 Asked:
 
JFrederick29 Commented:
Applying an access-list out on an interface is useful when you have numerous interfaces on the router and you want to block traffic for all "inside" interfaces leaving the "outside" interface.  In this situation, only one access-list is required outbound versus an inbound access-list on all "inside" interfaces.
 
Tim Holman Commented:
Some pointers:

1) permit IP any any will include ALL udp, tcp and icmp.
2) There's an implicit deny at the end of each access-list - eg deny ip any any.  This isn't displayed in the config file.
3) access-list 120 deny icmp 192.168.0.10 0.0.0.0 any echo-reply

You may as well just deny ICMP full stop...

4) There is a separate icmp enable command, separate from the access-lists.

Post up your config if you need help - I'm not quite sure what you're asking?
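Pointers 1 and 2 above (permit ip covers every protocol, and every list ends in an implicit deny) are easiest to see by replaying packets through the list top-down. The following is an added example, not code from the original thread: a small Python evaluator for the numbered extended-ACL syntax used in the question (numeric ports only; named ports and the established keyword are not handled), run over a constructed copy of the question's ACL 110.

```python
import ipaddress
# Constructed copy of the question's ACL 110 (applied inbound on the outside
# interface); the parenthetical note on its last line is dropped.
ACL_110 = """
access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80
access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 25
access-list 110 permit icmp any any
access-list 110 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(tokens):
    # 'any' | 'host A' | 'A WILDCARD' -> (address, wildcard) as ints.
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    return (_ip(tokens.pop(0)), 0) if tok == "host" else (_ip(tok), _ip(tokens.pop(0)))
def _port(tokens):
    # Optional 'eq PORT' (numeric ports only); None means any port.
    if tokens[:1] != ["eq"]:
        return None
    del tokens[0]
    return int(tokens.pop(0))

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3].lower(), t[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        icmp_type = rest[0] if proto == "icmp" and rest else None  # e.g. echo-reply
        entries.append((action, proto, src, sport, dst, dport, icmp_type, line.strip()))
    return entries

def _in(addr, spec):
    # Cisco wildcard mask: a 1 bit means "don't care", so OR both sides with it.
    return (_ip(addr) | spec[1]) == (spec[0] | spec[1])

def evaluate(entries, proto, src, dst, sport=None, dport=None, icmp_type=None):
    # Top-down, first match decides; otherwise the implicit "deny ip any any" applies.
    for action, p, s, sp, d, dp, it, line in entries:
        if (p in ("ip", proto) and _in(src, s) and _in(dst, d)
                and sp in (None, sport) and dp in (None, dport) and it in (None, icmp_type)):
            return action, line
    return "deny", "implicit deny ip any any"
```

Dropping the final permit ip line from the constructed list shows pointer 2: anything not explicitly permitted, UDP included, falls through to the implicit deny.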
 
Bird_Dog347 Commented:
Here is a named extended access-list that can be used on a standard IOS Cisco router to act as a basic firewall. This has been tried and tested in numerous organizations and works a treat...

Probably wouldn't handle a DDoS attack :-)

IPAD is where you put your inside IP address!


remark This is the access-list to be placed on the Outside LAN interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
remark Deny Testnet
deny ip 192.0.2.0 0.0.0.255 any log
remark Deny packets from localhost, broadcast, and multicast addresses
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
remark Deny packets without an IP address
deny ip host 0.0.0.0 any log
remark Prevent Spoofing on Routers FA Interfaces
deny ip host IPAD any log
deny ip host IPAD any log
deny ip host IPAD any log
remark Permit specific ICMP for ping / traceroute response
permit icmp any IPAD 0.0.0.255 net-unreachable
permit icmp any IPAD 0.0.0.255 echo-reply
permit icmp any IPAD 0.0.0.255 echo
permit icmp any IPAD 0.0.0.255 host-unreachable
permit icmp any IPAD 0.0.0.255 port-unreachable
permit icmp any IPAD 0.0.0.255 packet-too-big
permit icmp any IPAD 0.0.0.255 administratively-prohibited
permit icmp any IPAD 0.0.0.255 source-quench
permit icmp any IPAD 0.0.0.255 ttl-exceeded
remark Allow specific ports access to network
permit tcp any IPAD 0.0.0.255 eq www
permit tcp any IPAD 0.0.0.255 eq 443
permit tcp any IPAD 0.0.0.255 eq smtp
permit tcp any IPAD 0.0.0.255 eq pop3
permit tcp any IPAD 0.0.0.255 eq 143
permit tcp any IPAD 0.0.0.255 eq ftp-data
permit tcp any IPAD 0.0.0.255 eq ftp
permit tcp any IPAD 0.0.0.255 eq nntp
permit tcp any IPAD 0.0.0.255 eq 8081
permit tcp any IPAD 0.0.0.255 eq domain
permit udp any IPAD 0.0.0.255 eq domain
remark Allow RADIUS Proxy Access
permit udp any IPAD 0.0.0.255 eq 1645
permit udp any IPAD 0.0.0.255 eq 1646
permit tcp any IPAD 0.0.0.255 eq 1646
remark permit PCAnywhere
permit tcp any any eq 5631
permit tcp any any eq 5632
permit udp any any eq 5631
permit udp any any eq 5632
permit tcp any any eq 65301
permit tcp any any eq 22
permit udp any any eq 65301
permit udp any any eq 22
remark Permit Established connections
permit tcp any IPAD 0.0.0.255 established
remark Permit Internal DNS Out
permit udp any eq domain any
remark Deny and log anything that doesn't comply to these rules
permit udp any any
deny ip any any log
 
richw76 (Author) Commented:
JFrederick29 I wish I could give you extra points for actually reading my question before you answered it ;-) Thanks that makes sense.
Question has a verified solution.