Access List

Icekola · Sep 5, 2011

I want to deny any IP WAN traffic from accessing my LAN unless the traffic was originated from the LAN.

How would I accomplished this. I don't think this can be done via a standard nor extended ACL. I think I need a reflexive ACL but I'm not familiar with those just yet.

Cisco 2621
FA0/0 = LAN
FA0/1 = WAN

Your help is appreciated, thanks.

unclerico · Sep 5, 2011

look at implementing CBAC and uRPF

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

dgrizzard · Sep 6, 2011

A reflexive ACL would be your answer, or you can do a CBAC/Zone based firewall.

Reflexive ACL:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html

Icekola · Sep 7, 2011

Thank you for the advice.

Icekola · Sep 8, 2011

Resolved it with the following. May not be the most efficient way but it works

------------------------------------------------------------------
NAT:

ip nat inside source list 1 interface FastEthernet0/1 overload

access-list 1 remark NATADDY
access-list 1 permit 192.168.1.0 0.0.0.255

interface FastEthernet0/1
ip nat outside
------------------------------------------------------------------
Reflexive ACL to allow DHCP and remote access from work but denies all WAN traffic unless originated from LAN:

ip access-list extended INBOUND
permit udp any eq bootps any eq bootpc log
permit ip host x.x.x.x any log
evaluate MIRROR

ip access-list extended OUTBOUND
permit ip any any log reflect MIRROR

interface FastEthernet0/1
ip access-group INBOUND in
ip access-group OUTBOUND out

Quadratic · Sep 12, 2011

Back in the day, a poor man's version of CBAC would be the "established" keyword at the end of a permit line for TCP traffic inbound from WAN. That, of course, is easily bypassed.

CCNP, CCDP, CCIP
Core Network Planner, ISP

burtsbees · Sep 21, 2011

Not unless you do "eq ack, eq sin, eq fin, etc.

/ word

10 ? "TIMMAY!!!"
20 goto 10
run
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Access List

Icekola

Technical User

unclerico

IS-IT--Management

dgrizzard

IS-IT--Management

Icekola

Technical User

Icekola

Technical User

Quadratic

ISP

burtsbees

Programmer

Similar threads

Part and Inventory Search

Sponsor