On 9/15/20 3:12 AM, Nick Hilliard wrote:
> Mike wrote on 15/09/2020 02:17:
>> I have some gear that needs a public ip, but does not have the best
>> security profile, and I want to put up an ACL that only permits this
>> gear to make outbound connections while dropping all inbound. My router
>> is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
>> copy/paste acl for this type of job?
>
> you're mixing up a packet filtering ACL with a firewall ACL.
>
> A packet filter with this sort of ACL will block all inbound traffic,
> i.e. the performance will be terrific but everything will break
> because return traffic will be blocked (e.g. tcp syns/acks, etc).
>
> A firewall rule will enable dynamic outbound state management, which
> seems to be what you want, but the ASR920 doesn't support it.
>
> You need a firewall for this, not a router.
>
> Nick
I ask because online Cisco docs as well as the command line indicate
support for matching 'established' connections, as well as combinations
of flags:

rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit
  <cr>

It just seems to me that it is indeed possible using the above to put it
together. Is this all just non-working on this platform?

Mike-

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
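Added example (not from the thread, and not Cisco code): a small Python model of the two mechanisms Nick contrasts. It evaluates a constructed two-line ACL written in the IOS syntax shown above (the model understands only the `any`, `host` and `established` forms, not Cisco's full ACL grammar) against a few constructed inbound packets, and runs the same packets through a minimal stateful connection tracker. The addresses 203.0.113.10 and 198.51.100.7 are documentation placeholders. Per Cisco's documentation the `established` keyword matches TCP segments with the ACK or RST bit set; the model shows what that buys and what it does not: unsolicited SYNs are dropped and handshake replies pass, but any ACK-only segment is passed whether or not a connection exists, and non-TCP replies such as DNS answers are dropped unless you add explicit lines, which is the breakage Nick refers to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str                         # source IPv4 address
    dst: str                         # destination IPv4 address
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # names of TCP flags set, e.g. {"SYN", "ACK"}


# Constructed placeholder addresses (RFC 5737 documentation ranges).
DEVICE = "203.0.113.10"   # the gear that needs a public IP
REMOTE = "198.51.100.7"   # some host on the Internet

# Constructed ACL in IOS-style syntax, meant to be applied inbound on the
# outside interface: allow TCP segments that look like part of a connection
# the device opened, drop everything else.
INBOUND_ACL = [
    f"permit tcp any host {DEVICE} established",
    "deny ip any any",
]


def _addr_match(tokens, addr):
    """Match an 'any' or 'host A.B.C.D' address spec; return (matched, tokens used)."""
    if tokens[0] == "any":
        return True, 1
    if tokens[0] == "host":
        return tokens[1] == addr, 2
    raise ValueError(f"address form not modelled: {tokens[0]}")


def acl_action(acl_lines, pkt):
    """Evaluate a stateless ACL: first matching line wins, implicit deny at the end."""
    for line in acl_lines:
        tok = line.split()
        action, proto = tok[0], tok[1]
        if proto != "ip" and proto != pkt.proto:
            continue
        ok, used = _addr_match(tok[2:], pkt.src)
        if not ok:
            continue
        rest = tok[2 + used:]
        ok, used = _addr_match(rest, pkt.dst)
        if not ok:
            continue
        options = rest[used:]
        if "established" in options:
            # 'established' is a flag test, not a state lookup: it matches any TCP
            # segment with ACK or RST set, whether or not a connection exists.
            if pkt.proto != "tcp" or not (pkt.flags & {"ACK", "RST"}):
                continue
        return action
    return "deny"


class StatefulFilter:
    """Minimal connection tracker standing in for the firewall behaviour Nick
    describes: an inbound packet passes only if it reverses a flow the device
    itself initiated outbound."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.flows else "deny"


def compare():
    """Run constructed inbound packets through both filters; returns
    {scenario: (stateless ACL verdict, stateful firewall verdict)}."""
    fw = StatefulFilter()
    # The device opens an HTTPS connection and sends a DNS query.
    fw.outbound(Packet("tcp", DEVICE, REMOTE, 51000, 443, frozenset({"SYN"})))
    fw.outbound(Packet("udp", DEVICE, REMOTE, 51001, 53))
    cases = {
        "SYN/ACK replying to our connection":
            Packet("tcp", REMOTE, DEVICE, 443, 51000, frozenset({"SYN", "ACK"})),
        "unsolicited inbound SYN":
            Packet("tcp", REMOTE, DEVICE, 40000, 22, frozenset({"SYN"})),
        "unsolicited ACK-only segment":
            Packet("tcp", REMOTE, DEVICE, 40000, 22, frozenset({"ACK"})),
        "DNS reply to our query":
            Packet("udp", REMOTE, DEVICE, 53, 51001),
    }
    return {name: (acl_action(INBOUND_ACL, p), fw.inbound(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (acl, fw) in compare().items():
        print(f"{name:36} ACL+established: {acl:6}  stateful: {fw}")
```

On the router the ACL would be bound with `ip access-group <name> in` on the Internet-facing interface. The model's third and fourth rows are the ones to weigh before relying on it: the ACL cannot tell a genuine reply from any other ACK-bearing segment, and every UDP or ICMP reply the device depends on needs its own permit line, so the filter only reduces exposure to new TCP connection attempts rather than providing the per-connection state a firewall would.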
