It would probably help if you elaborated on what type of connections will be established through/from the device in question.
Sent from my iPhone

> On Sep 15, 2020, at 9:45 AM, Mike <[email protected]> wrote:
>
> On 9/15/20 3:12 AM, Nick Hilliard wrote:
>> Mike wrote on 15/09/2020 02:17:
>>> I have some gear that needs a public ip, but does not have the best
>>> security profile, and I want to put up an ACL that only permits this
>>> gear to make outbound connections while dropping all inbound. My router
>>> is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
>>> copy/paste acl for this type of job?
>>
>> you're mixing up a packet filtering ACL with a firewall ACL.
>>
>> A packet filter with this sort of ACL will block all inbound traffic,
>> i.e. the performance will be terrific but everything will break
>> because return traffic will be blocked (e.g. tcp syns/acks, etc).
>>
>> A firewall rule will enable dynamic outbound state management, which
>> seems to be what you want, but the ASR920 doesn't support it.
>>
>> You need a firewall for this, not a router.
>>
>> Nick
>
>
> I ask because online cisco docs as well as the command line indicate
> support for matching 'established' connections, as well as combinations
> of flags:
>
> rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
>   ack          Match on the ACK bit
>   dscp         Match packets with given dscp value
>   eq           Match only packets on a given port number
>   established  Match established connections
>   fin          Match on the FIN bit
>   fragments    Check non-initial fragments
>   gt           Match only packets with a greater port number
>   log          Log matches against this entry
>   log-input    Log matches against this entry, including input interface
>   lt           Match only packets with a lower port number
>   match-all    Match if all specified flags are present
>   match-any    Match if any specified flag is present
>   neq          Match only packets not on a given port number
>   option       Match packets with given IP Options value
>   precedence   Match packets with given precedence value
>   psh          Match on the PSH bit
>   range        Match only packets in the range of port numbers
>   rst          Match on the RST bit
>   syn          Match on the SYN bit
>   time-range   Specify a time-range
>   tos          Match packets with given TOS value
>   ttl          Match packets with given TTL value
>   urg          Match on the URG bit
>   <cr>
>
>
> It just seems to me that it is indeed possible using the above to put it
> together. Is this all just non-working on this platform?
>
>
> Mike-
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
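To make the packet-filter-versus-firewall distinction in the quoted exchange concrete, here is an added Python model of the inbound ACL Mike is sketching; it is not from the thread and not Cisco code. It implements `established` as IOS documents it (a TCP segment with the ACK or RST bit set) and evaluates the ACL top down over constructed packets; the `Packet` model and the addresses are assumptions.

```python
from dataclasses import dataclass, field

DEVICE = "198.51.100.10"   # constructed address for the exposed gear

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)  # TCP flag names

def established(pkt: Packet) -> bool:
    """IOS 'established' matches a TCP segment whose ACK or RST bit is set.
    Each packet is judged by its own flags; there is no session table."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

# Inbound ACL in the spirit of the thread, evaluated top down:
#   permit tcp any host DEVICE established
#   deny   ip  any host DEVICE
#   permit ip  any any            (traffic for other hosts is untouched)
ACL_IN = [
    ("permit", lambda p: p.dst == DEVICE and established(p)),
    ("deny",   lambda p: p.dst == DEVICE),
    ("permit", lambda p: True),
]

def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, match in acl:
        if match(pkt):
            return action
    return "deny"

# Constructed packets arriving inbound on the router's upstream interface.
SAMPLES = {
    # new connection attempt from the Internet to the device
    "inbound_syn": Packet("203.0.113.5", DEVICE, "tcp", 22, frozenset({"SYN"})),
    # second leg of a TCP handshake the device itself started
    "tcp_reply": Packet("203.0.113.5", DEVICE, "tcp", 40000, frozenset({"SYN", "ACK"})),
    # answer to a DNS query the device sent: UDP has no ACK bit to match
    "dns_reply": Packet("203.0.113.53", DEVICE, "udp", 40001),
    # ACK-flagged segment with no connection behind it: the filter cannot tell
    "bare_ack": Packet("203.0.113.5", DEVICE, "tcp", 22, frozenset({"ACK"})),
}

def results() -> dict:
    """Action the ACL takes for each sample; only flag-bearing TCP gets back in."""
    return {name: evaluate(ACL_IN, pkt) for name, pkt in SAMPLES.items()}
```

The DNS row and the bare-ACK row are the two sides of the same limitation: the keyword keeps no state, so it cannot admit legitimate non-TCP replies and cannot refuse a TCP segment that merely carries the right bit.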
