> Again, the cli seems to indicate support for all the things
> necessary, which includes the idea of 'established', which is why I ask
> if THIS platform does in fact do what the cli suggests:

No, the ASR920 (unless it's hiding in a recent IOS release) does not do any kind of state tracking. You'll be better served looking at the ISR or Firewall families for that. What you're seeing in the CLI is pretty commonplace these days - to be fair, not just with Cisco - where an unsupported feature is 'left in' the command line. If in doubt, try it. Worst case it won't work, and then you can bounce the config off TAC to get one of their "unsupported configuration" canned responses. :]

________________________________________
From: cisco-nsp <[email protected]> on behalf of Mike <[email protected]>
Sent: Tuesday, September 15, 2020 8:52 AM
To: [email protected]
Subject: Re: [c-nsp] cisco ACL filter outbound only

On 9/15/20 8:08 AM, Brian Turnbow wrote:
>> It just seems to me that it is indeed possible using the above to put it
>> together. Is this all just non-working on this platform?
>>
> The difference is in connection state.
> An ACL does not track it so you can do
> Permit tcp any any established
> Inbound or outbound on a port, but that will only check that the ip packet
> has ack or rst set for the tcp session.
> I can still send you an inbound tcp packet with ack or rst set even if it
> did not originate from "inside" and pass your filter.
> It will also not help in any way for udp etc
> The ACL does not know that a first packet was sent out so it should await a
> response
> This is why you need a firewall be it on the router or external.
>

Hi,

Again, the cli seems to indicate support for all the things necessary, which includes the idea of 'established', which is why I ask if THIS platform does in fact do what the cli suggests:

rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit
  <cr>

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
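As an added illustration of Brian's point (example code, not from anyone in the thread or from Cisco): a small Python model of a stateless `permit tcp any any established` entry beside a flow-tracking filter, run over a constructed packet sequence. The hosts, ports and packet tuples are made up from documentation address ranges.

```python
# Added example, not from the thread: models why an 'established' ACL entry
# (ACK or RST bit set) is not connection tracking. All traffic is constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "RST"}
    direction: str     # "out" = inside -> internet, "in" = internet -> inside


def acl_established_permits(p: Pkt) -> bool:
    """Stateless check, as an inbound 'established' ACE behaves: only the
    TCP flag bits of this one packet are inspected, nothing else."""
    return bool(p.flags & {"ACK", "RST"})


@dataclass
class StatefulFilter:
    """Tracks outbound flows; an inbound packet passes only as a reply to one."""
    flows: set = field(default_factory=set)

    def permits(self, p: Pkt) -> bool:
        if p.direction == "out":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # reverse the 4-tuple: the reply must match a flow we opened
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def compare(packets):
    """Return (index, acl_decision, stateful_decision) per packet."""
    sf = StatefulFilter()
    return [(i, True if p.direction == "out" else acl_established_permits(p), sf.permits(p))
            for i, p in enumerate(packets)]


# constructed traffic: inside host opens a session to 198.51.100.5:443, then an
# unrelated outside host sends an unsolicited ACK, then a SYN, to 192.0.2.10:22
SAMPLE = [
    Pkt("192.0.2.10", 40000, "198.51.100.5", 443, frozenset({"SYN"}), "out"),
    Pkt("198.51.100.5", 443, "192.0.2.10", 40000, frozenset({"SYN", "ACK"}), "in"),
    Pkt("203.0.113.7", 5555, "192.0.2.10", 22, frozenset({"ACK"}), "in"),
    Pkt("203.0.113.7", 5555, "192.0.2.10", 22, frozenset({"SYN"}), "in"),
]

if __name__ == "__main__":
    for i, acl, sf in compare(SAMPLE):
        print(i, "ACL:", "permit" if acl else "deny", "| stateful:", "permit" if sf else "deny")
```

Packet 2 is the case in the thread: the ACL permits it because ACK is set, while the flow-tracking filter denies it because no matching outbound flow exists.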
