Cisco ACL- How to block the public from internal access while allowing an internal system to use public web

Tags: acl, cisco, router

I am having trouble with allowing my internal system (Administration) public web access after denying any of the public access to my internal systems.
Here is my ACL on my router so far:

  Extended IP access list Public
        10 deny tcp 17.35.32.64 0.0.0.31 any
        20 deny udp 17.35.32.64 0.0.0.31 any
        30 deny ip 17.35.32.64 0.0.0.31 any
        40 deny icmp 17.35.32.64 0.0.0.31 any
        50 permit tcp 17.35.32.32 0.0.0.31 host 17.35.32.80

  • 17.35.32.64 – public subnet
  • 17.35.32.32 – Admin subnet
  • 17.35.32.80 – Public web

How will I simultaneously block public host access to my internal network, but allow my internal hosts access to the public Internet?

Best Answer

It sounds like you only want to allow an inside address to establish a TCP connection. If you use NAT from your privately addressed network to the public Internet, it is stateful, and it works the way you seem to want.

If you have public addresses on both sides of your router, you could do something like this (there are multiple ways this could look, depending on exactly what you want to do):

interface GigabitEthernet0/0
 description WAN connection
 ip address 17.35.32.66 255.255.255.224
 ip access-group OUTBOUND_ONLY in

ip access-list extended OUTBOUND_ONLY
 permit tcp any any established

This will allow inside hosts to originate TCP connections to outside hosts, and allow the outside hosts to respond on the established connections, but it will block any other traffic from the outside.

Cisco maintains many documents for things like this (just search). For example, Configure Commonly Used IP ACLs:

Allow Only Internal Networks to Initiate a TCP Session

This figure shows that TCP traffic sourced from NetA destined to NetB is permitted, while TCP traffic from NetB destined to NetA is denied.


The purpose of the ACL in this example is to:

  • Allow hosts in NetA to initiate and establish a TCP session to hosts in NetB.
  • Deny hosts in NetB from initiating and establishing a TCP session destined to hosts in NetA.

This configuration allows a datagram to pass through interface Ethernet 0 inbound on R1 when the datagram has:

  • Acknowledged (ACK) or reset (RST) bits set (indicating an established TCP session)
  • A destination port value greater than 1023

R1

hostname R1
!
interface ethernet0
 ip access-group 102 in
!
access-list 102 permit tcp any any gt 1023 established

Since most of the well-known ports for IP services use values less than 1023, any datagram with a destination port less than 1023 or an ACK/RST bit not set is denied by ACL 102. Therefore, when a host from NetB initiates a TCP connection by sending the first TCP packet (without synchronize/start packet (SYN/RST) bit set) for a port number less than 1023, it is denied and the TCP session fails. The TCP sessions initiated from NetA destined to NetB are permitted because they have ACK/RST bit set for returning packets and use port values greater than 1023.
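As an added illustration, not part of the question or the answer above, the following Python model evaluates the three ACLs on this page against constructed packets arriving inbound on the public-side interface. It shows why the asker's ACL drops the web server's own replies to the Admin subnet (line 10 denies every TCP segment sourced from 17.35.32.64/27, replies included), and how the `established` and `gt 1023` keywords let reply segments through while unsolicited SYNs are still dropped. The host addresses 17.35.32.40 (admin) and 17.35.32.70 (public) are made up, the placement of the asker's ACL inbound on the public interface is an assumption, and the parser handles only the keywords that occur on this page.

```python
"""Toy evaluator for Cisco IOS extended-ACL syntax, modelling 'established'
(matches TCP segments with ACK or RST set) and 'gt <port>'.
Constructed illustration; not IOS code and not a full ACL implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_gt: Optional[int] = None   # "gt N": destination port must exceed N
    established: bool = False        # "established": ACK or RST must be set


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into a network (wildcard = inverted mask)."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one entry as printed by 'show access-lists' (sequence number optional)."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens.pop(0)
    action, proto = tokens[0], tokens[1]
    pos = 2

    def take_address() -> ipaddress.IPv4Network:
        nonlocal pos
        tok = tokens[pos]
        if tok == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        # "host X" is shorthand for "X 0.0.0.0"
        addr, wc = (tokens[pos + 1], "0.0.0.0") if tok == "host" else (tok, tokens[pos + 1])
        pos += 2
        return wildcard_to_network(addr, wc)

    src, dst = take_address(), take_address()
    dport_gt, established = None, False
    while pos < len(tokens):
        if tokens[pos] == "gt":
            dport_gt = int(tokens[pos + 1])
            pos += 2
        elif tokens[pos] == "established":
            established = True
            pos += 1
        else:
            raise ValueError(f"unsupported keyword: {tokens[pos]!r}")
    return Ace(action, proto, src, dst, dport_gt, established)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dport_gt is not None and pkt.dport <= ace.dport_gt:
        return False
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The asker's ACL, assumed to be applied inbound on the public-side interface.
ACL_PUBLIC = [
    "10 deny tcp 17.35.32.64 0.0.0.31 any",
    "20 deny udp 17.35.32.64 0.0.0.31 any",
    "30 deny ip 17.35.32.64 0.0.0.31 any",
    "40 deny icmp 17.35.32.64 0.0.0.31 any",
    "50 permit tcp 17.35.32.32 0.0.0.31 host 17.35.32.80",
]
ACL_OUTBOUND_ONLY = ["permit tcp any any established"]   # from the answer
ACL_102 = ["permit tcp any any gt 1023 established"]     # from the Cisco document

# Constructed inbound packets; 17.35.32.40 (admin) and 17.35.32.70 (public) are made-up hosts.
REPLY_FROM_WEB = Packet("tcp", "17.35.32.80", "17.35.32.40", 50000, frozenset({"SYN", "ACK"}))
SYN_FROM_PUBLIC = Packet("tcp", "17.35.32.70", "17.35.32.40", 22, frozenset({"SYN"}))
ACK_TO_LOW_PORT = Packet("tcp", "17.35.32.70", "17.35.32.40", 22, frozenset({"ACK"}))


def run_scenarios() -> dict:
    return {
        "public-acl: web server reply to admin": evaluate(ACL_PUBLIC, REPLY_FROM_WEB),
        "outbound-only: web server reply to admin": evaluate(ACL_OUTBOUND_ONLY, REPLY_FROM_WEB),
        "outbound-only: unsolicited SYN from public": evaluate(ACL_OUTBOUND_ONLY, SYN_FROM_PUBLIC),
        "acl-102: web server reply to admin": evaluate(ACL_102, REPLY_FROM_WEB),
        "acl-102: ACK-only segment to port 22": evaluate(ACL_102, ACK_TO_LOW_PORT),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{verdict:6} {name}")
```

The first scenario is the asker's problem in miniature: the SYN/ACK coming back from 17.35.32.80 matches the deny on line 10 before line 50 is ever consulted, so the Admin host's connection never completes. The `established` entries accept that same reply but refuse a bare SYN, which is the stateless approximation of "only inside hosts may initiate"; note that it keys purely on flag bits, so it is not a substitute for the stateful tracking that NAT or a stateful firewall provides.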
