To build an access list on a Cisco router that allows only outgoing TCP connections and blocks all incoming traffic except replies to connections initiated by inside hosts, you need to permit return traffic for connections the inside hosts established.
This post gives an example of an access list that permits only connections initiated by inside hosts, i.e. it allows TCP SYNs only from the inside. In other words, this access list blocks all TCP SYN traffic arriving from the outside network.
Because a normal TCP client connection is initiated from an ephemeral source port greater than 1023, the first entry permits only return traffic (packets with the ACK or RST bit set, which is what the established keyword checks) whose destination port is greater than 1023. To allow active-mode FTP, the data connection the FTP server opens from TCP port 20 (ftp-data) must also be permitted. UDP port 53 must be allowed as well, because DNS servers send their replies from UDP port 53.

ip access-list extended OUTGOING-ONLY
 permit tcp any any gt 1023 established
 permit tcp any eq ftp-data any
 permit udp any eq 53 any

Everything else, including any TCP SYN from the outside, hits the implicit deny at the end of the list. Note that established is not stateful: it only looks at the TCP flags, so a packet with ACK set and a destination port above 1023 is permitted whether or not a matching connection exists, and the ftp-data and DNS entries admit any packet whose source port is TCP 20 or UDP 53 regardless of destination. For real connection tracking use reflexive ACLs or the IOS zone-based firewall instead.
Apply this access list inbound on the outside (ISP-facing) interface, so it filters traffic entering the router from the ISP:

interface FastEthernet0/0
 description TO-ISP
 ip access-group OUTGOING-ONLY in
 ip address 192.168.1.2 255.255.255.252
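As an added example (not part of the original post), the following Python script models how IOS walks this access list top to bottom with an implicit deny at the end, and feeds it a few constructed packets arriving from the outside. It shows the return traffic the list is meant to admit, and also the packets it admits unintentionally because established checks only the ACK/RST flags and the ftp-data and DNS entries key only on the source port. The sample packets and the simplified matching model are assumptions made for illustration.

```python
# Added example (not from the original post): a minimal model of how Cisco IOS
# evaluates the OUTGOING-ONLY access list, to show which inbound packets it admits.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """An inbound packet as seen by the ACL on the ISP-facing interface."""
    proto: str                      # "tcp" or "udp"
    sport: int                      # source port (outside host)
    dport: int                      # destination port (inside host)
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN", "ACK"}


def is_established(pkt: Packet) -> bool:
    # The IOS 'established' keyword matches when ACK or RST is set.
    # It inspects flags only; it does not track connection state.
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


# The three entries of OUTGOING-ONLY, in order, as (entry text, match predicate).
OUTGOING_ONLY = [
    ("permit tcp any any gt 1023 established",
     lambda p: p.proto == "tcp" and p.dport > 1023 and is_established(p)),
    ("permit tcp any eq ftp-data any",
     lambda p: p.proto == "tcp" and p.sport == 20),
    ("permit udp any eq 53 any",
     lambda p: p.proto == "udp" and p.sport == 53),
]


def evaluate(acl, pkt: Packet):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for text, match in acl:
        if match(pkt):
            return "permit", text
    return "deny", "implicit deny"


# Constructed sample packets (not captured traffic), all arriving from outside.
SAMPLES = {
    # Intended behaviour
    "syn_to_ssh":          Packet("tcp", 40000, 22, frozenset({"SYN"})),        # blocked
    "https_reply":         Packet("tcp", 443, 51000, frozenset({"SYN", "ACK"})),  # allowed
    "dns_reply":           Packet("udp", 53, 34567),                             # allowed
    "active_ftp_data":     Packet("tcp", 20, 50000, frozenset({"SYN"})),         # allowed
    # Unintended consequences of flag- and source-port-only matching
    "ack_scan_8080":       Packet("tcp", 40000, 8080, frozenset({"ACK"})),       # allowed
    "spoofed_sport20_ssh": Packet("tcp", 20, 22, frozenset({"SYN"})),            # allowed
    # Reply to an inside client that used a low ephemeral port
    "reply_to_low_port":   Packet("tcp", 443, 1023, frozenset({"ACK"})),         # blocked
}


def run_samples():
    """Evaluate every sample packet; returns {name: (action, matched entry)}."""
    return {name: evaluate(OUTGOING_ONLY, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, entry) in run_samples().items():
        print(f"{name:22s} {action:6s} ({entry})")
```

The two "allowed" cases under unintended consequences are the ones to keep in mind: an ACK-only probe to any inside port above 1023 passes the first entry, and a SYN sent from source port 20 reaches any inside port through the ftp-data entry.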