access list for cisco route with cable modem

Status
Not open for further replies.

csross

MIS
Joined
Dec 21, 2003
Messages
92
Location
US
I have a cable modem and a 3620 router. I created a one-line access list that said

access-list 101 permit tcp any any established

Then I applied it to the ethernet interface connected to the cable modem IN. The only traffic I want is any traffic that started on the inside.

I am not able to get anywhere (although this page came up). Does it have to do with udp traffic? There is not an "established" parameter with udp.

I will be using this at work and I need to protect my internal network from all inbound traffic.

Any suggestions?
 
I'm assuming you're using NAT.

If so, then you already have the function of only allowing inbound traffic if requested from the inside. You don't really need the access-list you posted. Although, it's a good idea to add some access-lists to protect your network.

Depending upon the IOS version you have, you could implement the IOS firewall feature set which works pretty well.

If not, Cisco's website has some good examples of some basic security (anti-spoof, etc) access-lists that you can put in.

The one you mentioned isn't really needed if you're using NAT.

If you're not using NAT, then I would recommend using it if you can.

BierHunter
CNE, MCSE, CCNP
 
Thanks for the answer. I am using nat but why would it only allow established traffic? Why would the addition of that statement cause problems? I like to put in a backdoor to my network which allows telnet to the address assigned to the e0/0 interface in to be forwarded to a particular machine (port forwarding). If only established traffic is allowed, how can I accomplish this?

Thanks
 
The reason that UDP does not have this option (established) is because UDP does not establish connections as it is a connectionless protocol.

For anti-spoofing use...

access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any
access-list number deny ip host 0.0.0.0 any

To only allow incoming responses you would want to use CBAC (this is with the firewall IOS); this would act like a PIX with fixup protocols. With UDP there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets and if the packet was detected soon after another similar UDP packet, meaning within the configurable UDP idle timeout period.
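The behaviour described in this thread (first-match evaluation, the TCP-only "established" keyword, the anti-spoof deny lines, and the implicit deny at the end of every IOS access list) can be seen in a small evaluator. The following is an added example written for this page, not code from any poster or from Cisco: it parses the access-list lines quoted above into a constructed list numbered 101 (the number is an assumption), then runs a few constructed packets through it. The addresses 198.51.100.5 and 203.0.113.x are documentation ranges chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed ACL built from the lines quoted in this thread; the number 101 is assumed.
ACL_TEXT = """
access-list 101 deny icmp any any redirect
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit tcp any any established
"""


@dataclass
class Packet:
    proto: str                                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: set = field(default_factory=set)  # e.g. {"SYN"} or {"ACK"}
    icmp_type: int = 0                           # 5 = redirect


def _parse_addr(tokens):
    """Consume one source/destination spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care; invert it to a netmask.
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list <num> <permit|deny> <proto> <src> <dst> [modifier]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        entries.append({"line": line, "action": action, "proto": proto,
                        "src": src, "dst": dst, "mods": set(rest)})
    return entries


def _matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in entry["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in entry["dst"]:
        return False
    if "established" in entry["mods"]:
        # 'established' exists only for TCP: it matches segments with ACK or RST set,
        # so a fresh inbound SYN, and every UDP datagram, fall through to later lines.
        if pkt.proto != "tcp" or not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
    if "redirect" in entry["mods"] and pkt.icmp_type != 5:
        return False
    return True


def evaluate(entries, pkt):
    """First-match evaluation with IOS's implicit 'deny ip any any' at the end."""
    for e in entries:
        if _matches(e, pkt):
            return e["action"], e["line"]
    return "deny", "(implicit deny at end of list)"


def demo():
    """Run constructed inbound packets through the list; returns {name: action}."""
    acl = parse_acl(ACL_TEXT)
    samples = {
        "tcp reply (ACK set)":  Packet("tcp", "203.0.113.10", "198.51.100.5", {"ACK"}),
        "tcp new inbound SYN":  Packet("tcp", "203.0.113.10", "198.51.100.5", {"SYN"}),
        "udp dns reply":        Packet("udp", "203.0.113.53", "198.51.100.5"),
        "spoofed loopback src": Packet("tcp", "127.0.0.1", "198.51.100.5", {"ACK"}),
        "icmp redirect":        Packet("icmp", "203.0.113.1", "198.51.100.5", icmp_type=5),
    }
    return {name: evaluate(acl, p)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:24s} -> {action}")
```

The "udp dns reply" case is the original poster's problem in miniature: nothing in the list matches a UDP datagram, so the implicit deny drops it. The anti-spoof lines are placed before the permit so that a spoofed loopback source is rejected even though it carries the ACK flag.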
 
Also, just to add something I forgot to mention earlier. With a one line access list:

access-list 101 permit tcp any any established

There is always a "deny all" built-in at the end of the access lists by default. With just the one line above, any non-tcp (udp, IP, etc) traffic would be blocked.

Also, the reason that NAT only allows inbound traffic if requested is that the packet doesn't know how to get past the external interface unless there is a translation already created (i.e. you send out). Now, of course, any static translations will create a permanent translation path in and out. With dynamic translations (which is usually the case), a return path is only opened up once a request is made from an internal address and only on the ports in use. It then creates a translation for that session which allows data to come back in on those specific ports in use for that session. There is an aging time for the sessions, so they do expire and will close the connection.

That can be viewed with the "show ip nat trans" command. If the table is empty, then there is no current translation.

To allow your telnet traffic through, here's a sample static mapping you can use for that:

ip nat inside source static tcp <inside address> 23 interface Ethernet0/0 23 extendable

(you may or may not need the 'extendable' keyword depending upon your IOS version).

That will allow telnet traffic to come in and forward to the internal address you specify.

Hope this helps.

BierHunter
CNE, MCSE, CCNP
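The translation-table behaviour BierHunter describes in the two replies above (unsolicited inbound traffic has no entry and is dropped, an outbound request creates a dynamic entry that only the peer of that session can use, dynamic entries age out, and a static entry such as the telnet port forward is always present) can be modelled in a few dozen lines. This is an added example written for this page, not code from any poster or from Cisco IOS: the outside address 198.51.100.5, the inside hosts 10.0.0.x, the 300-second idle timeout and the port allocation are all constructed values, and the model is a simplified port-overload NAT, not a reproduction of IOS internals.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

OUTSIDE_ADDR = "198.51.100.5"   # constructed: stands in for the cable-modem-facing e0/0 address
DYNAMIC_TIMEOUT = 300.0         # constructed idle timeout in seconds, not a specific IOS default


@dataclass
class Translation:
    proto: str
    inside_local: Tuple[str, int]            # real inside address and port
    inside_global: Tuple[str, int]           # address and port as seen from the outside
    outside: Optional[Tuple[str, int]]       # session peer for dynamic entries; None for static
    static: bool
    last_used: float


class NatRouter:
    """Simplified model of the translation table behind 'show ip nat trans'."""

    def __init__(self):
        self.table = []
        self._next_port = 1024               # constructed global port allocator

    def add_static(self, proto, inside_addr, inside_port, global_port):
        """Equivalent of: ip nat inside source static <proto> <inside> <port> interface e0/0 <port>"""
        self.table.append(Translation(proto, (inside_addr, inside_port),
                                      (OUTSIDE_ADDR, global_port), None, True, 0.0))

    def _expire(self, now):
        # Dynamic entries age out; static ones are permanent.
        self.table = [t for t in self.table
                      if t.static or now - t.last_used < DYNAMIC_TIMEOUT]

    def outbound(self, proto, src, sport, dst, dport, now):
        """Inside -> outside: reuse or create a translation; return the packet 4-tuple as sent outside."""
        self._expire(now)
        for t in self.table:
            if (t.proto == proto and t.inside_local == (src, sport)
                    and (t.static or t.outside == (dst, dport))):
                t.last_used = now
                return t.inside_global + (dst, dport)
        gport = self._next_port
        self._next_port += 1
        self.table.append(Translation(proto, (src, sport), (OUTSIDE_ADDR, gport),
                                      (dst, dport), False, now))
        return (OUTSIDE_ADDR, gport, dst, dport)

    def inbound(self, proto, src, sport, dport, now):
        """Outside -> inside: forwarded only when a matching entry exists; returns inside (addr, port) or None."""
        self._expire(now)
        for t in self.table:
            if t.proto != proto or t.inside_global != (OUTSIDE_ADDR, dport):
                continue
            if t.static or t.outside == (src, sport):
                t.last_used = now
                return t.inside_local
        return None                           # no translation: the packet is dropped

    def show_translations(self, now):
        """Rough equivalent of 'show ip nat trans': (proto, inside global, inside local)."""
        self._expire(now)
        return [(t.proto, f"{t.inside_global[0]}:{t.inside_global[1]}",
                 f"{t.inside_local[0]}:{t.inside_local[1]}") for t in self.table]


def demo():
    """Walk through the cases discussed in the thread; returns a dict of outcomes."""
    r = NatRouter()
    r.add_static("tcp", "10.0.0.20", 23, 23)      # the telnet port forward from the thread
    t = 0.0
    results = {}
    # Unsolicited inbound SYN to port 80: no entry, dropped.
    results["unsolicited_80"] = r.inbound("tcp", "203.0.113.10", 40000, 80, t)
    # Inbound telnet reaches the static entry even though nothing was sent out first.
    results["telnet_static"] = r.inbound("tcp", "203.0.113.10", 40001, 23, t)
    # An inside host sends a DNS query; the reply comes back through the dynamic entry.
    sent = r.outbound("udp", "10.0.0.50", 5353, "203.0.113.53", 53, t)
    results["dns_reply"] = r.inbound("udp", "203.0.113.53", 53, sent[1], t + 1)
    # A different outside host using that global port is not the session peer: dropped.
    results["dns_wrong_peer"] = r.inbound("udp", "203.0.113.99", 53, sent[1], t + 1)
    # After the idle timeout the dynamic entry is gone, so a late reply is dropped.
    late = t + DYNAMIC_TIMEOUT + 1
    results["dns_after_timeout"] = r.inbound("udp", "203.0.113.53", 53, sent[1], late)
    results["table_after_timeout"] = len(r.show_translations(late))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} -> {value}")
```

The point the model makes is the one in the reply: the static telnet mapping is the only way in that does not depend on an inside host having sent something out first, and it stays open permanently, so it deserves its own access-list line (or CBAC inspection) rather than relying on NAT alone.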
 
Thanks for all your suggestions. I will post the results.
 