Today, we will learn how to filter incoming or outgoing traffic into or out of a network.
The best way to filter or block incoming and outgoing traffic is a firewall, either hardware-based or software-based.
But if you do not have a firewall and only have a Cisco manageable router, you can still do this with an Access Control List (ACL) applied to the outside interface of the router. Every incoming or outgoing packet then passes through the ACL that is applied to that interface: if a permit rule matches, the traffic is allowed; if no rule matches, the inbound/outbound traffic is discarded.
Current Scenario:

Goal:
We have a web application, http://www.testa.com, which we want to make available only to a limited set of people, not to the whole world. In this scenario we want to block the traffic at the entry point itself: we want to give only limited access to inbound traffic, and we do not want our web server or DB server to be open to the world. Since all of the traffic is coming from the internet, the best practice is to block it right there at the router instead of doing it at each server individually, which is also possible.
So we first have to create an access list in the router and then assign that ACL to the interface where we want it, either the inside or the outside interface. In the current scenario we will assign that ACL to the outside interface of the router.
Step 1 :
Open the router CLI and go to configure terminal mode.
C2921-PriRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
C2921-PriRouter(config)#
Create ACL:
C2921-PriRouter(config)#ip access-list extended anti-spoof
#This command creates a new extended ACL named anti-spoof.
#ip access-list: the Cisco IOS command to create or modify a named access list on the router.
#extended: an extended ACL lets you permit or deny traffic from a specific source IP to a specific destination IP, including port numbers. It also lets you match different types of traffic such as ICMP, TCP, UDP, etc.
#anti-spoof: the name of the ACL, which we refer to later when applying it to an interface. This name can be anything you want it to be.
Entering Rules into ACL:
I will enter different inbound/outbound (IB/OB) traffic rules and describe what each one does, one rule per line. Keep in mind that the router evaluates the entries in order, the first matching entry wins, and anything not matched by any entry is dropped by the implicit deny at the end of the list.
C2921-PriRouter(config-ext-nacl)#deny tcp any any eq 22 (This rule denies any TCP traffic to port 22 coming from any source (internet) to any destination (internal network).)
C2921-PriRouter(config-ext-nacl)#permit ip host 1.1.1.1 any (This rule allows all traffic coming from source 1.1.1.1 to our network.)
C2921-PriRouter(config-ext-nacl)#permit udp any any range 10000 20000 (Allow UDP traffic to ports 10,000 to 20,000 coming from any source to any destination.)
C2921-PriRouter(config-ext-nacl)#permit ip host 2.2.2.2 host 172.25.20.20 (This rule allows only the host with IP 2.2.2.2 to get through to our web server, 172.25.20.20.)
C2921-PriRouter(config-ext-nacl)#deny ip any host 172.25.20.20 (This rule blocks ALL other traffic to the web server, 172.25.20.20. It is important to understand how permit and deny work together: because the permit for 2.2.2.2 comes before this entry, only that source is allowed and every other source is blocked by this rule.)
C2921-PriRouter(config-ext-nacl)#permit udp any any (Permit all remaining UDP from any source to any destination.)
C2921-PriRouter(config-ext-nacl)#permit ip any any (Finally, permit all remaining IP traffic from any source to any destination.)
Step 2:
Applying the ACL to a router interface.
C2921-PriRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
C2921-PriRouter(config)#interface GigabitEthernet0/1.100
C2921-PriRouter(config-subif)#ip access-group anti-spoof in
That’s it. Do some testing and make sure it is working. NOTE: You can apply one ACL to more than one interface.
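As an added example (not part of the original post), here is a small Python model of how the router walks the anti-spoof ACL built above: it parses the entries, applies first-match-wins and the implicit deny at the end, and also accepts the network/wildcard address form that this page does not use. The deny entry targets the web server 172.25.20.20, as the page's explanation of that rule intends; the test packets are constructed.

```python
import ipaddress

# Constructed copy of the page's anti-spoof ACL, one entry per line, with the
# deny aimed at the web server 172.25.20.20 as the page's explanation intends.
ANTI_SPOOF = """
deny tcp any any eq 22
permit ip host 1.1.1.1 any
permit udp any any range 10000 20000
permit ip host 2.2.2.2 host 172.25.20.20
deny ip any host 172.25.20.20
permit udp any any
permit ip any any
""".strip().splitlines()

def parse_addr(tok):
    """Consume an IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # A wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24).
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[1])))
    return ipaddress.ip_network((tok[0], str(mask)), strict=False), tok[2:]

def parse_ports(tok):
    """Consume an optional 'eq N' or 'range LO HI' port qualifier."""
    if tok and tok[0] == "eq":
        return (int(tok[1]), int(tok[1])), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return (0, 65535), tok

def parse_ace(line):
    # Returns (action, proto, src_net, src_ports, dst_net, dst_ports).
    action, proto, *rest = line.split()
    src, rest = parse_addr(rest)
    sports, rest = parse_ports(rest)
    dst, rest = parse_addr(rest)
    dports, rest = parse_ports(rest)
    return action, proto, src, sports, dst, dports

def evaluate(acl, proto, src, dst, sport=0, dport=0):
    """First matching entry wins; an ACL ends with an implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, rproto, snet, sp, dnet, dp = parse_ace(line)
        if rproto not in ("ip", proto):  # 'ip' matches every protocol
            continue
        if src in snet and dst in dnet and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]:
            return action, line
    return "deny", "implicit deny"
```

Running it shows, for instance, that SSH from 1.1.1.1 is still dropped by the first entry even though the second entry permits that host, and that the final permit ip any any leaves hosts other than the web server reachable from outside, which is worth checking against the stated goal for the DB server.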