Mike wrote on 15/09/2020 02:17:
I have some gear that needs a public ip, but does not have the best
security profile, and I want to put up an ACL that only permits this
gear to make outbound connections while dropping all inbound. My router
is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
copy/paste acl for this type of job?

You're mixing up a packet filtering ACL with a firewall ACL.

A packet filter with this sort of ACL will block all inbound traffic, i.e. the performance will be terrific but everything will break because return traffic will be blocked (e.g. tcp syns/acks, etc).

A firewall rule will enable dynamic outbound state management, which seems to be what you want, but the ASR920 doesn't support it.

You need a firewall for this, not a router.

Nick
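To illustrate the distinction Nick draws, here is an added toy model (not code from the thread, and not anything the ASR920 runs): a stateless filter that judges each packet on its own header next to a stateful one that remembers outbound-initiated flows. The addresses, ports and the Packet/filter class names are constructed for the demonstration. Replaying a TCP three-way handshake through both shows the stateless "deny all inbound" rule dropping the SYN/ACK, while the stateful filter admits it because it is the reverse of a flow the inside host opened.

```python
# Added example: stateless ACL semantics vs. stateful firewall semantics.
# Not from the mailing-list thread; all names and addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as a short string, e.g. "S", "SA", "A"
    direction: str   # "out" = inside -> Internet, "in" = Internet -> inside


class StatelessFilter:
    """Plain packet-filter ACL: every packet is judged on its own header.
    'Permit outbound, deny inbound' therefore also denies the replies."""

    def permit(self, pkt: Packet) -> bool:
        return pkt.direction == "out"


class StatefulFilter:
    """Firewall-style filter: record outbound flows and admit only the
    inbound packets that are the reverse of a recorded flow."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def permit(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: allowed only if it answers a flow the inside host started.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_handshake(filt) -> list[bool]:
    """Replay a TCP three-way handshake through `filt`; return the verdicts
    in order (SYN out, SYN/ACK in, ACK out)."""
    inside, outside = "192.0.2.10", "198.51.100.5"   # constructed RFC 5737 addresses
    exchange = [
        Packet(inside, 40000, outside, 443, "S", "out"),
        Packet(outside, 443, inside, 40000, "SA", "in"),
        Packet(inside, 40000, outside, 443, "A", "out"),
    ]
    return [filt.permit(p) for p in exchange]


def unsolicited_inbound(filt) -> bool:
    """An inbound SYN that no inside host asked for: both filters drop it."""
    probe = Packet("203.0.113.9", 51515, "192.0.2.10", 22, "S", "in")
    return filt.permit(probe)


if __name__ == "__main__":
    # Stateless: the SYN/ACK is dropped, so the connection never completes.
    print("stateless handshake:", run_handshake(StatelessFilter()))
    # Stateful: the SYN/ACK matches the recorded outbound flow and is admitted.
    print("stateful  handshake:", run_handshake(StatefulFilter()))
    print("unsolicited inbound (stateless):", unsolicited_inbound(StatelessFilter()))
    print("unsolicited inbound (stateful): ", unsolicited_inbound(StatefulFilter()))
```

The stateful class keeps only a 4-tuple set; a real firewall also checks TCP flags and sequence numbers and ages entries out, but the 4-tuple is enough to show why return traffic needs state that a plain ACL does not have.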
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
