How can I use the self-anti-ACL to restrict Internet access?

To protect the security of the Intranet, you can only allow Intranet access to the Internet and not allow Internet access to the Intranet. Here, we use the self-reverse ACL of the cisco router.

You need to configure the routing protocol. The following configurations are for RIP Version1. You can also configure other configurations, such as VPN or OSPF.

Self-reverse ACL for Intranet access to the Internet

R1> en

R1 # conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1 (config) # ACL created by ip access-list extended aclout

R1 (config-ext-nacl) # permit tcp any reflect tcp sets this entry to self-inverse, and its name is tcp

Self-reverse ACL for Internet access to the Intranet

R1 (config) # ip access-list extended aclin

R1 (config-ext-nacl) # evaluate tcp generates an auto-inverse list (the first step is to generate an auto-inverse ACL named tcp, so the corresponding name is tcp)

R1 (config-ext-nacl) # permit udp any

Apply the self-countermeasure C to the corresponding interface

R1 (config) # int fa0/1 Internet interface

R1 (config-if) # ip access-group aclout out

R1 (config-if) # ip access-group aclin in

Then, you can only ping the Internet on the PC, but not the Intranet.

1. Use the access control list to implement one-way network access