Cisco router reverse Access Control List configuration

Source: Internet
Author: User

The computers in the 172.16.4.0/24 network segment are servers; we protect these servers from virus attacks originating in the 172.16.3.0 network segment by configuring a reverse ACL.

Configuration example: prevent viruses in the 172.16.3.0/24 network segment from reaching the 172.16.4.0/24 server network segment.

access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255 established

In the Cisco simulator, this defines ACL 101, which permits every computer in the 172.16.3.0 network segment to reach computers in the 172.16.4.0 network segment only when the TCP connection has already been established. When no TCP connection is established, access from 172.16.3.0 to 172.16.4.0 is not allowed.

Once this is set up, a virus cannot easily spread from 172.16.3.0 into the 172.16.4.0 server area. A virus spreads by actively opening TCP connections, and the router's reverse ACL blocks TCP connections initiated from the 172.16.3.0 network segment, so the virus cannot propagate.

A simple way to verify that the reverse ACL is configured correctly is to ping a computer in 172.16.3.0 from a server in 172.16.4.0. If that ping succeeds, then ping 172.16.4.0 from the 172.16.3.0 computer; if that ping fails, the ACL is matching successfully.

One problem with the reverse ACL configured above is that computers in 172.16.3.0 cannot reach the services on the servers: if 172.16.4.13 provides a WWW service, it cannot be accessed. The solution is to add an extended ACL entry ahead of the established entry, for example:

access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.13 0.0.0.0 eq www

The principle behind placing the entry this way is that ACL entries are checked top-down: as soon as a packet matches an entry it is forwarded immediately, and the entries that follow are not evaluated. Computers in 172.16.3.0 can therefore access the server's WWW service normally, while the established entry that follows still takes effect against the virus.
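As an added illustration (not part of the original page), the script below parses ACL 101 exactly as written above and evaluates constructed packets top-down with first-match semantics, showing why a fresh SYN is dropped while a reply segment passes the established entry. It assumes the ACL is applied inbound on the interface facing 172.16.3.0; the hosts 172.16.3.5 and 172.16.4.20 and the ports are constructed sample values.

```python
import ipaddress

# Constructed ACL 101 in Cisco IOS syntax, in the order the page builds it.
ACL_101 = """
access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.13 0.0.0.0 eq www
access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255 established
"""
PORT_NAMES = {"www": 80}  # IOS port keyword -> number

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_acl(text):
    """Parse numbered extended ACL lines of the shape used on this page."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        # access-list <num> <permit|deny> <proto> src swc dst dwc [eq port] [established]
        r = {"action": t[2], "proto": t[3], "src": t[4], "swc": t[5],
             "dst": t[6], "dwc": t[7], "dport": None,
             "established": "established" in t[8:]}
        if "eq" in t[8:]:
            p = t[t.index("eq") + 1]
            r["dport"] = int(p) if p.isdigit() else PORT_NAMES[p]
        rules.append(r)
    return rules

def evaluate(rules, pkt):
    """Top-down, first match wins; unmatched traffic hits the implicit deny."""
    for n, r in enumerate(rules, 1):
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], r["src"], r["swc"]) and
                wildcard_match(pkt["dst"], r["dst"], r["dwc"])):
            continue
        if r["dport"] is not None and pkt["dport"] != r["dport"]:
            continue
        # 'established' matches only segments with ACK or RST set, never a fresh SYN.
        if r["established"] and not ({"ACK", "RST"} & pkt["flags"]):
            continue
        return r["action"], n
    return "deny", None

def tcp(src, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "flags": set(flags)}

RULES = parse_acl(ACL_101)
# Constructed packets arriving inbound from the 172.16.3.0/24 side (assumed: ip access-group 101 in).
WWW_SYN = tcp("172.16.3.5", "172.16.4.13", 80, "SYN")     # permitted by entry 1
SSH_SYN = tcp("172.16.3.5", "172.16.4.20", 22, "SYN")     # no match: implicit deny
REPLY = tcp("172.16.3.5", "172.16.4.20", 51000, "ACK")    # permitted by entry 2
```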
