
ACL Help


onyx4000

IS-IT--Management
Oct 15, 2001
Hi, can anyone provide a sample access-list config allowing only certain ports (80, 25, etc.) to be "open" to the public Internet, with everything else denied? I have tried for a while but no luck; this is not making any sense to me. As soon as I implement this, port 80 is blocked, because I can't browse the Internet. Help, thanks a lot.

ACL config (numbered extended ACL; the IOS syntax is "access-list 110 ...", and "!" starts a comment):

access-list 110 permit tcp any host 65.64.52.x eq 80
access-list 110 permit tcp any host 65.64.52.x eq 25
! (implicit deny all at the end of every ACL)
! 65.64.52.x is my external address that is one-to-one NATed to a private address hosting these services.

WAN Interface ACL config:

ip access-group 110 in

 
You forgot about DNS!!
permit DNS port tcp udp 53
 
Yeah, you're right, I forgot about it in my post, but I did try that. I also tried accessing a website via the IP, but still no luck; I think it might have something to do with NAT?
 
Umm, you need high ports allowed (1024+) to connect to external web servers.
Client connect outbound:1926 -> server:80
server:80 inbound -> client:1926
Unless your NAT is misconfigured, you should have no problem with this.
 
HI!

You'll have to allow the return traffic to pass through the router.
If an inside client tries to access a web server on the Internet, your ACL will block the return packets from the web server to the client.
You have some solutions for this:

* Use a dedicated firewall to filter traffic.
* Add IOS FireWall to your router.
* Add access-list lines for return traffic, using "establish" and/or defining source ports.

This last solution is the most problematic, because it can be difficult to define the return traffic and still protect the network. This is why you should rather implement a stateful firewall that inspects the traffic and allows specific return traffic based on outgoing packets.

Bye
Yizhar Hurwitz
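To make the return-traffic problem concrete, here is a toy evaluator (added as an illustration, not code from any poster) that applies IOS first-match ACL semantics, including the implicit deny and the "established" keyword, to the thread's inbound ACL. It assumes constructed addresses: 65.64.52.10 stands in for the poster's 65.64.52.x server, 65.64.52.20 is the NATed public address of an inside browsing client, and 198.51.100.5 and 203.0.113.53 are Internet hosts.

```python
# Toy model of a Cisco IOS numbered extended ACL applied "in" on the WAN interface.
# Constructed addresses: 65.64.52.10 stands in for the poster's 65.64.52.x server,
# 65.64.52.20 is the NATed public address of an inside browsing client.
from collections import namedtuple

# ack: TCP ACK or RST bit set, i.e. anything but the initial SYN of a connection
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=[False])

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    t = line.split()
    assert t[0] == "access-list" and t[2] in ("permit", "deny"), line
    i, e = 4, {"action": t[2], "proto": t[3]}
    for side in ("src", "dst"):
        if t[i] == "any":
            e[side], i = None, i + 1
        elif t[i] == "host":
            e[side], i = t[i + 1], i + 2
        else:
            raise ValueError("wildcard masks are not modelled: " + line)
        e[side + "port"] = None
        if i < len(t) and t[i] == "eq":
            e[side + "port"], i = int(t[i + 1]), i + 2
    e["established"] = "established" in t[i:]
    return e

def entry_matches(e, p):
    if e["proto"] not in ("ip", p.proto):
        return False
    if e["established"] and not (p.proto == "tcp" and p.ack):
        return False
    return all(want in (None, got) for want, got in
               ((e["src"], p.src), (e["srcport"], p.sport),
                (e["dst"], p.dst), (e["dstport"], p.dport)))

def evaluate(acl_lines, pkt):
    """First matching entry decides; no match at all is the implicit deny."""
    for e in map(parse_entry, acl_lines):
        if entry_matches(e, pkt):
            return e["action"]
    return "deny"

POSTER_ACL = ["access-list 110 permit tcp any host 65.64.52.10 eq 80",
              "access-list 110 permit tcp any host 65.64.52.10 eq 25"]
# Return-traffic entries: "established" matches only TCP with ACK/RST set, so an
# unsolicited SYN still hits the implicit deny. The UDP line is the source-port
# approach the last reply warns about: anything sent from port 53 gets through.
WITH_RETURN = POSTER_ACL + ["access-list 110 permit tcp any any established",
                            "access-list 110 permit udp any eq 53 any"]
```

Running evaluate() on a web server's reply to the client (source port 80, ACK set) shows the poster's ACL dropping it and the "established" line passing it, while the UDP line illustrates why source-port rules alone are a weak substitute for stateful inspection.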
 
OK guys, I will try these ideas, thanks a lot, both of you, for your help.
 