
Allowing port 80 is not enough?

Status
Not open for further replies.

nadeep

IS-IT--Management
Apr 15, 2002
Is allowing port 80 not enough to browse?

Router Cisco 805

I have added the following to "S0 incoming" but it does not allow me to browse. My intention in the first place is to allow only browsing from this machine. But if I remove port 80 it allows it, implying that port 80 is not enough? Please help.


access-list 110 permit tcp any host 203.94.69.220 eq 80
access-list 110 permit tcp any host 203.94.69.220 eq 443
access-list 110 deny ip any host 203.94.69.220
access-list 110 permit ip any any
 
If this is an inbound access-list then all you are doing is allowing http (and https) requests into your machine as if you are running a web server. When you connect from the inside to a web server on the outside then you connect to the remote server on port 80, but your source port will be a dynamic IP above port 1023 (tcp). So, when the web server replies it will reply to your IP address on the port number that the request came on, i.e. tcp >1023, not port 80! So, your access list needs to permit all tcp traffic above port 1023, as you won't know what your source port will be, as it will change for every tcp session.

You might also need to allow UDP >1023 in as well. You'll be doing DNS requests via UDP 53 so the reply will come back on a UDP port above 1023.

Finally, on the last line add "log" to the end, i.e.

access-list 100 deny ip any any log

Then, to view the logs ...

collossus#conf t
Enter configuration commands, one per line. End with CNTL/Z.
collossus(config)#logging buffered 5000
collossus(config)#^Z
collossus#sh logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: level debugging, 495834 messages logged

etc .....

If it still doesn't work then you can view the logs and see what's being denied.

Good luck.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
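To make the point about return traffic concrete, here is an added Python model of how the router evaluates the two lists (example code written for this page, not from the thread or from Cisco). It parses the asker's original entries and a version that follows the advice above, then runs a constructed web-server reply (TCP to an ephemeral port) and a constructed DNS reply (UDP to an ephemeral port) through each. The "fixed" list, the sample packets and the ports 49152/49153 are assumptions; only destination-side matching with a source of "any" is modelled.

```python
from collections import namedtuple

HOST = "203.94.69.220"  # inside host from the thread

# The asker's list: only packets *to* port 80/443 on the host are permitted.
ORIGINAL_ACL = f"""
access-list 110 permit tcp any host {HOST} eq 80
access-list 110 permit tcp any host {HOST} eq 443
access-list 110 deny ip any host {HOST}
access-list 110 permit ip any any
"""

# Assumed list following the reply's advice: permit TCP/UDP replies to ports above 1023.
FIXED_ACL = f"""
access-list 110 permit tcp any host {HOST} gt 1023
access-list 110 permit udp any host {HOST} gt 1023
access-list 110 deny ip any host {HOST} log
access-list 110 permit ip any any
"""

# Inbound packet on S0: protocol, destination IP, destination port.
Packet = namedtuple("Packet", "proto dst dport")
# One ACL entry: action, protocol, destination ("any" or host IP), port range.
Rule = namedtuple("Rule", "action proto dst lo hi")

def parse_acl(text: str) -> list:
    """Parse the numbered-ACL subset used in the thread:
    access-list N permit|deny ip|tcp|udp any any|host IP [eq|gt PORT] [log]"""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[5:]  # tok[4] is the source "any"
        dst, rest = (rest[1], rest[2:]) if rest[0] == "host" else ("any", rest[1:])
        lo, hi = 0, 65535                              # no port keyword: any port
        if rest[:1] == ["eq"]:
            lo = hi = int(rest[1])
        elif rest[:1] == ["gt"]:
            lo = int(rest[1]) + 1
        rules.append(Rule(action, proto, dst, lo, hi))
    return rules

def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)
            and (r.dst == "any" or r.dst == p.dst)
            and r.lo <= p.dport <= r.hi)

def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; anything unmatched hits Cisco's implicit deny."""
    return next((r.action for r in acl if matches(r, p)), "deny")
```

Running `evaluate(parse_acl(ORIGINAL_ACL), Packet("tcp", HOST, 49152))` gives "deny" (the web server's reply is dropped by the third line), while the same packet against `FIXED_ACL` gives "permit"; an unsolicited request to port 80 on the host is permitted by the original list and denied by the fixed one.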