
cisco IOS acls - knock the dust off


wowhead
Feb 27, 2007
It's been a long time... I just need help with some basic ACL setup. I've managed to set up a one-to-one NAT in order to pass some FTP from the outside. My issue though is creating an ACL set that will pass FTP, allow all traffic back in that originated from the inside, and deny everything else.

 
access-list 101 permit tcp any host x.x.x.x eq 21
access-list 101 permit ip any any established

Apply this to the outside interface (inbound)...

ip access-group 101 in

Burt
 
IOS didn't like "established". I'm running 12.3 on my 3745.
 
It works for us. Try this instead.

access-list 101 permit tcp any any established
                       ^^^

We apply it to our inside interface. This could just be a semantic interpretation. It's applied to the interface that
our internal network uses, namely FastEthernet0/0. Our outside interface is Serial0/0/0.

Hope this helps,
- Joel
 
Makes sense, since "established" could be slotted into a "controlled" transmission.

;)

worked, applying...
 
So what happens to the rest of the IP traffic and UDP running this config? Some sites are having issues now.
 
Yeah---meant tcp and not ip...sorry.
All other traffic will be denied, like you wanted.

Burt
 
I misread and applied the suggested changes to the "outside" interface, but I've since taken it out because some websites weren't working after the change (i.e. Hotmail/Yahoo mail). In addition, I'm reluctant to apply this to the inside interface because I've got VoIP traffic coming through the inside interface from a remote site and I don't want to affect that.

So I guess I need to re-explain what it is I need?

1) I need to allow FTP to a new machine from outside in. This was pretty straight forward and I know what to do for this.
2) I need to allow all traffic back in that has originated from our LAN (all TCP, IP, and UDP traffic). This is where I'm hung up currently.
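The "established" keyword only matches TCP segments with the ACK or RST bit set, so it can never let return UDP (or other IP) traffic back in. The IOS feature built for point 2 is a reflexive ACL, which records each outbound session and opens only the matching return flow. The config below is an added example, not from anyone in this thread; the interface name Serial0/0 and the public address x.x.x.x are placeholders, and the outside interface is assumed to be the one the ACLs are applied to.

```cisco
! Added example (not from the thread): reflexive ACLs instead of "established",
! so UDP and ICMP return traffic is matched as well as TCP.
! Serial0/0 and x.x.x.x are placeholders; adjust to your router.
ip reflexive-list timeout 120
!
ip access-list extended OUTBOUND
 ! Record every session leaving through the outside interface
 permit tcp any any reflect RETURN-TRAFFIC
 permit udp any any reflect RETURN-TRAFFIC
 permit icmp any any reflect RETURN-TRAFFIC
 ! Anything else is still allowed out, but no return entry is created for it
 permit ip any any
!
ip access-list extended INBOUND
 ! Inbound FTP control channel to the one-to-one NATed server (public address)
 permit tcp any host x.x.x.x eq 21
 ! Admit only the return half of sessions recorded by the reflect lines above
 evaluate RETURN-TRAFFIC
 ! Explicit deny with logging so blocked traffic shows up in the log
 deny ip any any log
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Note that a passive-mode FTP client opens a second inbound connection to a high port the server hands out, which neither the port 21 line nor the reflexive entries will match; that case needs either an explicit permit for the server's passive port range or stateful FTP inspection (CBAC's `ip inspect name ... ftp`) on the outside interface.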
 