reflexive/established access list

Unanswered Question
Aug 21st, 2008

We want internal hosts that are accessing the Internet to have return traffic from the Internet. We want to have a secure access list inbound. We do not want any/all traffic coming from the Internet. We want only websites that respond from an internal host back into the network. We want to allow access from outside only if that access has been requested from inside, only the response for that request. We want to restrict traffic initiated from the outside only to VPN, SSH and email. The following caused Internet access traffic to slow down, and websites did not fully load. Any assistance would be appreciated.

Thanks.

Said

access-list 150 permit tcp any host <firewall outside IP>
access-list 150 permit tcp any host <Exchange server translated public IP> eq www
access-list 150 permit tcp any host <Exchange server translated public IP> eq smtp
access-list 150 permit tcp any host <Exchange server translated public IP> eq 22
access-list 150 permit tcp any host <Exchange server translated public IP> eq pop3
access-list 150 permit tcp any any eq telnet
access-list 150 permit icmp any any
access-list 150 permit udp any eq domain any
access-list 150 permit udp any any eq domain
access-list 150 permit esp any any
access-list 150 permit gre any any
access-list 150 permit udp any any eq non500-isakmp
access-list 150 permit udp any any eq isakmp
access-list 150 permit tcp any any established
access-list 150 deny ip any any log

interface MFR0.724
router(config-if)#ip access-group 150 in

robertson.michael Thu, 08/28/2008 - 18:01

I will second that suggestion to use CBAC over reflexive ACLs. CBAC is very easy to configure and does a great job of dynamically adjusting your router's security policy as required.

-Mike
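For comparison with the `established` list in the question, here is what the same policy looks like as a reflexive ACL (an added example, not configuration from the original thread): only return traffic for sessions opened from inside is admitted, plus the outside-initiated VPN, SSH and mail services the post asks for. The interface name comes from the post; the ACL names OUTBOUND/INBOUND/MIRROR, the timeouts and the address 203.0.113.10 are assumed placeholders.

```cisco
! Added example. OUTBOUND/INBOUND/MIRROR and 203.0.113.10 are constructed
! placeholders, not values from the thread.
!
! Outbound list: each permitted outbound TCP/UDP/ICMP flow creates a
! temporary entry in the reflexive list MIRROR with addresses and ports
! swapped, which is what later lets the reply back in.
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR timeout 300
 permit udp any any reflect MIRROR timeout 60
 permit icmp any any reflect MIRROR timeout 30
 remark other outbound protocols (ESP, GRE) are allowed but not tracked
 permit ip any any
!
! Inbound list: static permits for services that may be initiated from the
! Internet, then the dynamic MIRROR entries, then an explicit logged deny.
ip access-list extended INBOUND
 remark OWA, SSH and mail to the translated Exchange address (placeholder)
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 22
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.10 eq pop3
 remark IPsec/GRE VPN: no ports, so it is permitted statically
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
 remark return traffic for sessions opened from inside
 evaluate MIRROR
 deny ip any any log
!
interface MFR0.724
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

The `established` keyword in the original list 150 only checks that the ACK or RST bit is set on a TCP segment and tracks nothing about the session, whereas `evaluate MIRROR` matches against per-session entries that expire on the configured timeouts or when the TCP session closes. Reflexive lists still cannot follow protocols that open secondary channels (active-mode FTP, for example), which is one reason the reply above recommends CBAC instead.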
