08-21-2008 02:59 AM - edited 02-20-2020 09:40 PM
We want internal hosts that are accessing the Internet to have return traffic from the Internet. We want to have a secure access list inbound. We do not want any/all traffic coming from the Internet. We want only websites that respond to an internal host back into the network. We want to allow access from outside only if that access has been requested from inside, only the response for that request. We want to restrict traffic initiated from the outside to only VPN, SSH and email. The following caused Internet access to slow down and websites did not fully load. Any assistance would be appreciated.
Thanks.
Said
access-list 150 permit tcp any host <firewall outside IP>
access-list 150 permit tcp any host <Exchange server translated public IP> eq www
access-list 150 permit tcp any host <Exchange server translated public IP> eq smtp
access-list 150 permit tcp any host <Exchange server translated public IP> eq 22
access-list 150 permit tcp any host <Exchange server translated public IP> eq pop3
access-list 150 permit tcp any any eq telnet
access-list 150 permit icmp any any
access-list 150 permit udp any eq domain any
access-list 150 permit udp any any eq domain
access-list 150 permit esp any any
access-list 150 permit gre any any
access-list 150 permit udp any any eq non500-isakmp
access-list 150 permit udp any any eq isakmp
access-list 150 permit tcp any any established
access-list 150 deny ip any any log
interface MFR0.724
 ip access-group 150 in
08-21-2008 11:32 AM
Have you considered using CBAC?
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
I like CBAC better. CBAC builds intelligence into the traffic analysis. CBAC should make your connection more secure.
Reflex documentation
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html
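Added example (not from the thread and not the original poster's configuration): a CBAC version of the inbound policy the question describes, written with the same placeholders for the firewall outside IP and the Exchange server's translated public IP. It assumes the IPsec VPN terminates on the router's outside address, that SMTP and SSH on the Exchange address are the only services the outside may initiate to, that no GRE tunnel is in use, and that the inspection rule is applied outbound on the same MFR0.724 subinterface. Return traffic for sessions started from inside is admitted through entries CBAC creates per session, so the `established` keyword is not needed; `established` only checks that the ACK or RST bit is set, which any crafted packet can satisfy, whereas CBAC only admits packets that match a session it has actually seen leave.

```cisco
! Inspection rule: track TCP, UDP and ICMP sessions that leave through the
! outside interface and open the matching return entries in the inbound ACL
! automatically for as long as each session is alive.
ip inspect name OUTSIDE-INSPECT tcp
ip inspect name OUTSIDE-INSPECT udp
ip inspect name OUTSIDE-INSPECT icmp
!
! Inbound policy: only what the outside is allowed to initiate. Return traffic
! for inside-initiated sessions (web, DNS, mail the server sends, and so on)
! needs no line here; CBAC adds a temporary entry per session.
ip access-list extended OUTSIDE-IN
 remark --- IPsec VPN terminating on the router (assumed) ---
 permit udp any host <firewall outside IP> eq isakmp
 permit udp any host <firewall outside IP> eq non500-isakmp
 permit esp any host <firewall outside IP>
 remark --- services published on the Exchange server's public address ---
 permit tcp any host <Exchange server translated public IP> eq smtp
 permit tcp any host <Exchange server translated public IP> eq 22
 remark --- ICMP errors needed for path MTU discovery and traceroute, plus
 remark --- echo replies to pings the router itself sends (not inspected)
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 remark --- everything else is dropped ---
 deny ip any any log
!
interface MFR0.724
 ip access-group OUTSIDE-IN in
 ip inspect OUTSIDE-INSPECT out
```

Once this is in place, `show ip inspect sessions` lists the tracked sessions and `show ip access-lists OUTSIDE-IN` shows the dynamic permit entries CBAC has inserted ahead of the static lines. The inspection can equally be applied as `ip inspect OUTSIDE-INSPECT in` on the inside interface instead of outbound on the outside one; pick one placement, not both. If a GRE-over-IPsec tunnel is in use, add a `permit gre` line restricted to the tunnel peer and the router's outside address rather than `any any`. Finally, `log` on the final deny makes the router process every dropped packet for logging; on a link that sees a lot of unsolicited traffic, test whether removing it or logging only a narrower deny restores throughput.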
08-28-2008 06:01 PM
I will second that suggestion to use CBAC over reflexive ACLs. CBAC is very easy to configure and does a great job of dynamically adjusting your router's security policy as required.
-Mike