reflexive/established access list

saidfrh
Level 1

We want internal hosts that are accessing the Internet to get return traffic from the Internet. We want to have a secure access list inbound. We do not want any/all traffic coming from the Internet. We want only responses from websites to an internal host back into the network. We want to allow access from outside only if that access has been requested from inside, only the response for that request. We want to restrict traffic initiated from the outside to VPN, SSH and email only. The following caused Internet access to slow down and websites did not fully load. Any assistance would be appreciated.

Thanks.

Said

access-list 150 permit tcp any host <firewall outside IP>
access-list 150 permit tcp any host <Exchange server translated public IP> eq www
access-list 150 permit tcp any host <Exchange server translated public IP> eq smtp
access-list 150 permit tcp any host <Exchange server translated public IP> eq 22
access-list 150 permit tcp any host <Exchange server translated public IP> eq pop3
access-list 150 permit tcp any any eq telnet
access-list 150 permit icmp any any
access-list 150 permit udp any eq domain any
access-list 150 permit udp any any eq domain
access-list 150 permit esp any any
access-list 150 permit gre any any
access-list 150 permit udp any any eq non500-isakmp
access-list 150 permit udp any any eq isakmp
access-list 150 permit tcp any any established
access-list 150 deny ip any any log

interface MFR0.724
 ip access-group 150 in


rmeans
Level 3

Have you considered using CBAC?

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

I like CBAC better. CBAC builds intelligence into the traffic analysis. CBAC should make your connection more secure.

Reflex documentation

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html

I will second that suggestion to use CBAC over reflexive ACLs. CBAC is very easy to configure and does a great job of dynamically adjusting your router's security policy as required.

-Mike
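A minimal CBAC configuration of the kind both replies recommend, written here as an added example (it is not from the original thread or from Cisco's documents). It reuses the interface name and the placeholder addresses from the question and assumes MFR0.724 is the Internet-facing interface; the inspect name OUTSIDE-IN and the ACL name are arbitrary.

```cisco
! Added example, not from the thread: CBAC replacing the "established" line.
! Sessions leaving through the outside interface are tracked, and CBAC opens
! temporary inbound entries for their return traffic, UDP included, so no
! "permit udp any eq domain any" or "permit tcp any any established" is needed.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
! ICMP inspection (ip inspect name OUTBOUND icmp) exists on newer IOS releases
! and would replace the "permit icmp any any" line as well.
!
! The inbound ACL now lists only what may be initiated from the Internet:
! VPN to the router's outside address, SSH and e-mail to the Exchange address.
ip access-list extended OUTSIDE-IN
 remark IPsec/PPTP VPN terminating on the outside address
 permit udp any host <firewall outside IP> eq isakmp
 permit udp any host <firewall outside IP> eq non500-isakmp
 permit esp any host <firewall outside IP>
 permit gre any host <firewall outside IP>
 remark SSH, SMTP, POP3 and webmail on the published Exchange address
 permit tcp any host <Exchange server translated public IP> eq 22
 permit tcp any host <Exchange server translated public IP> eq smtp
 permit tcp any host <Exchange server translated public IP> eq pop3
 permit tcp any host <Exchange server translated public IP> eq www
 remark everything else, including telnet to any host, is dropped and logged
 deny ip any any log
!
interface MFR0.724
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
```

Because the "established" keyword only matches TCP segments with ACK or RST set, the original list had no way to admit return traffic for UDP other than DNS; CBAC's session table covers that case without widening the static permits.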
