access-list

Charlie Mayes
Level 1

Hello All,

I have the access-list below on my router. When I do not put the permit any any at the end of it on the inbound direction of my WAN interface, I cannot get internet service. Why is that? And if I put a permit any any in to get the internet working, does that leave me open to hackers on the internet?

access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
access-list 101 permit ip any any


lamav
Level 8

Ike, baby!! How's Tina???

At the end of all access lists is an implicit "deny any any". You don't see it, but it's there.

To allow traffic that you have not specified in the other lines of the access-list, you would need the "permit ip any any" or, of course, just create more specific lines in the list.

HTH

Victor

I am still giving her lefts and rights.

This is my new access list. Please let me know if this one is ok.

access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
access-list 101 permit tcp any 10.100.1.0 0.0.0.255 established

Giuseppe Larosa
Hall of Fame

Hello Charlie,

If the ACL is applied inbound on your WAN interface, to allow internet access you need a third line like

access-list 101 permit tcp any eq 80 10.100.1.0 0.0.0.255

This is because ACLs have an implicit deny any at the end.

Depending on the direction of traffic, you need to match on source TCP ports instead of destination ports, as in your two lines.

Hope to help

Giuseppe

Thanks,

I understand now. However, now that I have applied the permit any any, does that mean any traffic that originates from the internet can access my internal local network?

Yes.

Is there any easy way for me to allow all other traffic as long as it is requested from the inside local network and deny all traffic originating from the outside? I saw something about an established command but don't fully understand it.

This is what I have now.

access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
access-list 101 permit tcp any 10.100.1.0 0.0.0.255 established

The established keyword implies that the packet has its "syn ack" bit set and is therefore a response to TCP traffic originated inside the network.

But that doesn't really help too much because a hacker could artificially create a "syn ack" packet and penetrate.

What you need is a firewall with stateful packet inspection capabilities, or perhaps a router with the firewall feature set.

Or you can use reflexive access lists, which are only available in certain IOS versions.

HTH

Victor
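The following is an added example, not code from this thread or from Cisco: a small Python model of how an IOS extended ACL applied inbound on the WAN interface evaluates the lists posted above. It parses the exact `access-list 101` lines from the thread, applies the implicit deny, and treats `established` the way IOS does (the entry matches any TCP segment with the ACK or RST bit set, which is why a forged reply gets through), then contrasts that with a stateful check in the style of a reflexive ACL that only admits a segment mirroring a connection the inside opened first. NAT is ignored, wildcard masks are assumed contiguous, and the outside hosts 198.51.100.7 and 203.0.113.9, the inside client 10.100.1.50 and the port numbers in `demo()` are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# A packet as the inbound ACL on the WAN interface would see it (NAT is ignored here).
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[frozenset()])
# One access-list entry. sport/dport None means any port; "ip" as proto matches everything.
Ace = namedtuple("Ace", "action proto src sport dst dport established")
PORTS = {"ftp": 21, "www": 80}  # IOS accepts service names or numbers after "eq"


def matches(ace: Ace, p: Packet) -> bool:
    """Does this entry match the packet? 'established' is true for a segment with ACK or
    RST set, which is what IOS tests; it does not know whether a connection really exists."""
    return (
        ace.proto in ("ip", p.proto)
        and ipaddress.ip_address(p.src) in ace.src
        and ipaddress.ip_address(p.dst) in ace.dst
        and ace.sport in (None, p.sport)
        and ace.dport in (None, p.dport)
        and (not ace.established or bool(p.flags & {"ACK", "RST"}))
    )


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # Assumes a contiguous wildcard: the bitwise inverse of a subnet mask (0.0.0.255 -> /24).
    mask = ~int(ipaddress.ip_address(tok[i + 1])) & 0xFFFFFFFF
    return ipaddress.ip_network((tok[i], str(ipaddress.ip_address(mask))), strict=False), i + 2


def _port(tok, i):
    """Parse an optional 'eq <name|number>' starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORTS[name] if name in PORTS else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p] [established]"""
    tok = line.split()
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return Ace(tok[2], tok[3], src, sport, dst, dport, "established" in tok[i:])


def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if matches(ace, p):
            return ace.action
    return "deny"


class ReflexiveFilter:
    """Stateful check in the spirit of a reflexive ACL: an inbound segment is permitted
    only if it mirrors a connection that a host on the inside opened first."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, p: Packet) -> None:
        if "SYN" in p.flags:  # new connection leaving the LAN: remember its reverse 5-tuple
            self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))

    def inbound(self, p: Packet) -> str:
        return "permit" if (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions else "deny"


# The list as posted, first without "permit ip any any", then with the established line.
ACL_BASE = ["access-list 101 permit tcp any host 10.100.1.12 eq ftp",
            "access-list 101 permit tcp any host 10.100.1.12 eq 3389"]
ACL_ESTAB = ACL_BASE + ["access-list 101 permit tcp any 10.100.1.0 0.0.0.255 established"]


def demo() -> dict:
    """Inbound-on-WAN scenarios from the thread. The web server 198.51.100.7, attacker
    203.0.113.9 and inside client 10.100.1.50 are constructed for this example."""
    base = [parse_ace(line) for line in ACL_BASE]
    estab = [parse_ace(line) for line in ACL_ESTAB]
    syn_out = Packet("tcp", "10.100.1.50", 51000, "198.51.100.7", 80, frozenset({"SYN"}))
    reply = Packet("tcp", "198.51.100.7", 80, "10.100.1.50", 51000, frozenset({"SYN", "ACK"}))
    forged = Packet("tcp", "203.0.113.9", 80, "10.100.1.50", 445, frozenset({"SYN", "ACK"}))
    rdp = Packet("tcp", "203.0.113.9", 40000, "10.100.1.12", 3389, frozenset({"SYN"}))
    rf = ReflexiveFilter()
    rf.outbound(syn_out)  # the inside host's SYN went out before the reply came back
    return {
        "reply_without_permit_any": evaluate(base, reply),   # deny: implicit deny breaks browsing
        "reply_with_established": evaluate(estab, reply),    # permit
        "forged_with_established": evaluate(estab, forged),  # permit: ACK set, but nobody asked for it
        "rdp_to_server": evaluate(estab, rdp),               # permit: the intentionally exposed service
        "reply_reflexive": rf.inbound(reply),                # permit: mirrors the outbound SYN
        "forged_reflexive": rf.inbound(forged),              # deny: no matching outbound session
    }
```

Calling `demo()` shows the three situations the thread walks through: with only the two server entries the web reply is dropped by the implicit deny; adding the `established` entry lets the reply in but also lets in the attacker's forged SYN/ACK to port 445 on the same host; the stateful check admits the reply and drops the forgery because no inside host ever sent a SYN that it could be answering. The RDP and FTP entries still expose 10.100.1.12 to the whole internet in every variant, which is by design in the posted list but worth restricting to known source addresses if possible.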

I have a Cisco 2621XM with the Cisco advanceipservices on it. Maybe I can use the autosecure and firewall features on it.

Read this link:

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/fw7200.html

HTH

Rate all posts which you find helpful.

Victor

OK. I think I need to do more research on the established command.
