04-05-2009 05:23 AM - edited 03-04-2019 04:15 AM
Hello All,
I have the access-list below on my router. When I do not put the permit any any at the end of it on the inbound direction of my WAN interface, I cannot get internet service. Why is that? And if I put in a permit any any to get the internet working, does that leave me open to hackers on the internet?
access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
access-list 101 permit ip any any
04-05-2009 05:26 AM
Ike, baby!! How's Tina???
At the end of all access lists is an implicit "deny any any". You don't see it, but it's there.
To allow traffic that you have not specified in the other lines of the access-list, you would need the "permit ip any any" or, of course, just create more specific lines in the list.
HTH
Victor
04-05-2009 05:44 AM
I am still giving her lefts and rights.
This is my new access list. Please let me know if this one is ok.
access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
access-list 101 permit tcp any 10.100.1.0 0.0.0.255 established
04-05-2009 05:27 AM
Hello Charlie,
If the ACL is applied inbound on your WAN interface, to allow internet access you need a third line like
access-list 101 permit tcp any eq 80 10.100.1.0 0.0.0.255
This is because ACLs have an implicit deny any at the end.
Depending on the direction of traffic, you need to match on source TCP ports instead of destination ports as in your two lines.
Hope to help
Giuseppe
04-05-2009 05:31 AM
Thanks,
I understand now. However, now that I have applied the permit any any, does that mean any traffic that originates from the internet can access my internal local network?
04-05-2009 05:32 AM
Yes.
04-05-2009 05:37 AM
Is there any easy way for me to allow all other traffic as long as it is requested from the inside local network, and deny all traffic originating from the outside? I saw something about an established command but don't fully understand it.
This is what I have now.
access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
access-list 101 permit tcp any 10.100.1.0 0.0.0.255 established
04-05-2009 05:44 AM
The established keyword implies that the packet has its "syn ack" bit set and is therefore a response to TCP traffic originated inside the network.
But that doesn't really help too much, because a hacker could artificially create a "syn ack" packet and penetrate.
What you need is a firewall with stateful packet inspection capabilities, or perhaps a router with the firewall feature set.
Or you can use reflexive access lists, which are only available in certain IOS versions.
HTH
Victor
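To make the difference between the stateless "established" keyword and a stateful (reflexive-style) check concrete, here is an added toy model in Python. It is not from the thread or from Cisco IOS; the packet fields, the 4-tuple session table and all addresses are constructed for illustration, and access-list 101 is rendered as the three lines posted above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Pkt:  # one TCP segment, as seen inbound on the WAN interface (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN", "ACK"})

def is_established(p: Pkt) -> bool:
    # IOS "established" is stateless: it only checks that ACK or RST is set.
    return bool(p.flags & {"ACK", "RST"})

INSIDE = ip_network("10.100.1.0/24")
# access-list 101 from the thread, rendered as predicates, top to bottom
ACL_101 = [
    lambda p: p.dst == "10.100.1.12" and p.dport == 21,    # eq ftp
    lambda p: p.dst == "10.100.1.12" and p.dport == 3389,  # eq 3389
    lambda p: ip_address(p.dst) in INSIDE and is_established(p),
]

def acl_permits(acl, p: Pkt) -> bool:
    # First matching line wins; no match at all is the implicit "deny any any".
    return any(rule(p) for rule in acl)

class StatefulFilter:
    # Minimal reflexive-style model (assumed): an inbound segment passes only
    # if an inside host opened the matching session first.
    def __init__(self):
        self.sessions = set()
    def note_outbound(self, p: Pkt) -> None:
        self.sessions.add((p.src, p.sport, p.dst, p.dport))
    def inbound_permits(self, p: Pkt) -> bool:
        if acl_permits(ACL_101[:2], p):  # the two static server entries still apply
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.sessions

def demo() -> dict:
    fw = StatefulFilter()
    fw.note_outbound(Pkt("10.100.1.50", 51000, "198.51.100.10", 80, frozenset({"SYN"})))
    reply = Pkt("198.51.100.10", 80, "10.100.1.50", 51000, frozenset({"SYN", "ACK"}))
    unsolicited = Pkt("203.0.113.5", 40000, "10.100.1.50", 445, frozenset({"ACK"}))
    return {
        "reply_acl": acl_permits(ACL_101, reply),                  # True
        "reply_stateful": fw.inbound_permits(reply),               # True
        "unsolicited_acl": acl_permits(ACL_101, unsolicited),      # True, flag bit only
        "unsolicited_stateful": fw.inbound_permits(unsolicited),   # False, no session
    }
```

The last two results show the point made above: the ACL passes any inbound segment with the ACK bit set, while the session table passes only replies to connections the inside actually opened.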
04-05-2009 05:47 AM
I have a Cisco 2621XM with the Cisco Advanced IP Services feature set on it. Maybe I can use the autosecure and firewall features on it.
04-05-2009 05:54 AM
Read this link:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/fw7200.html
HTH
Rate all posts which you find helpful.
Victor
04-05-2009 05:55 AM
Ok. I think I need to do more research on the established command.