I have a Cisco router which is port forwarding to an IIS server over the internet. I want to create an access list to lock the Cisco router down further. I want to create the following:
1 - Users on the wireless LAN can access any website in the outside world, but only on ports 80 and 443. So really I don't want anyone in the office to be able to go to file-sharing websites over FTP etc.
2 - At present users from the outside world can hit the following website address www.captrax2.niwater.com and they are forwarded to the web server address 192.168.2.100. I want the access list to make sure that's all they can hit and no other devices on my wireless LAN.
I have attached the config of the Cisco router as it is today. I am hitting the web page OK, so port forwarding is working.
I did try this access list, but all it did was stop me hitting the web page, so I had to delete it again.
ip access-list extended OUTSIDE-IN
permit ip any 192.168.2.100 0.0.0.255 reflect TO_REFLECT
ip access-list extended OUTSIDE-OUT
permit tcp host x.x.x.x any eq www reflect TO_REFLECT timeout 180
permit tcp host x.x.x.x any eq 443 reflect TO_REFLECT timeout 180
permit tcp host x.x.x.x any eq domain reflect TO_REFLECT timeout 180
permit udp host x.x.x.x any eq domain reflect TO_REFLECT timeout 180
permit icmp host x.x.x.x any reflect TO_REFLECT
Any advice welcome.
You can configure ACLs as given below:
ip access-list extended to_internet
permit tcp 192.168.2.0 0.0.0.255 any eq 80
permit tcp 192.168.2.0 0.0.0.255 any eq https
permit udp 192.168.2.0 0.0.0.255 any eq 53
deny ip any any (implicit)
Apply this on VLAN 1 in the "inbound" direction.
Try this first, and I'll draft the inbound ACL (from the internet) in a few minutes.
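To check what these entries actually match before applying them, here is a small evaluator for extended ACL lines in the form used in this thread (an added example, not from the thread or from Cisco). It reproduces Cisco wildcard-mask matching and the implicit deny, and carries a constructed WAN-inbound ACL for the forwarded web server that assumes the router's public address is 203.0.113.10, a stand-in for the x.x.x.x above.

```python
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ftp": 21}

# Answerer's outbound ACL, applied inbound on VLAN 1 (the wireless LAN side).
TO_INTERNET = """
permit tcp 192.168.2.0 0.0.0.255 any eq 80
permit tcp 192.168.2.0 0.0.0.255 any eq https
permit udp 192.168.2.0 0.0.0.255 any eq 53
"""

# Constructed WAN-inbound ACL (an assumption, not from the thread). IOS checks an
# inbound ACL before NAT, so it must name the router's public address
# (203.0.113.10 is a constructed stand-in for the page's x.x.x.x), not 192.168.2.100.
OUTSIDE_IN = """
permit tcp any host 203.0.113.10 eq 80
permit tcp any host 203.0.113.10 eq 443
"""

# The poster's first OUTSIDE-IN line, kept to show what its wildcard really matches.
POSTER_LINE = "permit ip any 192.168.2.100 0.0.0.255"

def _match_addr(tokens, ip):
    """Consume one address spec (any | host A | A WILDCARD) and test ip against it."""
    tok = tokens.pop(0)
    if tok == "any":
        return True
    if tok == "host":
        return ip == tokens.pop(0)
    base = int(ipaddress.IPv4Address(tok))
    care = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF  # wildcard 1 = don't care
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def _match_port(tokens, port):
    """Optional 'eq PORT' after the destination; names resolve via PORT_NAMES."""
    if not tokens or tokens[0] != "eq":
        return True
    name = tokens[1]
    return port == PORT_NAMES.get(name, int(name) if name.isdigit() else -1)

def evaluate(acl_text, proto, src, dst, dport):
    """First matching entry wins; no match means the implicit deny at the end."""
    for line in acl_text.strip().splitlines():
        action, line_proto, *tokens = line.split()
        if line_proto not in (proto, "ip"):
            continue
        if _match_addr(tokens, src) and _match_addr(tokens, dst) and _match_port(tokens, dport):
            return action
    return "deny"
```

The to_internet ACL alone does not let the LAN clients' own web replies back in on the WAN side; the WAN-inbound ACL still needs a reflexive entry (evaluate) or the established keyword for those sessions.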