01-27-2010 01:08 PM - edited 03-06-2019 09:28 AM
Hello,
I have got a Cisco router which is port forwarding to an IIS server over the internet. I want to create an access-list to lock the Cisco router down further. I want to create the following:
1 - Users on the wireless LAN can access any website going to the outside world but only on ports 80 and 443. So really I don't want anyone in the office to be able to go to file sharing websites over FTP etc.
2 - At present users from the outside world can hit the following website address www.captrax2.niwater.com and they are forwarded to the webserver address 192.168.2.100. I want the access list to make sure that's all they can hit and no other devices on my wireless LAN.
I have attached the config of the Cisco router as it is today. I am hitting the web page OK so port forwarding is working.
I did try this access list but all it did was stop me hitting the webpage so I had to delete it again.
ip access-list extended OUTSIDE-IN
evaluate TO_REFLECT
permit ip any 192.168.2.100 0.0.0.255 reflect TO_REFLECT
ip access-list extended OUTSIDE-OUT
permit tcp host x.x.x.x any eq www reflect TO_REFLECT timeout 180
permit tcp host x.x.x.x any eq 443 reflect TO_REFLECT timeout 180
permit tcp host x.x.x.x any eq domain reflect TO_REFLECT timeout 180
permit udp host x.x.x.x any eq domain reflect TO_REFLECT timeout 180
permit icmp host x.x.x.x any reflect TO_REFLECT
!
Any advice welcome
Kevin
01-27-2010 01:19 PM
Hi Kevin
You can configure ACLs as given below
ip access-list extended to_internet
permit tcp 192.168.2.0 0.0.0.255 any eq 80
permit tcp 192.168.2.0 0.0.0.255 any eq https
permit udp 192.168.2.0 0.0.0.255 any eq 53
deny ip any any (implicit)
Apply this on VLAN 1 in the "inbound" direction.
Try this first, and I'll draft the inbound ACL (from internet) in a few min.
Raj
01-27-2010 01:23 PM
On the outside interface, you can configure the following
ip access-list extended from_internet
permit tcp any host x.x.x.x eq http
permit tcp any host x.x.x.x eq https
where x.x.x.x is the NATed IP address representing the inside IP 192.168.2.100
Apply this on the outside interface (Dialer 0).
Test this and let us know.
Raj
01-28-2010 01:04 PM
Raj
I applied the first ACL and I am still able to go out to the internet and also hit the internal webpage 192.168.2.100 from outside.
ip access-list extended to_internet
permit tcp 192.168.2.0 0.0.0.255 any eq 80 log
permit tcp 192.168.2.0 0.0.0.255 any eq https log
permit udp 192.168.2.0 0.0.0.255 any eq 53 log
deny ip any any
I put in log to see what's going on as well. But when I applied the Dialer0 ACL below I can no longer go out to the internet while I have another laptop on the same wireless router and I also can't hit the webpage from the outside.
ip access-list extended from_internet
permit tcp any host x.x.x.x eq http
permit tcp any host x.x.x.x eq https
I was talking to someone in work and he said to try an ACL with evaluate to reflect or dynamic. Not too sure what he means? Have you any other ideas for the ACL on Dialer 0 please?
Thanks for the help so far. Much appreciated.
Kevin
01-28-2010 01:56 PM
Hi Kevin
"I applied the first ACL and I am still able to go out to the internet and also hit the internal webpage 192.168.2.100 from outside." - does this mean it works the way it should? You should be able to get out to the internet on port 80/https etc. after applying the inbound ACL on VLAN 1, right? Were you able to do FTP after putting in the inbound ACL? What is the default gateway for your wireless users?
With regards to the Dialer 0 ACL, it would just allow access to the external NAT IPs on ports 80 and 443. You were previously talking about port forwarding etc. Where is that done? It could just be due to the fact that your return traffic might get dropped when it comes back from the server. Just to test, try removing the inbound ACL and just have the from_internet ACL to test if it works good.
With regards to reflexive ACLs, the fact is it creates dynamic access-list entries when you have traffic originated from outside. You can probably refer to the following URL to know more:
http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sclock.html
Raj
02-03-2010 02:23 PM
Raj,
I have been working on this with a colleague in work and we think we have finally got it correct with an ACL using the evaluate command:
evaluate WWWOUT
evaluate HTTPSOUT
evaluate DNSUDP
evaluate DNSTCP
interface Dialer0
description $FW_OUTSIDE$
ip address xx.xx.xx.xx
ip access-group d0_in in
ip access-group d0_out out
I have attached the latest config and also a sh ip nat translations just in case you have any comments or advice.
Kind regards for your help,
Kevin
PS if it's working OK I think I'll quit when I'm ahead.
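For readers arriving at this thread later, here is one complete IOS configuration that ties together Raj's two ACLs and the evaluate/reflect approach Kevin ended up with. It is an added example written for this page, not Kevin's attached config or Cisco's own documentation, and it assumes: the LAN is 192.168.2.0/24 on interface Vlan1, the public address on Dialer0 is x.x.x.x (placeholder), and ports 80 and 443 on x.x.x.x are port-forwarded to 192.168.2.100 by a static NAT entry that already exists. The reflexive ACL names (WWWOUT, HTTPSOUT, DNSUDP, DNSTCP) are the ones from Kevin's post; ICMPOUT and the timeouts are assumptions.

```cisco
! Added example, not the original poster's config.
! Requirement 1: LAN users may only start web and DNS sessions.
! Applied inbound on Vlan1, so it sees the real 192.168.2.x sources.
ip access-list extended to_internet
 remark --- allow the router to hand out DHCP leases (assumption: router is DHCP server)
 permit udp any eq bootpc any eq bootps
 permit tcp 192.168.2.0 0.0.0.255 any eq www
 permit tcp 192.168.2.0 0.0.0.255 any eq 443
 permit udp 192.168.2.0 0.0.0.255 any eq domain
 permit tcp 192.168.2.0 0.0.0.255 any eq domain
 permit icmp 192.168.2.0 0.0.0.255 any
 remark --- everything else (FTP, file sharing, ...) is dropped and logged
 deny   ip any any log
!
! Outbound on Dialer0 the packets have already been NATed, so match on "any"
! rather than 192.168.2.x. "reflect" records each session in the named
! reflexive list so the matching return traffic can be let back in.
ip access-list extended d0_out
 permit tcp any any eq www    reflect WWWOUT   timeout 300
 permit tcp any any eq 443    reflect HTTPSOUT timeout 300
 permit udp any any eq domain reflect DNSUDP   timeout 60
 permit tcp any any eq domain reflect DNSTCP   timeout 60
 permit icmp any any          reflect ICMPOUT  timeout 60
 deny   ip any any log
!
! Requirement 2: from the internet only the published web server is reachable.
! Inbound on Dialer0 the ACL is checked before NAT, so match the public
! address x.x.x.x, not 192.168.2.100. The "evaluate" lines admit return
! traffic for sessions the LAN opened; without them a stateless
! "permit tcp any host x.x.x.x eq www" drops replies, because those replies
! carry source port 80 and a high destination port. Order matters: the
! evaluate entries are processed at the position where they appear.
ip access-list extended d0_in
 permit tcp any host x.x.x.x eq www
 permit tcp any host x.x.x.x eq 443
 evaluate WWWOUT
 evaluate HTTPSOUT
 evaluate DNSUDP
 evaluate DNSTCP
 evaluate ICMPOUT
 deny   ip any any log
!
interface Vlan1
 ip access-group to_internet in
!
interface Dialer0
 description $FW_OUTSIDE$
 ip access-group d0_in in
 ip access-group d0_out out
```

To check it is doing what you expect, browse from a LAN host and then run show ip access-lists WWWOUT: the dynamic entries (public address, high port, remote server port 80) should appear and age out after the timeout. show ip access-lists d0_in will show the hit counts on the two permit lines for the web server versus the final deny, and the log keyword on the deny lines shows exactly which traffic is being dropped, which is usually faster than guessing.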