I have got a Cisco router which is port forwarding to an IIS server over the internet. I want to create an access-list to lock the Cisco router down further. I want to create the following:
1 - Users on the wireless LAN can access any website going to the outside world, but only on ports 80 and 443. So really I don't want anyone in the office to be able to go to file sharing websites over FTP etc.
2 - At present users from the outside world can hit the following website address www.captrax2.niwater.com and they are forwarded to the web server address 192.168.2.100. I want the access list to make sure that's all they can hit and no other devices on my wireless LAN.
I have attached the config of the Cisco router as it is today. I am hitting the web page OK so port forwarding is working.
I did try this access list but all it did was stop me hitting the web page, so I had to delete it again.
ip access-list extended OUTSIDE-IN
permit ip any 192.168.2.100 0.0.0.255 reflect TO_REFLECT
I applied the first ACL and I am still able to go out to the internet and also hit the internal web page 192.168.2.100 from outside.
ip access-list extended to_internet
permit tcp 192.168.2.0 0.0.0.255 any eq 80 log
permit tcp 192.168.2.0 0.0.0.255 any eq https log
permit udp 192.168.2.0 0.0.0.255 any eq 53 log
deny ip any any
I put in log to see what's going on as well. But when I applied the Dialer0 ACL below I can no longer go out to the internet, while I have another laptop on the same wireless router, and I also can't hit the web page from the outside.
ip access-list extended from_internet
permit tcp any host x.x.x.x eq http
permit tcp any host x.x.x.x eq https
I was talking to someone at work and he said to try an ACL with evaluate to reflect or dynamic. Not too sure what he means? Have you any other ideas for the ACL on Dialer 0 please?
"I applied the first ACL and I am still able to go out to the internet and also hit the internal web page 192.168.2.100 from outside." - does this mean it works the way it should? You should be able to get out to the internet on port 80/https etc. after applying the inbound ACL on VLAN 1, right? Were you able to do FTP after putting in the inbound ACL? What is the default gateway for your wireless users?
With regards to the Dialer 0 ACL, it would just allow access to the external NAT IPs on ports 80 and 443. You were previously talking about port forwarding etc. Where is that done? It could just be due to the fact that your return traffic might get dropped when it comes back from the server. Just to test, try removing the inbound ACL and just have the from_internet ACL, to test if it works.
With regards to reflexive ACLs, the fact is it creates dynamic access-list entries when you have traffic originated from outside. You can probably refer to the following URL to know more:
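As an added example (not part of the original thread, and not tested against the poster's config), this is one way to combine the port restriction, the port forward and a reflexive ACL so that return traffic for the users' own sessions is let back in. It assumes the usual 887-style layout from the posts: Vlan1 is ip nat inside, Dialer0 is ip nat outside, x.x.x.x is the public address, and the ACL name RETURN_TRAFFIC is made up here.

```ios
! Applied OUTBOUND on Dialer0. Outbound packets have already been NATed,
! so the reflected entries are built with the public address x.x.x.x and
! will match the replies arriving inbound on Dialer0 (checked before NAT).
ip access-list extended to_internet
 remark -- users: web and DNS only; reflect builds the return entries
 permit tcp any any eq 80 reflect RETURN_TRAFFIC timeout 300
 permit tcp any any eq 443 reflect RETURN_TRAFFIC timeout 300
 permit udp any any eq 53 reflect RETURN_TRAFFIC timeout 60
 remark -- replies from the forwarded web server leave with source port 80/443
 permit tcp host x.x.x.x eq 80 any
 permit tcp host x.x.x.x eq 443 any
 deny ip any any log
!
! Applied INBOUND on Dialer0. Only new connections to the forwarded
! ports are accepted; everything else must match a reflected entry.
ip access-list extended from_internet
 permit tcp any host x.x.x.x eq 80
 permit tcp any host x.x.x.x eq 443
 evaluate RETURN_TRAFFIC
 deny ip any any log
!
interface Dialer0
 ip access-group from_internet in
 ip access-group to_internet out
```

The deny entries are logged so that blocked FTP or other non-web traffic from the LAN shows up in the router log; check them with show ip access-lists, which also lists the dynamic RETURN_TRAFFIC entries while sessions are open.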