Cisco Support Community
Access-list configuration ??

Hi all,

I have just built a small private network, which consists of a couple of Windows 2000 servers, Windows 2000 Professional servers, and a Cisco 2514 series serving as router and simple firewall with access-list settings. I intend to make the rules as follows:

- All computers in my private network can use web, FTP, Mail services (opening ports HTTP 80, 20, 21, 25)

- Prevent the Internet from accessing the private network, except opening port SMTP 25 only, for transferring messages between my network and the outside world.

I have thought much about how to permit one direction of data (allow my network to use HTTP, FTP) but deny the other direction from the Internet to my network. I don't know how to write code for that.

And besides, I have been told that it's simpler if we use the parameter "ACK" (a flag of connection initiation).

If anyone knows about this issue, please give sample codes for two cases:

1 - Access-list code for above rules without "ACK" bit

2 - Access-list code for the rules with "ACK" bit

and your comments (I mean your comparison between the two above methods).

Thanks very much for your help.

Tuong Vo Dai


Re: Access-list configuration ??

Apply the access-list inbound on your external (internet) interface.

1. access-list 101 permit tcp any eq 80 x.x.x.x gt 1026 (where x.x.x.x is your IP)

access-list 101 permit tcp any eq 21 x.x.x.x gt 1026

access-list 101 permit tcp any host x.x.x.y eq 25

This is because you will start the connection with a random port >1026 to port 80, and they will reply to you with a source port of 80 but an unknown destination (i.e. it's random, >1026). But you don't want to do this as it allows people to start the connection inbound to you. Very bad.

2. access-list 101 permit tcp any x.x.x.x established

access-list 101 permit tcp any eq 20 x.x.x.x (allow active ftp)

access-list 101 permit tcp any host x.x.x.y eq 25

This only allows connections with the ACK bit set to enter your network. This means someone is replying to your connection. It prevents users from starting a connection into your network. Much better than the above ACL, but not perfect, as someone can still get to your network if they alter packets to have the ACK bit set, even though you didn't start a connection. But still better than the above ACL.

Another option, if you have the IOS firewall feature set, is CBAC. CBAC checks packets to make sure they haven't been tampered with and only allows packets that were initiated from your internal network back in. Very effective and recommended.

Hope it helps.
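As an added illustration (not part of the reply above, and not IOS code), this Python model evaluates the two rule sets from the reply against constructed sample packets arriving inbound on the internet interface, so you can see which packets each one permits and where the "established" check still falls short. The inside range, the mail host and all sample addresses and ports are assumed values.

```python
# Added example: a model of the two ACLs from the reply, applied to inbound
# packets on the external interface. All addresses and ports are constructed.
from dataclasses import dataclass

INSIDE_NET = "203.0.113."      # constructed stand-in for the "x.x.x.x" network
MAIL_HOST = "203.0.113.25"     # constructed stand-in for the "x.x.x.y" SMTP host

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool   # ACK (or RST) flag set, which is what "established" tests

def inside(addr: str) -> bool:
    return addr.startswith(INSIDE_NET)

def acl_no_ack(p: Packet) -> bool:
    """Option 1: port-based rules only, no 'established' keyword."""
    if p.sport in (80, 21) and inside(p.dst) and p.dport > 1026:
        return True
    return p.dst == MAIL_HOST and p.dport == 25

def acl_established(p: Packet) -> bool:
    """Option 2: 'established', plus active-FTP data and inbound SMTP."""
    if inside(p.dst) and p.ack:
        return True
    if p.sport == 20 and inside(p.dst):
        return True
    return p.dst == MAIL_HOST and p.dport == 25

def compare(packets):
    """Return (option1_permits, option2_permits) for each packet, in order."""
    return [(acl_no_ack(p), acl_established(p)) for p in packets]

SAMPLES = [  # constructed inbound traffic
    # reply from a web server to a connection an inside host opened
    Packet("198.51.100.10", 80, "203.0.113.5", 40000, ack=True),
    # new connection attempt to a high port with source port set to 80
    Packet("198.51.100.99", 80, "203.0.113.5", 40000, ack=False),
    # new SMTP connection to the mail host (wanted under both options)
    Packet("198.51.100.7", 4321, MAIL_HOST, 25, ack=False),
    # ACK flag set but no inside-initiated connection: the gap CBAC closes
    Packet("198.51.100.99", 1234, "203.0.113.5", 445, ack=True),
]

if __name__ == "__main__":
    for p, (r1, r2) in zip(SAMPLES, compare(SAMPLES)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} ack={p.ack}: "
              f"opt1={'permit' if r1 else 'deny'} opt2={'permit' if r2 else 'deny'}")
```

The second sample is permitted only by option 1, which is the inbound-connection problem the reply warns about; the fourth is permitted by option 2, which is why the reply recommends the stateful CBAC inspection over a bare "established" match.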