Trying to set up Access-List that only permits Ports 21 (FTP), 25 (SMTP), 80 (HTTP), 110 (POP3), and 3389 (MS-Terminal Server). Will want packets for all other ports to be denied by default. However, this config denies web browsing. I assumed that Permit on Port 80 would allow these packets. Which Port should I be using?
When your internal clients go out over the Internet to an HTTP server, they choose a random source TCP port and use the destination port of 80, so when the return traffic comes back to the host from the web server on the Internet, the web server uses a source port of 80 and a destination port equal to that random TCP port your internal host chose. Since you are blocking access to that random port, communication fails. The solution is to configure your access-list entry with the "established" keyword:
access-list 110 permit tcp any any established
This will allow all TCP return traffic that was initiated from inside your network.
Are you applying the access list to inbound or outbound traffic, or do you have access lists for both? On a serial interface, or on the LAN interface?
Is this to permit access from the Internet to FTP, SMTP/POP3, HTTP, and MS-TermServ servers on your network? Or are you trying to permit users on your network to only access those kinds of servers out on the Internet?
Without more information, I can only guess that your access list is somehow denying the web clients, whose port numbers are generally >1023. Possibly the order in which the IP addresses, masks, and port numbers are specified in the ACL is reversed with regard to which direction the traffic is being filtered across the interface. May also be an issue with using the "established" parameter.
Any chance you can post the ACLs and interface configurations in question, substituting some dummy numbers for any public IP addresses?
The interface is to our ISP. On the Serial Interface (a WIC 1T) I set the following:
ip access-group 100 in
When I attach this access list to the serial interface, I can no longer connect to our external mail server, or connect to web sites. The permit for terminal server clients (Port 3389) does work, however.
It seems like your computers can't do DNS resolution, which will keep them from resolving a URL to an IP address. DNS requests are probably going out, but your access-list is not permitting the replies to come back in.
Standard DNS name-to-IP-address resolution uses UDP port 53 on the server; Cisco IOS will show it as "domain". Depending on whether your network's computers utilize an in-house DNS server, or DNS servers at your ISP, add one or the other of these lines to your inbound access list:
If all your computers use an in-house DNS server, then
access-list 100 permit udp any eq 53 host YourDNSserver'sIPaddress
If your computers act as clients to your ISP's DNS servers, then
access-list 100 permit udp any eq 53 any
This will allow your computers to query DNS to resolve a Web site's URL or the external mail server's name to an IP address.
A useful trick to see if anything else is being inadvertently blocked by your access list, is to make explicit the implicit "deny all" at the end of the list, and log the denials. Put this at the very end of your access-list:
access-list 100 deny ip any any log
This will deny all TCP, UDP, and ICMP activity inbound that you have not already permitted in previous access-list commands, and log it for you to review. You can log to the router's console, or to a syslog server. Check to see if something else you need is being denied.
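Added example, not from any poster in this thread: a small first-match model of an inbound extended ACL that shows why permits keyed only on destination ports 21/25/80/110/3389 drop the web server's and DNS server's replies, and why the "established" entry and a UDP source-port-53 permit from the answers above let them back in. The port numbers and ACK flags are constructed sample traffic; the matching logic is a simplification (source/destination port and the TCP ACK/RST bit only) assumed for illustration.

```python
# Added example: simplified first-match evaluation of a Cisco-style inbound
# extended ACL. Only protocol, ports and the TCP ACK/RST bit are modelled.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    ack: bool = False   # TCP ACK or RST bit set: true for reply traffic

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip"
    src_eq: Optional[int] = None    # "eq N" after the source address
    dst_eq: Optional[int] = None    # "eq N" after the destination address
    established: bool = False       # the "established" keyword (ACK/RST set)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src_eq is not None and p.src_port != self.src_eq:
            return False
        if self.dst_eq is not None and p.dst_port != self.dst_eq:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; the implicit 'deny ip any any' ends the list."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"

# The poster's approach: inbound permits keyed on the service ports only.
ORIGINAL_ACL = [Entry("permit", "tcp", dst_eq=p) for p in (21, 25, 80, 110, 3389)]

# The thread's fixes: "established" for TCP replies, UDP source port 53 for DNS answers.
FIXED_ACL = [Entry("permit", "tcp", established=True),
             Entry("permit", "udp", src_eq=53)] + ORIGINAL_ACL

# Constructed inbound traffic: a web server's reply, a DNS reply, and an
# inbound Terminal Server connection (the one permit the poster saw working).
WEB_REPLY = Packet("tcp", src_port=80, dst_port=49152, ack=True)
DNS_REPLY = Packet("udp", src_port=53, dst_port=49153)
RDP_INBOUND = Packet("tcp", src_port=50000, dst_port=3389)
```

Running evaluate() over these packets shows the web and DNS replies denied by ORIGINAL_ACL and permitted by FIXED_ACL, while the inbound 3389 connection is permitted by both.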