Cisco Support Community
New Member

access-list advice

Hi All,

I'm fairly new to the Cisco IOS and would like some advice.

I have a Cisco 806 used for a small business. I would like to set up an access-list that would allow all traffic from my internal network out (and replies to this traffic), but any traffic originating from the outside to be processed against an ACL.

My problem is that when I define an ACL it processes my traffic correctly from the outside but will not let any of my clients out.

I am applying this ACL to my External Interface with:

ip access-group 111 in

here is the list:

access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 5000
access-list 111 permit tcp any any eq 5001
access-list 111 permit tcp any any eq 8080
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 deny ip any any

Any advice would be appreciated!

Thanks!

2 REPLIES
Cisco Employee

Re: access-list advice

By putting the "eq www" or "eq ftp", etc on the end of the access-list line, you're saying that this is the DESTINATION port. This, as you've seen, will work fine for traffic originating from the outside. However, if someone on the inside browses to a www/ftp/smtp/whatever server on the outside, when their traffic returns, the SOURCE port will be the one that defines the protocol type. The DESTINATION port will be some random number that the originating PC used.

For TCP traffic, you're better off doing this:

access-list 111 permit tcp any any established

which says allow any TCP packet in that is part of an established session, allowing your packets originating from the inside to come back in. Unfortunately you can't do this with UDP cause there's no session per se, but it looks like TCP is the protocol you're primarily concerned with.

An even better way to do this, although it'll cost you, is to purchase the FW feature set for your router, then configure CBAC (http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_2.htm), that'll be much more secure.
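As an added example (not from the thread or from Cisco), a small Python model of how an inbound extended ACL evaluates TCP packets. It shows why the return traffic from an inside browser is denied by the original list and permitted once an `established` entry is added; the port numbers and packets are constructed, and only the TCP entries are modelled.

```python
# Added example: a minimal model of IOS extended-ACL matching for TCP, used to
# show the destination-port problem described above and the effect of "established".
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src_port: int
    dst_port: int
    ack: bool  # True when the ACK (or RST) flag is set, i.e. not a new SYN

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    dst_eq: Optional[int] = None     # trailing "eq <port>" matches the DESTINATION port
    established: bool = False        # "established" keyword: requires ACK/RST set

    def matches(self, pkt: Packet) -> bool:
        if self.dst_eq is not None and pkt.dst_port != self.dst_eq:
            return False
        if self.established and not pkt.ack:
            return False
        return True

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; IOS implicitly denies when nothing matches."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"

# The poster's list reduced to its TCP entries (telnet=23, smtp=25, ftp=21, www=80).
ORIGINAL = [Entry("permit", dst_eq=p) for p in (22, 23, 25, 21, 80, 5000, 5001, 8080)]
ORIGINAL.append(Entry("deny"))

# The reply's suggestion placed ahead of the inbound service entries.
WITH_ESTABLISHED = [Entry("permit", established=True)] + ORIGINAL

# Constructed packets as seen inbound on the external interface.
RETURN_FROM_WEB = Packet(src_port=80, dst_port=51234, ack=True)    # reply to an inside browser
OUTSIDE_TO_SSH = Packet(src_port=40000, dst_port=22, ack=False)    # new connection from outside
OUTSIDE_PROBE = Packet(src_port=40000, dst_port=51234, ack=False)  # new connection to a high port

if __name__ == "__main__":
    # Note: "established" only inspects TCP flags, it keeps no session state;
    # that is the limitation the reply addresses by recommending CBAC instead.
    for name, acl in (("original", ORIGINAL), ("with established", WITH_ESTABLISHED)):
        print(name, [evaluate(acl, p) for p in (RETURN_FROM_WEB, OUTSIDE_TO_SSH, OUTSIDE_PROBE)])
```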

Cisco Employee

Re: access-list advice

Hi,

As you have said you are new to IOS, why don't you use the Cisco Router Web Setup tool, a built-in tool available in the C806 for configuring your router?

For more info go to,

http://www.cisco.com/warp/public/cc/pd/nemnsw/rtwbto20/

Please let me know if you have any discrepancies in accessing the tool.

Thanks,

Ravikumar
