Will upgrade IOS in three months, but no financial resources now. Will implement true firewall at same time, but for the time being we need to filter traffic with the resources we have.
We have determined that we want to filter (drop) packets that are inbound from the Internet that do not provide support for ports 20, 21, 22, 25, 53, & 80, directed at specific hosts. Whether we apply the access list on the serial interface inbound or outbound we block outbound traffic from the internal network like http, dns, which is not the desired result. Of course the addresses below are just examples and not real. Please advise on how to overcome this issue? Do we have to apply rules for outbound to Internet communication too?
access-list 169 permit tcp any 18.104.22.168 0.0.0.255 eq 20
access-list 169 permit udp any 22.214.171.124 0.0.0.255 eq 20
access-list 169 permit tcp any 126.96.36.199 0.0.0.255 eq 21
access-list 169 permit udp any 188.8.131.52 0.0.0.255 eq 21
access-list 169 permit tcp any 184.108.40.206 0.0.0.255 eq 22
access-list 169 permit tcp any 220.127.116.11 0.0.0.255 eq 53
access-list 169 permit udp any 18.104.22.168 0.0.0.255 eq 53
access-list 169 permit tcp any 22.214.171.124 0.0.0.255 eq 80
access-list 169 deny icmp any any redirect
access-list 169 deny ip 127.0.0.0 0.255.255.255 any
access-list 169 deny ip 126.96.36.199 0.255.255.255 any
The first thing I would try is to add this command to your access list:
access-list 169 permit tcp any any established
But add it to the TOP of your access list, which means removing the whole thing and then pasting it back in with that command first.
Then apply your access list with "ip access-group 169 in"
The established means that any incoming packets with the ack bit set will be allowed inbound to your network. And they will only have the ack bit set if they are the reply to a request that originated from the inside. So if a pc from the inside sends a request packet out to the internet, the reply will be allowed back in.
This should do the trick; the only other item I have really seen is needing to open up the ports for POP3 and SMTP, that is about it... If that doesn't do it, we may need some specifics.
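The following is an added example, not code from the thread or from Cisco: a small Python model of how an IOS extended ACL is walked top-down with the implicit deny at the end. It parses the poster's ACL lines as given (obfuscated addresses included), builds the variant with "permit tcp any any established" on top, and runs a few constructed inbound packets through both, including one the reply to an inside browser and a UDP DNS reply, so the effect and the limit of the suggestion are visible. The packet addresses (203.0.113.x, 22.214.171.50) are constructed for the example.

```python
"""Added example: top-down IOS-style ACL evaluation with an implicit deny."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port for tcp/udp
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag
    icmp_type: str = ""   # e.g. "redirect"


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None
    established: bool = False
    icmp_type: str = ""


def _ip(a: str) -> int:
    return int.from_bytes(bytes(int(o) for o in a.split(".")), "big")


def wild_match(addr: str, base: str, wild: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    if base == "any":
        return True
    return (_ip(addr) | _ip(wild)) == (_ip(base) | _ip(wild))


def _addr(t: List[str], i: int):
    """Read 'any', 'host A' or 'A WILDCARD' starting at token i."""
    if t[i] == "any":
        return "any", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list N permit|deny proto src dst [eq P] [established]' line."""
    t = line.split()
    action, proto = t[2], t[3]
    src, src_wild, i = _addr(t, 4)
    dst, dst_wild, i = _addr(t, i)
    rule = Rule(action, proto, src, src_wild, dst, dst_wild)
    while i < len(t):
        if t[i] == "eq":
            rule.dport = int(t[i + 1]); i += 2
        elif t[i] == "established":
            rule.established = True; i += 1
        elif proto == "icmp":
            rule.icmp_type = t[i]; i += 1      # e.g. 'redirect'
        else:
            i += 1
    return rule


def matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (wild_match(p.src, r.src, r.src_wild) and wild_match(p.dst, r.dst, r.dst_wild)):
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    # 'established' is stateless: it only checks that ACK or RST is set on a TCP segment.
    if r.established and not (p.ack or p.rst):
        return False
    if r.icmp_type and p.icmp_type != r.icmp_type:
        return False
    return True


def evaluate(acl_lines: List[str], p: Packet) -> str:
    """First matching line wins; no match means the implicit deny."""
    for line in acl_lines:
        r = parse_rule(line)
        if matches(r, p):
            return r.action
    return "deny"


# The poster's ACL, exactly as given in the question (obfuscated addresses).
POSTER_ACL = [
    "access-list 169 permit tcp any 18.104.22.168 0.0.0.255 eq 20",
    "access-list 169 permit udp any 22.214.171.124 0.0.0.255 eq 20",
    "access-list 169 permit tcp any 126.96.36.199 0.0.0.255 eq 21",
    "access-list 169 permit udp any 188.8.131.52 0.0.0.255 eq 21",
    "access-list 169 permit tcp any 184.108.40.206 0.0.0.255 eq 22",
    "access-list 169 permit tcp any 220.127.116.11 0.0.0.255 eq 53",
    "access-list 169 permit udp any 18.104.22.168 0.0.0.255 eq 53",
    "access-list 169 permit tcp any 22.214.171.124 0.0.0.255 eq 80",
    "access-list 169 deny icmp any any redirect",
    "access-list 169 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 169 deny ip 126.96.36.199 0.255.255.255 any",
]
# The suggested fix: the established line goes at the TOP.
FIXED_ACL = ["access-list 169 permit tcp any any established"] + POSTER_ACL

# Constructed inbound packets (addresses made up for this example).
PACKETS = {
    "new_http_to_server":      Packet("tcp", "203.0.113.10", "22.214.171.50", 80),
    "new_rdp_to_server":       Packet("tcp", "203.0.113.10", "22.214.171.50", 3389),
    "reply_to_inside_browser": Packet("tcp", "203.0.113.10", "22.214.171.50", 50123, ack=True),
    "udp_dns_reply_to_inside": Packet("udp", "203.0.113.53", "22.214.171.50", 50124),
}


def run_demo():
    """Return {packet name: (verdict with poster's ACL, verdict with established on top)}."""
    return {n: (evaluate(POSTER_ACL, p), evaluate(FIXED_ACL, p)) for n, p in PACKETS.items()}


if __name__ == "__main__":
    for name, (before, after) in run_demo().items():
        print(f"{name:24s} original={before:7s} with_established={after}")
```

The model shows the reply to an inside browser going from deny to permit once the established line is first, while a new inbound connection to an unlisted port stays denied. It also shows the caveat: the DNS reply is denied in both runs, because `established` applies only to TCP, so UDP return traffic (DNS from inside resolvers, for instance) still needs its own explicit permit or a stateful feature. The flag check is also stateless, which is why the poster's planned real firewall is the right long-term answer.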