Cisco Support Community
New Member

access-list

Hello All,

I have the access-list below on my router. When I do not put the permit any any at the end of it, on the inbound direction of my WAN interface, I cannot get internet service. Why is that? And if I put a permit any any to get the internet working, does that leave me open to hackers on the internet?

access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
access-list 101 permit ip any any

10 REPLIES
Blue

Re: access-list

Ike, baby!! How's Tina???

At the end of all access lists is an implicit "deny any any". You don't see it, but it's there.

To allow traffic that you have not specified in the other lines of the access-list, you would need the "permit ip any any" or, of course, just create more specific lines in the list.

HTH

Victor

New Member

Re: access-list

I am still giving her lefts and rights.

This is my new access list. Please let me know if this one is ok.

access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
access-list 101 permit tcp any 10.100.1.0 0.0.0.255 established

Hall of Fame Super Silver

Re: access-list

Hello Charlie,

If the ACL is applied inbound on your WAN interface, then to allow internet access you need a third line like

access-list 101 permit tcp any eq 80 10.100.1.0 0.0.0.255

This is because ACLs have an implicit deny any at the end.

Depending on the direction of traffic you need to match on source TCP ports instead of destination ports, as in your two lines.

Hope to help

Giuseppe

New Member

Re: access-list

Thanks,

I understand now. However, now that I have applied the permit any any, does that mean any traffic that originates from the internet can access my internal local network?

Blue

Re: access-list

Yes.

New Member

Re: access-list

Is there any easy way for me to allow all other traffic as long as it is requested from the inside local network and deny all traffic originating from the outside? I saw something about an established command but don't fully understand it.

This is what I have now.

access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
access-list 101 permit tcp any 10.100.1.0 0.0.0.255 established

Blue

Re: access-list

The established keyword implies that the packet has its "syn ack" bit set and is therefore a response to TCP traffic originated inside the network.

But that doesn't really help too much because a hacker could artificially create a "syn ack" packet and penetrate.

What you need is a firewall with stateful packet inspection capabilities, or perhaps a router with the firewall feature set.

Or you can use reflexive access lists, which are only available in certain IOS versions.

HTH

Victor
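To make the two points raised in this thread concrete (the implicit deny that Giuseppe's third line works around, and the limits of the established keyword that Victor describes), here is a small Python evaluator for IOS-style extended ACL lines. It is an added example, not code from the thread or from Cisco. The ACL lines are the ones posted above; the packets, the inside host 10.100.1.50 and the outside addresses (203.0.113.x, a documentation range) are constructed for the demonstration. IOS matches the established keyword when a TCP segment has the ACK or RST bit set, so the evaluator does the same: a genuine SYN/ACK reply from a web server passes, but so does any outside-originated segment that simply has ACK set, because a stateless ACL has no record of whether an inside host ever opened that connection.

```python
"""Toy evaluator for Cisco IOS-style numbered extended ACLs (constructed example)."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "www": 80, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}


def _ip(addr):
    return int(ipaddress.ip_address(addr))


def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (match_fn, tokens_consumed)."""
    if tokens[0] == "any":
        return (lambda ip: True), 1
    if tokens[0] == "host":
        target = _ip(tokens[1])
        return (lambda ip: _ip(ip) == target), 2
    net, wild = _ip(tokens[0]), _ip(tokens[1])
    mask = 0xFFFFFFFF ^ wild        # wildcard bits set to 1 are "don't care"
    return (lambda ip: (_ip(ip) & mask) == (net & mask)), 2


def parse_port_spec(tokens):
    """Consume an optional 'eq PORT'; return (match_fn, tokens_consumed)."""
    if tokens and tokens[0] == "eq":
        want = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return (lambda p: p == want), 2
    return (lambda p: True), 0


def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]' line."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src_fn, n = parse_addr(rest);       rest = rest[n:]
    sport_fn, n = parse_port_spec(rest); rest = rest[n:]
    dst_fn, n = parse_addr(rest);       rest = rest[n:]
    dport_fn, n = parse_port_spec(rest); rest = rest[n:]
    established = "established" in rest

    def matches(pkt):
        if proto != "ip" and pkt.proto != proto:
            return False
        if not (src_fn(pkt.src) and dst_fn(pkt.dst)):
            return False
        if proto in ("tcp", "udp") and not (sport_fn(pkt.sport) and dport_fn(pkt.dport)):
            return False
        # IOS 'established': ACK or RST bit set. No connection state is consulted.
        if established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True

    return action, matches


def evaluate(acl_text, pkt):
    """First matching line wins; an unmatched packet hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        action, matches = parse_ace(line)
        if matches(pkt):
            return action
    return "deny"


# ACLs as posted in the thread, applied inbound on the WAN interface.
ACL_TWO_LINES = """
access-list 101 permit tcp any host 10.100.1.12 eq ftp
access-list 101 permit tcp any host 10.100.1.12 eq 3389
"""
ACL_GIUSEPPE = ACL_TWO_LINES + "access-list 101 permit tcp any eq 80 10.100.1.0 0.0.0.255\n"
ACL_ESTABLISHED = ACL_TWO_LINES + "access-list 101 permit tcp any 10.100.1.0 0.0.0.255 established\n"

# Constructed inbound packets (outside addresses from the 203.0.113.0/24 documentation range).
WEB_REPLY = Packet("tcp", "203.0.113.10", "10.100.1.50", 80, 50000, frozenset({"SYN", "ACK"}))
DNS_REPLY = Packet("udp", "203.0.113.53", "10.100.1.50", 53, 40000)
RDP_TO_SERVER = Packet("tcp", "203.0.113.77", "10.100.1.12", 51234, 3389, frozenset({"SYN"}))
UNSOLICITED_SYN = Packet("tcp", "203.0.113.77", "10.100.1.50", 51234, 445, frozenset({"SYN"}))
UNSOLICITED_ACK = Packet("tcp", "203.0.113.77", "10.100.1.50", 51234, 445, frozenset({"ACK"}))


def run_demo():
    """Return the verdicts that illustrate the thread's points."""
    return {
        "two_lines/web_reply": evaluate(ACL_TWO_LINES, WEB_REPLY),        # implicit deny: no internet
        "two_lines/rdp_to_server": evaluate(ACL_TWO_LINES, RDP_TO_SERVER),
        "giuseppe/web_reply": evaluate(ACL_GIUSEPPE, WEB_REPLY),          # source port 80 now matched
        "giuseppe/dns_reply": evaluate(ACL_GIUSEPPE, DNS_REPLY),          # UDP still hits implicit deny
        "established/web_reply": evaluate(ACL_ESTABLISHED, WEB_REPLY),
        "established/unsolicited_syn": evaluate(ACL_ESTABLISHED, UNSOLICITED_SYN),
        "established/unsolicited_ack": evaluate(ACL_ESTABLISHED, UNSOLICITED_ACK),  # passes: stateless
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:32} {verdict}")
```

The last two verdicts are the reason for the stateful-inspection advice: the list cannot tell a reply segment from an unsolicited segment that merely carries the ACK bit, whereas a stateful firewall or a reflexive ACL only opens the return path after it has seen the inside host's outbound SYN.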

New Member

Re: access-list

I have a Cisco 2621XM with the Cisco advanceipservices on it. Maybe I can use the autosecure and firewall features on it.

Blue

Re: access-list

Read this link:

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/fw7200.html

HTH

Rate all posts which you find helpful.

Victor

New Member

Re: access-list

Ok. I think I need to do more research on the established command.
