The problem is not with the webserver. The webserver is responding just the way it should: using tcp 80 as the source port and the client's port as the destination port. The problem is with the way you have configured and applied the access-list. Usually, in order to protect your internal LAN, you apply a restrictive access-list on the outside interface in the inbound direction. That way you can allow access to port 80 for your webserver but deny access to all other internal hosts.
My recommendation is to only have a non-spoofing access-list on your inside interface and have a more restrictive access-list on the outside interface. An example is:
ip access-list extended inside
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.101.0 0.0.0.255 any
deny ip any any log
ip access-list extended outside
permit tcp any 192.168.100.0 0.0.0.255 established
permit tcp any 192.168.101.0 0.0.0.255 established
permit udp any eq domain 192.168.100.0 0.0.0.255
permit udp any eq domain 192.168.101.0 0.0.0.255
permit tcp any host 212.110.x.y eq www
permit tcp any host 212.110.x.y eq ssh
This ACL might break some applications, so you have to do some fine-tuning after applying it inbound on Dialer0. You can put a deny ip any any log statement at the end of the outside ACL to see if legitimate traffic is being denied and, if it is, then add the respective entry in the ACL.
If you want to stick with your ACL then you do not have much choice but to add a statement of this sort:
access-list 101 permit tcp host 192.168.100.253 eq www any
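As an added illustration that is not part of the thread, the following Python snippet encodes the inside and outside lists above as a first-match evaluator and runs constructed packets through them, so you can see why the webserver's replies (source port 80) never need an entry on Dialer0 while an unsolicited SYN to a LAN host still falls through to the implicit deny. It assumes the placeholder 203.0.113.10 for the public address 212.110.x.y, and models IOS `established` as matching any TCP segment with ACK or RST set.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Pkt:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP flags; IOS 'established' matches ACK or RST set
    rst: bool = False

def in_net(ip: str, net: str) -> bool:
    # ipaddress accepts IOS-style wildcard (host) masks such as 0.0.0.255
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

WEB = "203.0.113.10/32"  # placeholder for the thread's 212.110.x.y
# Entry layout: (action, proto, src, sport, dst, dport, established)
OUTSIDE_IN = [  # applied inbound on Dialer0
    ("permit", "tcp", "any", None, "192.168.100.0/0.0.0.255", None, True),
    ("permit", "tcp", "any", None, "192.168.101.0/0.0.0.255", None, True),
    ("permit", "udp", "any", 53, "192.168.100.0/0.0.0.255", None, False),
    ("permit", "udp", "any", 53, "192.168.101.0/0.0.0.255", None, False),
    ("permit", "tcp", "any", None, WEB, 80, False),
    ("permit", "tcp", "any", None, WEB, 22, False),
]
INSIDE_IN = [  # anti-spoofing list applied inbound on the LAN interface
    ("permit", "ip", "192.168.100.0/0.0.0.255", None, "any", None, False),
    ("permit", "ip", "192.168.101.0/0.0.0.255", None, "any", None, False),
    ("deny", "ip", "any", None, "any", None, False),
]

def evaluate(acl, p: Pkt) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, proto, src, sport, dst, dport, est in acl:
        if proto != "ip" and proto != p.proto:
            continue
        if not (in_net(p.src, src) and in_net(p.dst, dst)):
            continue
        if sport is not None and p.sport != sport:
            continue
        if dport is not None and p.dport != dport:
            continue
        if est and not (p.ack or p.rst):
            continue
        return action
    return "deny"
```

Appending a `deny ip any any log` entry to OUTSIDE_IN changes nothing in the decisions, but on the router it is what makes the fall-through cases visible in the log.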
Normally I manage PIX IOS, so in a router environment I don't have much familiarity, but opening all outbound connections on eth0 and permitting tcp established incoming on dialer 0... couldn't it be dangerous?
I agree about my very restrictive ACL, and as you can see, port 80 is free to run, but it seems to need other ports in order to answer the client's request.
Well you can make your inside ACL restrictive by letting your inside users access only services they are supposed to access; I am not against doing that as long as you have a policy stating what is and what is not allowed.
For the outside ACL there is not much you can do other than permitting all access to port 80 of your webserver. The normal security practice is to put such machines in a DMZ in order to limit the impact of a security incident. If you have the option of enabling the IOS FW service on your router, I would recommend that, as it will make a lot of things easier.