topic ACL issue & DOS attack in Network Security https://community.cisco.com/t5/network-security/acl-issue-dos-attack/m-p/1686691#M529635 <P>I have the specified configurations on my 2821 router</P><P></P><P>interface FastEthernet0/0</P><P> ip address 66.x.x.x 255.255.255.248</P><P>&nbsp; ip access-group INBOUND in</P><P>&nbsp; no ip redirects</P><P>&nbsp; ip nbar protocol-discovery</P><P>&nbsp; ip inspect fw out</P><P>&nbsp; speed 100</P><P>&nbsp; full-duplex</P><P>&nbsp; service-policy input FTP-QoS</P><P>&nbsp; service-policy output FTP-QoS</P><P></P><P><STRONG>Following is the fw desctiption applied on outbound direction.</STRONG></P><P></P><P>&nbsp; ip inspect name fw dns</P><P>&nbsp; ip inspect name fw tcp</P><P>&nbsp; ip inspect name fw udp</P><P>&nbsp; ip inspect name fw icmp</P><P>&nbsp; ip inspect name fw ftp</P><P>&nbsp; ip inspect name fw http</P><P>&nbsp; ip inspect name fw https</P><P>&nbsp; ip inspect name fw pop3</P><P>&nbsp; ip inspect name fw imap3</P><P>&nbsp; ip inspect name fw ntp</P><P>&nbsp; ip inspect name fw ftps</P><P>&nbsp; ip inspect name fw isakmp</P><P>&nbsp; ip inspect name fw ipsec-msft</P><P>&nbsp; ip inspect name fw l2tp</P><P></P><P><STRONG>Inbound ACL Description.</STRONG></P><P></P><P> Extended IP access list INBOUND</P><P>100 permit tcp any host 66.x.x.x eq 22 log (51 matches)</P><P> 110 permit tcp any 209.x.x.0 0.0.0.255 eq 10111 log (9089431 matches)</P><P> 120 permit tcp any 209.x.x.0 0.0.0.255 eq 10112 log</P><P> 130 permit tcp any 209.x.x.0 0.0.0.255 eq 10113 log (11781 matches)</P><P> 140 permit tcp any 209.x.x.0 0.0.0.255 eq 10311 log (800041 matches)</P><P> 150 permit tcp any 209.x.x.0 0.0.0.255 eq 10313 log (1423114 matches)</P><P> 160 permit tcp any 209.x.x.0 0.0.0.255 eq 10315 log</P><P>&nbsp; 170 permit tcp any 209.x.x.0 0.0.0.255 eq 10316 log</P><P>&nbsp; 180 permit tcp any 209.x.x.0 0.0.0.255 eq 10321 log (417 matches)</P><P> 1700 permit tcp any any established log (175963 matches)</P><P>&nbsp; 1710 permit icmp any any echo-reply log (1 match)</P><P>&nbsp;&nbsp; 1720 deny ip any any log (211516 matches)</P><P></P><P>I have recently attacked by a DOS attack in which source port was 80 , is there any issues with my configs . As according to the above configs port 80 isnt allowed in .</P><P></P><P>Can any one please confirm.</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 20:48:17 GMT imranraheel 2019-03-11T20:48:17Z ACL issue & DOS attack https://community.cisco.com/t5/network-security/acl-issue-dos-attack/m-p/1686691#M529635 <P>I have the specified configurations on my 2821 router</P><P></P><P>interface FastEthernet0/0</P><P> ip address 66.x.x.x 255.255.255.248</P><P>&nbsp; ip access-group INBOUND in</P><P>&nbsp; no ip redirects</P><P>&nbsp; ip nbar protocol-discovery</P><P>&nbsp; ip inspect fw out</P><P>&nbsp; speed 100</P><P>&nbsp; full-duplex</P><P>&nbsp; service-policy input FTP-QoS</P><P>&nbsp; service-policy output FTP-QoS</P><P></P><P><STRONG>Following is the fw desctiption applied on outbound direction.</STRONG></P><P></P><P>&nbsp; ip inspect name fw dns</P><P>&nbsp; ip inspect name fw tcp</P><P>&nbsp; ip inspect name fw udp</P><P>&nbsp; ip inspect name fw icmp</P><P>&nbsp; ip inspect name fw ftp</P><P>&nbsp; ip inspect name fw http</P><P>&nbsp; ip inspect name fw https</P><P>&nbsp; ip inspect name fw pop3</P><P>&nbsp; ip inspect name fw imap3</P><P>&nbsp; ip inspect name fw ntp</P><P>&nbsp; ip inspect name fw ftps</P><P>&nbsp; ip inspect name fw isakmp</P><P>&nbsp; ip inspect name fw ipsec-msft</P><P>&nbsp; ip inspect name fw l2tp</P><P></P><P><STRONG>Inbound ACL Description.</STRONG></P><P></P><P> Extended IP access list INBOUND</P><P>100 permit tcp any host 66.x.x.x eq 22 log (51 matches)</P><P> 110 permit tcp any 209.x.x.0 0.0.0.255 eq 10111 log (9089431 matches)</P><P> 120 permit tcp any 209.x.x.0 0.0.0.255 eq 10112 log</P><P> 130 permit tcp any 209.x.x.0 0.0.0.255 eq 10113 log (11781 matches)</P><P> 140 permit tcp any 209.x.x.0 0.0.0.255 eq 10311 log (800041 matches)</P><P> 150 permit tcp any 209.x.x.0 0.0.0.255 eq 10313 log (1423114 matches)</P><P> 160 permit tcp any 209.x.x.0 0.0.0.255 eq 10315 log</P><P>&nbsp; 170 permit tcp any 209.x.x.0 0.0.0.255 eq 10316 log</P><P>&nbsp; 180 permit tcp any 209.x.x.0 0.0.0.255 eq 10321 log (417 matches)</P><P> 1700 permit tcp any any established log (175963 matches)</P><P>&nbsp; 1710 permit icmp any any echo-reply log (1 match)</P><P>&nbsp;&nbsp; 1720 deny ip any any log (211516 matches)</P><P></P><P>I have recently attacked by a DOS attack in which source port was 80 , is there any issues with my configs . As according to the above configs port 80 isnt allowed in .</P><P></P><P>Can any one please confirm.</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 20:48:17 GMT https://community.cisco.com/t5/network-security/acl-issue-dos-attack/m-p/1686691#M529635 imranraheel 2019-03-11T20:48:17Z ACL issue & DOS attack https://community.cisco.com/t5/network-security/acl-issue-dos-attack/m-p/1686692#M529638 <HTML><HEAD></HEAD><BODY><P>Your FW is inspecting all outgoing http traffic so that return packets are allowed through the acl applied inbound on the interface. The return packets will have the source port of 80 so its possible that if there is man-in-the middle attacks somebody hijacks the initial connection going on destination port 80 and responds with source port of 80. </P></BODY></HTML> Thu, 23 Jun 2011 22:45:10 GMT https://community.cisco.com/t5/network-security/acl-issue-dos-attack/m-p/1686692#M529638 andhingr 2011-06-23T22:45:10Z