https://community.cisco.com/t5/network-security/acl-configuration/m-p/1618663#M558981 <HTML><HEAD></HEAD><BODY><P>Thanks a lot for your answer.</P><P></P><P>I will try it and mark the post answered if it works.</P></BODY></HTML> Tue, 29 Mar 2011 15:31:11 GMT genseb13011 2011-03-29T15:31:11Z https://community.cisco.com/t5/network-security/acl-configuration/m-p/1618661#M558976 <P>Hi,</P><P></P><P>I would like to replace my firewall by using ACL on my Cisco 881 for testing.</P><P></P><P>Could it be possible?</P><P></P><P><SPAN style="text-decoration: underline;">Configuration:</SPAN></P><P></P><P>access-list <EM>n°</EM> permit ip host <EM>distant_site_public_IP</EM> host <EM>my_public_IP</EM></P><P>access-list <EM>n°</EM> permit tcp any host <EM>my_public_IP </EM>eq <EM>port</EM></P><P></P><P>This configuration works fine for SSH in exemple.</P><P></P><P>I can't allow "web pages" flow!!!</P><P>When i put: access-list <EM>n°</EM> permit tcp any host <EM>my_public_IP </EM>eq <EM>www</EM></P><P>It does'nt work.</P><P></P><P>With Wireshark, I've seen that random ports are used to set the "http connexion".</P><P></P><P>How could I resolve it keeping the best security configuration?</P><P></P><P>I place my ACL on WAN port.</P><P>Maybe I have to place it on LAN or create others ACL list to complete the configuration? </P><P></P><P>thanks for your answers.</P> Mon, 11 Mar 2019 20:14:16 GMT https://community.cisco.com/t5/network-security/acl-configuration/m-p/1618661#M558976 genseb13011 2019-03-11T20:14:16Z https://community.cisco.com/t5/network-security/acl-configuration/m-p/1618662#M558979 <HTML><HEAD></HEAD><BODY><P>Hi Sebastien,</P><P></P><P>If I understand correctly, you are trying to permit replies from web sites on the WAN interface.</P><P></P><P>The access-list would look something like:</P><P>access-list <EM>n°</EM> permit tcp any eq www <EM>host my_public_IP</EM></P><P>access-list <EM>n°</EM> permit tcp any eq https <EM>host my_public_IP</EM></P><P></P><P>Provided that all internal hosts are being PAT to<EM> my_public_ip</EM></P><P></P><P>Alternately,&nbsp; you also have the option of configuring an IOS firewall (CBAC or ZBF)&nbsp; on routers, which will allow replies to outgoing connections.</P><P></P><P>Configuration guides:</P><P><SPAN>CBAC: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html">http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html</A></P><P><SPAN>ZBF: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml">http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml</A></P><P></P><P>I hope this helps.</P><P></P><P>-Shrikant</P><P></P><P><SPAN style="font-size: 8pt;">PS: Kindly mark the post answered if your question is answered, and kindly rate helpful posts. Thanks.<BR /> </SPAN></P></BODY></HTML> Tue, 29 Mar 2011 14:48:10 GMT https://community.cisco.com/t5/network-security/acl-configuration/m-p/1618662#M558979 Shrikant Sundaresh 2011-03-29T14:48:10Z https://community.cisco.com/t5/network-security/acl-configuration/m-p/1618663#M558981 <HTML><HEAD></HEAD><BODY><P>Thanks a lot for your answer.</P><P></P><P>I will try it and mark the post answered if it works.</P></BODY></HTML> Tue, 29 Mar 2011 15:31:11 GMT https://community.cisco.com/t5/network-security/acl-configuration/m-p/1618663#M558981 genseb13011 2011-03-29T15:31:11Z