ACL configuration

genseb13011
Level 1

Hi,

I would like to replace my firewall by using ACL on my Cisco 881 for testing.

Could it be possible?

Configuration:

access-list permit ip host distant_site_public_IP host my_public_IP

access-list permit tcp any host my_public_IP eq port

This configuration works fine for SSH, for example.

I can't allow "web pages" flow!!!

When I put: access-list permit tcp any host my_public_IP eq www

It doesn't work.

With Wireshark, I've seen that random ports are used to set up the "http connection".

How could I resolve it keeping the best security configuration?

I place my ACL on WAN port.

Maybe I have to place it on LAN or create others ACL list to complete the configuration?

Thanks for your answers.

2 Replies

Shrikant Sundaresh
Cisco Employee

Hi Sebastien,

If I understand correctly, you are trying to permit replies from web sites on the WAN interface.

The access-list would look something like:

access-list permit tcp any eq www host my_public_IP

access-list permit tcp any eq https host my_public_IP

Provided that all internal hosts are being PATed to my_public_ip.

Alternately, you also have the option of configuring an IOS firewall (CBAC or ZBF) on routers, which will allow replies to outgoing connections.

Configuration guides:

CBAC: http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html

ZBF: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

I hope this helps.

-Shrikant

PS: Kindly mark the post answered if your question is answered, and kindly rate helpful posts. Thanks.
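To make the port-direction point in this thread concrete, here is a small added example (my own code, not Cisco's and not from either poster) that evaluates the two access-lists against constructed packets as an inbound WAN ACL would see them. It parses the `access-list ... permit <proto> <src> [eq port] <dst> [eq port]` subset used above, applies first-match semantics with the implicit deny, and then contrasts that stateless matching with a toy session table standing in for what CBAC/ZBF do. The IP addresses, ACL number 101 and the port numbers of the sample packets are all constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed stand-ins for the thread's placeholders (documentation ranges, not real hosts).
MY_PUBLIC_IP = "198.51.100.5"   # "my_public_IP" in the thread (the PAT address)
DISTANT_SITE = "203.0.113.10"   # "distant_site_public_IP" in the thread
WELL_KNOWN = {"www": 80, "https": 443, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry: action, protocol, source/destination, optional 'eq' ports."""
    action: str
    proto: str
    src: str              # "any" or "host <ip>"
    sport: Optional[int]  # None means any source port
    dst: str
    dport: Optional[int]  # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]' (any/host forms only)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    pos = 4  # tok[1] is the ACL number, tok[2] the action, tok[3] the protocol

    def take_addr() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return f"host {tok[pos - 1]}"
        raise ValueError(f"unsupported address form at: {' '.join(tok[pos:])}")

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            name = tok[pos + 1]
            pos += 2
            return int(name) if name.isdigit() else WELL_KNOWN[name]
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(tok[2], tok[3], src, sport, dst, dport)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(spec.split()[1]) == ip_address(addr)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_match(ace.src, pkt.src) and ace.sport in (None, pkt.sport)
            and _addr_match(ace.dst, pkt.dst) and ace.dport in (None, pkt.dport))


def evaluate(acl: list, pkt: Packet) -> str:
    """Stateless ACL: first matching entry wins; implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The asker's inbound WAN list: 'eq www' sits on the DESTINATION, i.e. traffic to a web server at my_public_IP.
ASKER_ACL = [parse_ace(l) for l in (
    f"access-list 101 permit ip host {DISTANT_SITE} host {MY_PUBLIC_IP}",
    f"access-list 101 permit tcp any host {MY_PUBLIC_IP} eq www",
)]
# The reply's version: 'eq www'/'eq https' on the SOURCE, i.e. web servers answering back to the PAT address.
REPLY_ACL = [parse_ace(l) for l in (
    f"access-list 101 permit ip host {DISTANT_SITE} host {MY_PUBLIC_IP}",
    f"access-list 101 permit tcp any eq www host {MY_PUBLIC_IP}",
    f"access-list 101 permit tcp any eq https host {MY_PUBLIC_IP}",
)]

# Constructed packets as seen inbound on the WAN interface (the "random ports" from Wireshark are the
# ephemeral client ports that PAT rewrote on the way out).
HTTP_REPLY = Packet("tcp", "192.0.2.80", 80, MY_PUBLIC_IP, 51234)
HTTPS_REPLY = Packet("tcp", "192.0.2.80", 443, MY_PUBLIC_IP, 51235)
# An unsolicited connection attempt that simply uses 80 as its source port.
UNSOLICITED = Packet("tcp", "192.0.2.66", 80, MY_PUBLIC_IP, 3389)


def stateful_permit(session_table: set, pkt: Packet) -> bool:
    """Toy stand-in for CBAC/ZBF: inbound is allowed only if it reverses a session opened from inside."""
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in session_table


# Sessions recorded when LAN hosts (after PAT) sent their requests out the WAN interface.
OUTBOUND_SESSIONS = {(MY_PUBLIC_IP, 51234, "192.0.2.80", 80), (MY_PUBLIC_IP, 51235, "192.0.2.80", 443)}

if __name__ == "__main__":
    for name, pkt in (("HTTP reply", HTTP_REPLY), ("HTTPS reply", HTTPS_REPLY), ("unsolicited", UNSOLICITED)):
        print(f"{name:12} asker ACL={evaluate(ASKER_ACL, pkt):6} reply ACL={evaluate(REPLY_ACL, pkt):6} "
              f"stateful={'permit' if stateful_permit(OUTBOUND_SESSIONS, pkt) else 'deny'}")
```

Running it shows why the asker's list drops the replies (the server answers from port 80 to an ephemeral port, so a destination-port 80 entry never matches) and why the reply's list lets them through. It also shows the trade-off behind the CBAC/ZBF suggestion: the stateless `permit tcp any eq www host my_public_IP` entry accepts any inbound packet that merely carries source port 80, whereas the session-table check only admits packets that answer a connection a LAN host actually opened.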

Thanks a lot for your answer.

I will try it and mark the post answered if it works.
