03-29-2011 07:04 AM - edited 03-11-2019 01:14 PM
Hi,
I would like to replace my firewall by using ACL on my Cisco 881 for testing.
Could it be possible?
Configuration:
access-list n° permit ip host distant_site_public_IP host my_public_IP
access-list n° permit tcp any host my_public_IP eq port
This configuration works fine for SSH, for example.
I can't allow the "web pages" flow!
When I put: access-list n° permit tcp any host my_public_IP eq www
It doesn't work.
With Wireshark, I've seen that random ports are used to set up the "http connection".
How could I resolve it keeping the best security configuration?
I place my ACL on WAN port.
Maybe I have to place it on LAN or create other ACL lists to complete the configuration?
Thanks for your answers.
03-29-2011 07:48 AM
Hi Sebastien,
If I understand correctly, you are trying to permit replies from web sites on the WAN interface.
The access-list would look something like:
access-list n° permit tcp any eq www host my_public_IP
access-list n° permit tcp any eq https host my_public_IP
Provided that all internal hosts are being PATed to my_public_IP.
Alternately, you also have the option of configuring an IOS firewall (CBAC or ZBF) on routers, which will allow replies to outgoing connections.
Configuration guides:
CBAC: http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html
ZBF: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
I hope this helps.
-Shrikant
PS: Kindly mark the post answered if your question is answered, and kindly rate helpful posts. Thanks.
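One way to keep the ACL-only approach the question asks for while still only admitting replies to sessions that were opened from inside is a reflexive ACL. The configuration below is an added example, not part of the original post or of Cisco's documentation; the interface name (FastEthernet4 as the WAN port of an 881), the ACL names, the addresses (RFC 5737 documentation ranges) and the timeouts are assumptions to be replaced with the real values. The reflexive entries record the client's ephemeral source port, which is exactly the "random port" seen in Wireshark, so the return packet is matched on that port rather than on any port from source 80.

```cisco
! Added example (not from the original post): reflexive ACLs on the WAN
! interface of a Cisco 881. Interface name, ACL names, addresses and
! timeouts are assumptions.
!
! Outbound on the WAN port: every TCP/UDP/ICMP flow leaving the router
! creates a temporary mirrored entry in REFLECT-OUT (addresses AND ports
! swapped, so the ephemeral client port is matched exactly). The entry
! expires after the timeout, or at once when a TCP session is closed.
ip access-list extended ACL-WAN-OUT
 permit tcp any any reflect REFLECT-OUT timeout 300
 permit udp any any reflect REFLECT-OUT timeout 60
 permit icmp any any reflect REFLECT-OUT timeout 30
!
! Inbound on the WAN port: the static permits from the question first,
! then the reflexive entries, then an explicit logged deny.
ip access-list extended ACL-WAN-IN
 remark site-to-site peer (assumed addresses: peer 203.0.113.10, WAN 198.51.100.1)
 permit ip host 203.0.113.10 host 198.51.100.1
 remark management SSH to the router itself
 permit tcp any host 198.51.100.1 eq 22
 remark replies to sessions opened from inside (web, DNS, etc.)
 evaluate REFLECT-OUT
 remark everything else, including unsolicited packets from source port 80
 deny ip any any log
!
interface FastEthernet4
 description WAN (assumed to be the 881 WAN port)
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 ip access-group ACL-WAN-IN in
 ip access-group ACL-WAN-OUT out
```

Because the outbound ACL is evaluated after NAT and the inbound ACL before NAT, the mirrored entry is built with my_public_IP and matches the return packet as it arrives, so this works with the PAT setup mentioned above. Two caveats: an outbound interface ACL does not see traffic the router itself generates (DNS, NTP, the crypto peer), so replies to those need explicit permits in ACL-WAN-IN; and a reflexive ACL only tracks addresses and ports, not TCP state or application content, which is why CBAC or ZBF remains the better choice when the goal is to actually replace the firewall rather than test an ACL.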
03-29-2011 08:31 AM
Thanks a lot for your answer.
I will try it and mark the post answered if it works.