03-28-2015 08:13 PM - edited 03-11-2019 10:42 PM
Hey all. I'm having a little trouble making an ACL (or two) for a sample situation. So here is the topology:
And here is my ACL:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 192.168.40.14 eq www
access-list 101 permit tcp any host 192.168.40.14 eq 443
access-list 101 permit udp any host 192.168.40.10 eq domain
access-list 101 permit tcp any host 192.168.40.12 eq pop3
access-list 101 permit tcp any host 192.168.40.12 eq smtp
access-list 101 permit tcp any host 192.168.40.100 eq ftp
!
interface FastEthernet0/1
 ip access-group 101 in
Now this ACL is successful in protecting against traffic coming from external sources. However, I could use some advice on allowing internet (HTTP, HTTPS, DNS) from internal hosts. I've been trying for a while and just can't quite nail it down. All help is greatly appreciated!
P.S. - Please no suggestions on Zone-Based firewalls. Those are definitely preferred, but I need this for a specific instance!
03-29-2015 04:37 AM
I assume Fa0/1 is the external interface of the 2811?
And you say that you don't want ZBF. Do you mean by that that you don't want a firewall feature at all? This scenario really should be configured with a firewall. And if you don't want to use ZBF because of its complexity, there is still CBAC:
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW ftp
ip inspect name FW icmp router-traffic
!
interface FastEthernet0/1
 ip inspect FW out
 ip inspect FW in
If you really don't want a firewall-feature, you have to allow the return-traffic in your ACL 101. For HTTP-traffic, it would be
access-list 101 permit tcp any eq 80 any established
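The answer above gives one line for HTTP return traffic. The following is an added example (not part of the original answer) that carries the same idea through for all three services the question asks about, HTTP, HTTPS and DNS, in two forms: the stateless `established` approach extended from ACL 101, and a reflexive-ACL version that is stateful without needing CBAC or ZBF. It assumes Fa0/1 is the outside interface, the inside LAN is 192.168.40.0/24 (the range the posted hosts sit in), and the IOS image supports named extended ACLs; the ACL names OUTBOUND, INBOUND and RETURN are made up for the example.

```cisco
! Added example, not the original answer's configuration.
! Assumptions: Fa0/1 is outside, inside LAN is 192.168.40.0/24, named extended
! ACLs are available (needed for reflexive ACLs in Option B).
!
! --- Option A: stateless return-traffic rules, extending ACL 101 from the post ---
! "established" matches any TCP segment with ACK or RST set. It never checks that
! an inside host actually opened the session, so an outside scanner sending ACK
! packets sourced from port 80 passes this line to every inside host.
access-list 101 permit tcp any eq 80 192.168.40.0 0.0.0.255 established
access-list 101 permit tcp any eq 443 192.168.40.0 0.0.0.255 established
! UDP has no flags to key on, so DNS replies can only be matched on ports.
! Narrow "any" to the resolver(s) the inside hosts really use where possible.
access-list 101 permit udp any eq 53 192.168.40.0 0.0.0.255 gt 1023
!
! --- Option B: reflexive ACLs, stateful without CBAC or ZBF ---
! Each "reflect" hit on the way out creates a temporary mirrored entry in RETURN;
! "evaluate" on the way in matches only those entries, so unsolicited ACK or
! source-port-53 packets are dropped. Entries expire after the timeout (seconds).
ip access-list extended OUTBOUND
 permit tcp 192.168.40.0 0.0.0.255 any eq 80 reflect RETURN timeout 300
 permit tcp 192.168.40.0 0.0.0.255 any eq 443 reflect RETURN timeout 300
 permit udp 192.168.40.0 0.0.0.255 any eq 53 reflect RETURN timeout 30
 remark Keep this last: replies from the published servers to sessions that
 remark arrived through INBOUND also leave via Fa0/1 and must not hit the
 remark implicit deny. Traffic matched only here gets no RETURN entry, so its
 remark replies are blocked by INBOUND unless a reflect line is added for it.
 permit ip 192.168.40.0 0.0.0.255 any
!
ip access-list extended INBOUND
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any host 192.168.40.14 eq www
 permit tcp any host 192.168.40.14 eq 443
 permit udp any host 192.168.40.10 eq domain
 permit tcp any host 192.168.40.12 eq pop3
 permit tcp any host 192.168.40.12 eq smtp
 permit tcp any host 192.168.40.100 eq ftp
 remark Inside-initiated sessions come back only through the mirrored entries
 evaluate RETURN
!
interface FastEthernet0/1
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Pick one option, not both, for the outside interface. With Option B you can watch the mirrored entries appear and age out with `show ip access-lists RETURN` while an inside host has a browser session open; with Option A there is nothing to show, which is exactly the difference between the two: `established` is a per-packet flag check, a reflexive ACL is per-session state, and only the latter stops an outside host that simply sets ACK or sources from port 53.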
03-28-2015 08:15 PM
If more information about the topology is required, I will happily update it!
03-29-2015 07:33 AM
Both of your answers are awesome. The second one is more in line with what I was looking for. In the scenario I'm trying to teach, the hardware that was in use could not support ZBF, or most firewalling features just yet, and this is a handy alternative in case that appears again. Really appreciate it!