A Little Help W/ an ACL

anthonyherbz
Level 1

Hey all. I'm having a little trouble making an ACL (or two) for a sample situation. So here is the topology: 

And here is my ACL:

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 192.168.40.14 eq www
access-list 101 permit tcp any host 192.168.40.14 eq 443
access-list 101 permit udp any host 192.168.40.10 eq domain
access-list 101 permit tcp any host 192.168.40.12 eq pop3
access-list 101 permit tcp any host 192.168.40.12 eq smtp
access-list 101 permit tcp any host 192.168.40.100 eq ftp
!
interface FastEthernet0/1
 ip access-group 101 in


Now this ACL is successful in protecting against traffic coming from external sources. However, I could use some advice on allowing internet (HTTP, HTTPS, DNS) from internal hosts. I've been trying for a while and just can't quite nail it down. All help is greatly appreciated!

 

P.S. - Please no suggestions on Zone-Based firewalls. Those are definitely preferred, but I need this for a specific instance! 

1 Accepted Solution

Accepted Solutions

I assume Fa0/1 is the external interface of the 2811?

And you say that you don't want ZBF. Do you mean by that that you don't want a firewall feature at all? This scenario really should be configured with a firewall. And if you don't want to use ZBF because of its complexity, there is still CBAC:

ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW ftp
ip inspect name FW icmp router-traffic
!
interface FastEthernet0/1
 ip inspect FW out
 ip inspect FW in

If you really don't want a firewall feature, you have to allow the return traffic in your ACL 101. For HTTP traffic, it would be

access-list 101 permit tcp any eq 80 any established


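As an added example (not posted by either participant in the thread), here is what ACL 101 looks like once the `established` idea from the accepted answer is carried through for all three protocols the original poster asked about (HTTP, HTTPS and DNS). The topology image is not on the page, so two assumptions are labelled in the comments: that the inside LAN is 192.168.40.0/24 and that Fa0/1 faces the Internet. The one change from the answer's single line is that the return-traffic destination is the inside subnet rather than `any`, since `established` only tests the ACK/RST bits and will happily pass an ACK scan toward anything it is allowed to reach.

```cisco
! Added example; not from the original post or the accepted answer.
! Assumptions: inside LAN = 192.168.40.0/24, Fa0/1 = Internet-facing interface.
!
! --- Return traffic for sessions that inside hosts open to the Internet ---
! "established" matches only TCP segments with ACK or RST set. It keeps no
! session state, so it is a stateless stand-in for CBAC/ZBF, not a firewall.
! Scope the destination to the inside subnet instead of "any".
access-list 101 permit tcp any eq 80  192.168.40.0 0.0.0.255 established
access-list 101 permit tcp any eq 443 192.168.40.0 0.0.0.255 established
!
! UDP has no flags to test. Match DNS replies by source port 53 toward the
! unprivileged ports inside hosts use for queries. If clients only ever ask
! the internal resolver at 192.168.40.10, replace the subnet with
! "host 192.168.40.10" to narrow this further.
access-list 101 permit udp any eq domain 192.168.40.0 0.0.0.255 gt 1023
!
! --- Inbound access to the published services (from the original post) ---
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 192.168.40.14 eq www
access-list 101 permit tcp any host 192.168.40.14 eq 443
access-list 101 permit udp any host 192.168.40.10 eq domain
access-list 101 permit tcp any host 192.168.40.12 eq pop3
access-list 101 permit tcp any host 192.168.40.12 eq smtp
access-list 101 permit tcp any host 192.168.40.100 eq ftp
!
! Make the implicit deny explicit and log it while testing, so dropped
! return traffic shows up in syslog instead of as a silent timeout.
access-list 101 deny ip any any log
!
interface FastEthernet0/1
 ip access-group 101 in
```

After applying it, `show access-lists 101` shows per-entry hit counters; browsing from an inside host should increment the two `established` lines and the `eq domain ... gt 1023` line, while anything unexpected lands on the logging deny. Because all the entries are permits, their order only affects lookup cost; the explicit deny must stay last.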

3 Replies

anthonyherbz
Level 1

If more information about the topology is required, I will happily update it!


Both of your answers are awesome. The second one is more in line with what I was looking for. In the scenario I'm trying to teach, the hardware that was in use could not support ZBF, or most firewalling features just yet, and this is a handy alternative in case that appears again. Really appreciate it!
