Access List-Permit Port 80

jmhtech
Level 1

Trying to set up Access-List that only permits Ports 21 (FTP), 25 (SMTP), 80 (HTTP), 110 (POP3), and 3389 (MS-Terminal Server). Will want packets for all other ports to be denied by default. However, this config denies web browsing. I assumed that Permit on Port 80 would allow these packets. Which Port should I be using?

Config is on Cisco 2620 IOS 12

Thanks. Joseph Hart

6 Replies

jamey
Level 4

When your internal clients go out over the Internet to an HTTP server, they choose a random source TCP port and use the destination port of 80, so when the return traffic comes back to the host from the web server on the Internet, the web server uses a source port of 80 and a destination port equal to that random TCP port your internal host chose. Since you are blocking access to that random port, communication fails. The solution is to configure your access-list entry with the "established" keyword:

access-list 110 permit tcp any any established

This will allow all TCP return traffic that was initiated from inside your network.

-HTH

Thanks for your reply. I tried your suggestion without success. Here's my access list entries:

access-list 100 permit tcp any any eq 21
access-list 100 permit tcp any any eq 25
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any established

The interface is to our ISP. On the Serial Interface (a WIC 1T) I set the following:

ip access-group 100 in

When I do this, I can no longer receive email or connect to web sites. The permit for terminal server clients (Port 3389) does work, however.

What am I missing?

Thanks.

Joe Hart

konigl
Level 7

Are you applying the access list to inbound or outbound traffic, or do you have access lists for both? On a serial interface, or on the LAN interface?

Is this to permit access from the Internet to FTP, SMTP/POP3, HTTP, and MS-TermServ servers on your network? Or are you trying to permit users on your network to only access those kinds of servers out on the Internet?

Without more information, I can only guess that your access list is somehow denying the web clients, whose port numbers are generally >1023. Possibly the order in which the IP addresses, masks, and port numbers are specified in the ACL is reversed with regard to which direction the traffic is being filtered across the interface. It may also be an issue with using the "established" parameter.

Any chance you can post the ACLs and interface configurations in question, substituting some dummy numbers for any public IP addresses?

Here's my access list configuration.

access-list 100 permit tcp any any eq 21
access-list 100 permit tcp any any eq 25
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any established

The interface is to our ISP. On the Serial Interface (a WIC 1T) I set the following:

ip access-group 100 in

When I attach this access list to the serial interface, I can no longer connect to our external mail server, or connect to web sites. The permit for terminal server clients (Port 3389) does work, however.

I'm sure this is something very basic.

Thanks for your help.

Joe Hart

It seems like your computers can't do DNS resolution, which will keep them from resolving a URL to an IP address. DNS requests are probably going out, but your access-list is not permitting the replies to come back in.

Standard DNS name-to-IP-address resolution uses UDP port 53 on the server; Cisco IOS will show it as "domain". Depending on whether your network's computers utilize an in-house DNS server, or DNS servers at your ISP, add one or the other of these lines to your inbound access list:

If all your computers use an in-house DNS server, then

access-list 100 permit udp any eq 53 host YourDNSserver'sIPaddress

If your computers act as clients to your ISP's DNS servers, then

access-list 100 permit udp any eq 53 any

This will allow your computers to query DNS to resolve a Web site's URL or the external mail server's name to an IP address.

A useful trick to see if anything else is being inadvertently blocked by your access list is to make the implicit "deny all" at the end of the list explicit, and log the denials. Put this at the very end of your access-list:

access-list 100 deny ip any any log

This will deny all TCP, UDP, and ICMP activity inbound that you have not already permitted in previous access-list commands, and log it for you to review. You can log to the router's console, or to a syslog server. Check to see if something else you need is being denied.

Hope this helps.
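The behaviour the replies describe (return traffic arriving on a random high port, the "established" keyword matching only TCP segments with ACK or RST set, and UDP DNS replies falling through to the implicit deny) can be checked with a small model of IOS extended-ACL evaluation. This is an added example, not code from the thread or from Cisco: the packets are constructed, only "any" and "host" address forms are parsed, and addresses are ignored when matching.

```python
# Port names IOS prints in place of numbers (e.g. "eq 53" shows as "eq domain").
PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_ace(line):
    # Parses "access-list N permit|deny proto SRC [eq p] DST [eq p] [established] [log]".
    # SRC/DST are "any" or "host A.B.C.D"; the address itself is not modelled here.
    t = line.split()
    ace = {"action": t[2], "proto": t[3], "sport": None, "dport": None}
    i = 4
    for side in ("sport", "dport"):
        i += 2 if t[i] == "host" else 1            # skip "any" or "host X"
        if i < len(t) and t[i] == "eq":
            ace[side] = _port(t[i + 1]); i += 2
    ace["established"] = "established" in t[i:]
    return ace

def matches(ace, pkt):
    # "ip" matches any protocol; port qualifiers must match when present;
    # "established" only matches a TCP segment carrying ACK or RST.
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"]):
        return False
    return not ace["established"] or bool(pkt["flags"] & {"ACK", "RST"})

def evaluate(acl, pkt):
    # First matching entry wins; every IOS ACL ends with an implicit "deny ip any any".
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

def tcp(sport, dport, *flags):
    return {"proto": "tcp", "sport": sport, "dport": dport, "flags": set(flags)}

def udp(sport, dport):
    return {"proto": "udp", "sport": sport, "dport": dport, "flags": set()}

ORIGINAL = ["access-list 100 permit tcp any any eq 21", "access-list 100 permit tcp any any eq 25",
            "access-list 100 permit tcp any any eq 3389", "access-list 100 permit tcp any any established"]
FIXED = ORIGINAL + ["access-list 100 permit udp any eq 53 any"]   # the ISP-resolver DNS line

# Constructed packets arriving inbound on the serial interface from the Internet.
HTTP_REPLY = tcp(80, 49152, "ACK")      # web server answering an inside browser
DNS_REPLY = udp(53, 50123)              # resolver answering an inside client's query
RDP_NEW = tcp(51000, 3389, "SYN")       # new connection to the inside Terminal Server
HTTP_NEW = tcp(51001, 80, "SYN")        # unsolicited connection to an inside web server
```

Running `evaluate(ORIGINAL, DNS_REPLY)` gives "deny" while `evaluate(FIXED, DNS_REPLY)` gives "permit", which is exactly the gap that broke name resolution (and therefore mail and web access) in the thread.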

I will certainly give this a try. We're using internal DNS with Windows 2000. I think this may do the trick.

Thanks for all of your help.

Regards,

Joe Hart