cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
792
Views
0
Helpful
3
Replies

ip access-group in or out on two port 2500

jsigman
Level 1
Level 1

Router:

One Serial port (Internet Connected)

One Ethernet port (Internally connected)

IOS 10.3(2)

Will upgrade IOS in three months, but no financial resources now. Will implement true firewall at same time, but for the time being we need to filter traffic with the resources we have.

We have determined that we want to filter (drop) packets that are inbound from the Internet that do not provide support for ports 20, 21, 22, 25, 53, & 80, directed at specific hosts. Whether we apply the access list on the serial interface inbound or outbound we block outbound traffic from the internal network like http, dns, which is not the desired result. Of course the addresses below are just examples and not real. Please advise on how to overcome this issue? Do we have to apply rules for outbound to Internet communication too?

access-list 169 permit tcp any 56.115.78.5 0.0.0.255 eq 20

access-list 169 permit udp any 56.115.78.5 0.0.0.255 eq 20

access-list 169 permit tcp any 56.115.78.5 0.0.0.255 eq 21

access-list 169 permit udp any 56.115.78.5 0.0.0.255 eq 21

access-list 169 permit tcp any 56.115.78.8 0.0.0.255 eq 22

access-list 169 permit tcp any 56.115.78.3 0.0.0.255 eq 53

access-list 169 permit udp any 56.115.78.3 0.0.0.255 eq 53

access-list 169 permit tcp any 56.115.78.7 0.0.0.255 eq 80

access-list 169 deny icmp any any redirect

access-list 169 deny ip 127.0.0.0 0.255.255.255 any

access-list 169 deny ip 224.0.0.0 0.255.255.255 any

access-list 169 deny any any log

Interface S0

ip access-group 169 ( in or out)?????

3 Replies 3

mmellet
Level 3
Level 3

Take a look at this document to get a clear understanding of ACL’s before applying them: http://www.cisco.com/warp/public/105/acl_wp.html

robert.hyde
Level 1
Level 1

The first thing I would try is to add this command to your access list:

access-list 169 permit tcp any any established

But add it to the TOP of your access list, which means removing the whole thing and then pasting it back in with that command first.

Then apply your access list with "ip access-group 169 in"

The established means that any incoming packets with the ack bit set will be allowed inbound to your network. And they will only have the ack bit set if they are the reply to a request that originated from the inside. So if a pc from the inside sends a request packet out to the internet, the reply will be allowed back in.

This should do the trick, the only other items I have really seen is needing to open up the ports for pop3 and smtp, that is about it... If that doesn't do it, we may need some specifics.

Good luck!

ali-franks
Level 1
Level 1

Apply the acl inbound on your S0 and try preceding your first acl statement with:

access-list 169 permit tcp any 56.115.78.0 0.0.0.255 established

This allows TCP sessions initiated from your LAN to establish.

I guess you are natting and have static NAT statements in place for your specific hosts?

Ali