Access list for www traffic

haughjd (Level 1)

I have a Cisco router on our network LAN, but also the WAN. Using NAT overload, PCs on the LAN that have a default gw of the Cisco router are able to access the internet. But I think I should add an access-group to my outside interface. I've done that now, but users can't access the internet anymore. I've tried:

permit tcp any any eq www

that didn't work on its own.   So then I tried

permit ip any any

That works, but what's the point of having a hole that large.

Just need to understand what I should allow in for web traffic.

Thanks,

Jon

14 Replies

grinch182 (Level 1)

Users probably use not only port 80 to reach web resources outside your network. Try adding port 443 too.

If they use external DNS servers, port 53 should also be permitted.

Sincerely,

GRinch

garapoglou (Level 3)

Hi,

You should make an ACL denying known vulnerable ports and IP addresses while its last line is the one you already have which permits ip from any source to any destination.

This ACL will be added to the outside interface having inside direction.

Each time something new comes up (let's say you need to deny access to a specific URL) you add it to the ACL keeping the last line unchanged.

Best regards,

Giorgos

I've got an ACL on my outside interface with inside direction.

So far it says:

permit udp any any

permit tcp any any eq www

permit tcp any any eq 443

permit tcp any any eq domain

Then it's my understanding that there is an implicit deny at the end.

This doesn't work. My users can not access the internet, only when I open the ACL further with a

permit tcp any any

This sounds a bit too open to me; I might be wrong.

Is it related to the fact that i'm also using NAT Overload?

Jon

Hello,

You should implement this ACL in the outbound direction on your outside interface.

Sincerely,

GRinch

Hi,

The ACL you have must be implemented on the outside interface in the outbound direction, as GRinch said. If you tried the ACL from my example, it should be implemented on the outside interface in the inbound direction.

But let's just check your ACL.

First of all, you need to permit both TCP and UDP on port 53. Same thing for port 443.

Delete the first line which permits UDP from any source to any destination. You don't have to permit access to every UDP port.

Giorgos

My knowledge of Cisco ACLs isn't fantastic. My understanding is that an out ACL on my outside interface restricts my internal devices and where they can go to on the internet. An in ACL on my outside interface deals with what traffic I'm letting back in. Does this sound about right?

So for the moment I don't want to restrict outbound traffic.

So I need to focus on the inbound from the internet in.

The only line that works is

permit tcp any any

If I use this, yes, my users can surf the net, but this feels too open. And if I use:

ip access-list extended Jon1

permit tcp any any eq www

permit tcp any any eq 443

permit tcp any any eq domain

permit udp any any eq domain

permit udp any any eq 443

the router looks to be locked down more but can't access the internet. I must still be restricting a port which I need open.

Jon

It doesn't matter if you implement the ACL in the inbound or outbound direction. Everything which is not permitted in the ACL will be restricted.

Sincerely,

GRinch

It matters, depending on the ACL itself.

"deny tcp any any eq 8000" denies access to the outside if applied to inside direction while the same ACL denies access to the inside if applied to the outside direction. 

In our case,

Jon, place the next couple of lines first on your ACL:

permit tcp any any eq domain

permit udp any any eq domain

Then all others.

Giorgos

I think the problem is that I shouldn't be trying this on a router. I think I need to be able to filter and manage stateful http(s) filters, and I don't think, or don't know how, to do this in Cisco IOS on a router. Perhaps it's not such a good idea to use a Cisco router as a gateway to the internet, so perhaps I should be looking to do this with an ASA type device.

With an ASA I'd have more control, I'd expect, though I've never used one.

Trying this on a Cisco: it's either working but I feel open, and when I close it down, internet surfing stops working.

Jon

Security appliances such as the ASA are always the best choice, especially in corporate environments.

Did it work placing port 53 on top of the ACL?

Giorgos

Here's what will probably work, assuming you're using an ASA / PIX:

access-list outside_in remark DENY ALL INBOUND CONNECTIONS BY DEFAULT

access-list outside_in deny ip any any

access-list inside_in remark ALLOW THE LAN TO CONNECT TO ANYTHING

access-list inside_in permit ip any any

access-group outside_in in interface outside

access-group inside_in in interface inside

Babbling follows:

You should be able to use a standard router as your internet gateway, and even have access control. An ASA (or even a PIX) would be needed if you want to do deeper inspection of packets, dynamic threat protection, etc.

Typical setup is to set the ACLs on INBOUND traffic to the appropriate interface. Something like this:

access-list outside_in remark *** DENY ALL UNINVITED TRAFFIC FROM THE INTERNET BY DEFAULT ***

access-list outside_in remark *** There is an implicit deny any, but for clarity we'll put an explicit one.

access-list outside_in deny ip any any


access-list inside_in remark *** PERMIT SPECIFIC TRAFFIC ORIGINATING ON THE LAN ***

access-list inside_in remark *** In this case, we will allow only HTTP and HTTPS traffic

access-list inside_in permit tcp any any eq www

access-list inside_in permit tcp any any eq https

access-list inside_in deny ip any any


access-group outside_in in interface outside

access-group inside_in in interface inside

Expand or restrict as needed. If you have an inside web server, for example, you will need to not only permit traffic to it but also set up a NAT policy for it. For outbound traffic, you may need to permit your DNS server to reach out to its forwarders on TCP 53.

The access list on the outside interface can be deny any any because it only applies to connections initiated on the outside. It will have no effect on a session initiated from the inside. That's why things like Logmein and GoToMyPC work. They sit on an inside computer and just keep a session open to the external broker servers.

IcebergTitanic (Level 1)

Sorry, that's a really long explanation. Here's the simple version.

- Apply ACLs to inbound traffic on the interfaces

- Permit anything inbound to the inside interface

- Deny everything inbound to the outside interface, unless you have some service on the inside that needs to be accessed from the Internet

Hi, if you've got an IOS which supports this feature you could implement Zone-Based Firewall; if not, you can implement CBAC. These are two ways of making a router a stateful firewall.

Regards.

Alain.

Don't forget to rate helpful posts.
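Why Jon's "Jon1" ACL above blocks browsing while "permit tcp any any" works, and what the stateful inspection Alain mentions (CBAC or Zone-Based Firewall) adds: an added Python model written for this thread, not code from the forum or from Cisco IOS. The ACL evaluator, the inspector, and the sample addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# Jon's "Jon1" ACL from the thread, applied inbound on the outside interface.
# Each entry is (protocol, destination port); None means any port.
JON1 = [("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53), ("udp", 443)]

def stateless_permit(acl, pkt):
    """Stateless extended ACL semantics: first match wins, implicit deny at the
    end. 'eq <port>' matches the DESTINATION port, so a reply from a web server
    (source port 80, destination = the PC's ephemeral port) never matches."""
    for proto, dport in acl:
        if pkt.proto == proto and (dport is None or pkt.dport == dport):
            return True
    return False

class StatefulInspector:
    """Minimal model of what CBAC / ZBF add: remember flows that left through
    the outside interface and permit only the matching return traffic."""
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def inbound_permit(self, pkt):
        # A reply is permitted only if its reversed 5-tuple was seen going out.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

# Constructed sample: NAT address 203.0.113.10 browsing 198.51.100.5 and
# resolving names at 198.51.100.53 (documentation ranges, not real hosts).
OUT_HTTP = Packet("tcp", "203.0.113.10", 51234, "198.51.100.5", 80)
RET_HTTP = Packet("tcp", "198.51.100.5", 80, "203.0.113.10", 51234)
OUT_DNS = Packet("udp", "203.0.113.10", 40000, "198.51.100.53", 53)
RET_DNS = Packet("udp", "198.51.100.53", 53, "203.0.113.10", 40000)
UNSOLICITED = Packet("tcp", "198.51.100.5", 80, "203.0.113.10", 22)

def demo():
    insp = StatefulInspector()
    for p in (OUT_HTTP, OUT_DNS):
        insp.outbound(p)
    return {
        "jon1_permits_http_reply": stateless_permit(JON1, RET_HTTP),
        "jon1_permits_dns_reply": stateless_permit(JON1, RET_DNS),
        "tcp_any_any_permits_http_reply": stateless_permit([("tcp", None)], RET_HTTP),
        "stateful_permits_http_reply": insp.inbound_permit(RET_HTTP),
        "stateful_permits_unsolicited": insp.inbound_permit(UNSOLICITED),
    }
```

The stateless result is exactly the symptom in the thread: the inbound ACL only opens up once it permits any destination port, whereas the inspector lets the reply back in without opening port 22 (or anything else) to unsolicited traffic.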

garapoglou (Level 3)

Always keep in mind that ACLs meant to control the internet traffic should be implemented on interfaces close to the web and not the ones close to the LAN.

Giorgos
