09-02-2011 02:59 AM - edited 03-04-2019 01:29 PM
I have a Cisco router on our network LAN, but also the WAN. Using NAT overload, PCs on the LAN who have a default gw of the Cisco router are able to access the internet. But I think I should add an access-group to my outside interface. I've done that now, but users can't access the internet anymore. I've tried:
permit tcp any any eq www
that didn't work on its own. So then I tried
permit ip any any
that works, but what's the point of having a hole that large.
Just need to understand what I should allow in for web traffic.
Thanks,
Jon
09-02-2011 03:11 AM
Users probably use not only port 80 to reach web resources outside of your network. Try to add port 443 too.
If they use external DNS servers, port 53 also should be permitted.
Sincerely,
GRinch
09-02-2011 03:17 AM
Hi,
You should make an ACL denying known vulnerable ports and IP addresses while its last line is the one you already have which permits ip from any source to any destination.
This ACL will be added to the outside interface having inside direction.
Each time something new comes up (let's say you need to deny access to a specific URL) you add it to the ACL keeping the last line unchanged.
Best regards,
Giorgos
09-02-2011 03:38 AM
I've got an ACL on my outside interface with inside direction.
So far it's saying:
permit udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq domain
Then it's my understanding that there is an implicit deny at the end.
This doesn't work. My users can not access the internet, only when I open the ACL further with a
permit tcp any any
This sounds a bit too open to me, I might be wrong.
Is it related to the fact that I'm also using NAT Overload?
Jon
09-02-2011 03:46 AM
Hello,
you should implement this ACL to outside direction on your outside interface
Sincerely,
GRinch
09-02-2011 03:59 AM
Hi,
The ACL you have must be implemented on the outside interface to outside direction as GRinch said. If you tried the ACL on my example, it should be implemented on the outside interface to inside direction.
But let's just check your ACL.
First of all, you need to permit both TCP and UDP on port 53. Same thing for port 443.
Delete the first line which permits UDP from any source to any destination. You don't have to permit access to every UDP port.
Giorgos
09-02-2011 04:48 AM
My knowledge of Cisco ACLs isn't fantastic. My understanding is that an out ACL on my outside interface restricts my internal devices and where they can go to on the internet. Now an in ACL on my outside deals with what traffic I'm letting back in. Does this sound about right?
So for the moment I don't want to restrict outbound traffic.
So I need to focus on the inbound traffic from the internet.
The only line that works is
permit tcp any any.
If I use this, yes my users can surf the net, but this feels too open. And if I use:
ip access-list extended Jon1
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq 443
the router looks to be locked down more but can't access the internet. I must still be restricting a port which I need open.
Jon
09-02-2011 04:53 AM
It doesn't matter if you implement the ACL in inbound or outbound direction. Everything which is not permitted in the ACL will be restricted.
Sincerely,
GRinch
09-02-2011 05:08 AM
It matters, depending on the ACL itself.
"deny tcp any any eq 8000" denies access to the outside if applied to inside direction while the same ACL denies access to the inside if applied to the outside direction.
In our case,
Jon, place the next couple of lines first on your ACL:
permit tcp any any eq domain
permit udp any any eq domain
Then all others.
Giorgos
09-02-2011 05:32 AM
I think the problem is that I shouldn't be trying this on a router. I think I need to be able to filter and manage stateful http(s) filters. And I don't think or don't know how to do this in Cisco IOS on a router. Perhaps it's not such a good idea to use a Cisco router as a gateway to the internet. So perhaps I should be looking to do this with an ASA type device.
With an ASA I'd have more control I'd expect, though I've never used one.
Trying this on a Cisco, it's either working but I feel open, and when I close it down, internet surfing stops working.
Jon
09-02-2011 05:44 AM
Security appliances such as an ASA are always the best choice, especially in corporate environments.
Did it work placing port 53 on top of the ACL?
Giorgos
09-02-2011 08:21 AM
Here's what will probably work, assuming you're using an ASA / PIX:
access-list outside_in remark DENY ALL INBOUND CONNECTIONS BY DEFAULT
access-list outside_in deny ip any any
access-list inside_in remark ALLOW THE LAN TO CONNECT TO ANYTHING
access-list inside_in permit ip any any
access-group outside_in in interface outside
access-group inside_in in interface inside
Babbling follows:
You should be able to use a standard router as your internet gateway, and even have access control. An ASA (or even a PIX) would be needed if you want to do deeper inspection of packets, dynamic threat protection, etc.
Typical setup is to set the ACLs on INBOUND traffic to the appropriate interface. Something like this:
access-list outside_in remark *** DENY ALL UNINVITED TRAFFIC FROM THE INTERNET BY DEFAULT ***
access-list outside_in remark *** There is an implicit deny any, but for clarity we'll put an explicit one.
access-list outside_in deny ip any any
access-list inside_in remark *** PERMIT SPECIFIC TRAFFIC ORIGINATING ON THE LAN ***
access-list inside_in remark *** In this case, we will allow only HTTP and HTTPS traffic
access-list inside_in permit tcp any any eq www
access-list inside_in permit tcp any any eq https
access-list inside_in deny ip any any
access-group outside_in in interface outside
access-group inside_in in interface inside
Expand or restrict as needed. If you have an inside web server for example, you will need to not only permit traffic to it but also set up a NAT policy for it. For outbound traffic, you may need to permit your DNS server to reach out to its forwarders on TCP 53.
The access list on the outside interface can be deny any any because it only applies to connections initiated on the outside. It will have no effect on a session initiated from the inside. That's why things like Logmein and GoToMyPC work. They sit on an inside computer and just keep a session open to the external broker servers.
09-02-2011 08:53 AM
Sorry, that's a really long explanation. Here's the simple version.
- Apply ACLs to inbound traffic on the interfaces
- Permit anything inbound to the inside interface
- Deny everything inbound to the outside interface, unless you have some service on the inside that needs to be accessed from the Internet
09-02-2011 09:03 AM
Hi, if you've got the IOS which supports this feature you could implement Zone based Firewall, if not you can implement CBAC. These are 2 ways of making a router a stateful firewall.
Regards.
Alain.
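The two behaviours this thread circles around, as an added example (my own Python, not code from the thread, from Cisco, or from any poster): a small simulator of an IOS-style extended ACL applied inbound on the outside interface, run against Jon's Jon1 list and a constructed web session, plus a toy session tracker standing in for what CBAC / zone-based firewall add on top of a stateless list. It shows why "permit tcp any any eq www" inbound never matches the server's reply (the reply has destination port 80 on the way out, but on the way back its destination is the PC's ephemeral port), why "permit tcp any any" does. The addresses, ports, PORT_NAMES table and packet contents are constructed for the demo; `established` is a real IOS extended-ACL keyword that matches TCP segments with ACK or RST set, everything else here is my simplification.

```python
"""Stateless ACL vs. stateful inspection for a NAT-overloaded web session.

Added example, not from the thread. Only 'any any' sources/destinations,
'eq <port>', the 'established' keyword and the implicit deny are modelled.
"""
from dataclasses import dataclass

# IOS port keywords used in the thread (constructed lookup table)
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag: set on every segment after the SYN


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text):
    """Parse lines like 'permit tcp any any eq www [established]'."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark"):
            continue                      # skip 'ip access-list extended NAME'
        action, proto, rest = tok[0], tok[1], tok[4:]
        dport, established, i = None, False, 0
        while i < len(rest):
            if rest[i] == "eq":
                dport, i = _port(rest[i + 1]), i + 2
            elif rest[i] == "established":
                established, i = True, i + 1
            else:
                i += 1
        entries.append((action, proto, dport, established))
    return entries


def acl_decision(entries, pkt):
    """First matching line wins; no match means the implicit deny."""
    for action, proto, dport, established in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return action
    return "deny"


def evaluate(acl_text, pkt):
    return acl_decision(parse_acl(acl_text), pkt)


class StatefulInspector:
    """Toy stand-in for CBAC / zone-based firewall session tracking."""

    def __init__(self, outside_in_acl):
        self.acl = parse_acl(outside_in_acl)
        self.sessions = set()

    def outbound(self, pkt):
        # LAN -> Internet: remember the 5-tuple so its reply is let back in
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return "permit"               # return traffic of a known session
        return acl_decision(self.acl, pkt)  # unsolicited: the ACL decides


# Jon's list from the thread (as posted), and two constructed alternatives
JON_ACL = """
ip access-list extended Jon1
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq domain
permit udp any any eq domain
"""
OPEN_ACL = "permit tcp any any"
ESTABLISHED_ACL = "permit tcp any any established"

# Constructed session: LAN PC behind NAT overload (WAN address 198.51.100.1,
# ephemeral port 50123) fetching a page from web server 203.0.113.10
REQUEST = Packet("tcp", "198.51.100.1", 50123, "203.0.113.10", 80)
REPLY = Packet("tcp", "203.0.113.10", 80, "198.51.100.1", 50123, ack=True)
DNS_REPLY = Packet("udp", "203.0.113.53", 53, "198.51.100.1", 40000)
UNSOLICITED_SYN = Packet("tcp", "203.0.113.99", 4444, "198.51.100.1", 22)


def stateful_demo(outside_in_acl="deny ip any any"):
    """Returns (reply_verdict, unsolicited_verdict) with session tracking."""
    fw = StatefulInspector(outside_in_acl)
    fw.outbound(REQUEST)
    return fw.inbound(REPLY), fw.inbound(UNSOLICITED_SYN)


if __name__ == "__main__":
    for name, acl in (("Jon1", JON_ACL), ("permit tcp any any", OPEN_ACL),
                      ("established", ESTABLISHED_ACL)):
        print(f"{name:22} web reply={evaluate(acl, REPLY):6} "
              f"dns reply={evaluate(acl, DNS_REPLY):6} "
              f"unsolicited SYN={evaluate(acl, UNSOLICITED_SYN)}")
    print("stateful (deny ip any any):", stateful_demo())
```

Run as-is and the Jon1 list denies both the web reply and the DNS reply, which is exactly the "locked down but no internet" symptom; "permit tcp any any" lets the reply through but also admits the unsolicited SYN, which is the hole Jon was uneasy about. The `established` variant passes the reply and drops the bare SYN, but it only looks at TCP flags, so any ACK-flagged packet to any port still gets in and UDP replies such as DNS get no help at all; that gap is what CBAC or the zone-based firewall Alain mentions close, as the last line of the demo shows with a session table in front of a deny-everything outside list.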
09-02-2011 10:10 AM
Always keep in mind that ACLs meant to control the internet traffic should be implemented on interfaces close to the web and not the ones close to the LAN.
Giorgos