access-list

paltel
Level 1

I have configured a Cisco 1841 router with ethernet 0/1 connected to the internet and ethernet 0/0 connected to the subnet (servers), and I have also configured an access-list to permit some ports from the outside to the servers, applied inbound on ethernet 0/1, and deny everything else. Now, when I want to go to the internet from the servers I can't (I didn't put any access-list on ethernet 0/0) unless I put "tcp established" in the access-list applied on ethernet 0/1. I don't know why.

By default any request from the servers must go out normally, and the response must not be checked by the access-list applied on ethernet 0/1, right?

please help

7 Replies

Michael Stuckey
Level 3

It sounds like you did everything right.

The access list should be on e0/1 inbound example.

access-list 101 permit tcp any 1.1.1.1 eq 23 log

access-list 101 deny ip any any log

(log will help troubleshoot)

int e0/1

ip access-group 101 in

This would allow only telnet access to the 1.1.1.1 server.

There are a lot of ways to tighten this up even more but this will work.

You might have used a named access list too, no problem.

A copy of your config would help. You can always dub your IP addresses.

Are you doing any NATting?

Suggest you try adding:

access-list 101 permit tcp any any ack

What does it mean?

It is very strange. The servers initiate a session, for example to cisco.com, and the access-list on eth 0/1 must not check the response, right?

Whenever you put an ACL in place, there is an implied "deny any any" at the end of the list.

Your problem is that for traffic to the net there needs to be a return path. At the moment, the response is hitting the implied deny and getting dropped.

The rule "permit tcp any any ack" will match all traffic that is a response to an original request (it has the ACK bit set). There are better, more secure ways to do this, but this will get you going.

Thank you.

Can you tell me the more secure ways? I think the IOS firewall will do it, right?

Any decent firewall will offer better security than a router with ACLs. Routers only provide security to layer 4 at best.

The problem with the "permit tcp any any ack" is that it still leaves all your ports open to any inbound traffic - as long as the ack is set.

To do this properly, you'd use a dynamic ACL. But to really do this properly, you'd use a firewall.
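The two replies above make a point that is easy to demonstrate in code: a stateless ACL has no memory of which connections the servers opened, so without an "established"/"ack" entry the reply to the server's own request hits the implicit deny, while with that entry any outside host can reach any port on the server simply by setting the ACK bit. A stateful filter keeps a table of outbound sessions and admits an inbound packet only if it is the mirror of one of them; in IOS that is what reflexive ACLs ("reflect"/"evaluate") and IOS Firewall inspection ("ip inspect") provide. The following Python model is an added example, not code from the thread or from Cisco: the rule matching is deliberately simplified (destination, port and ACK/RST only), the server address 1.1.1.1 is taken from the example ACL above, and the other hosts, ports and packets are constructed for the demonstration.

```python
# Added example (not from the thread): a toy model of how a stateless IOS-style
# ACL treats return traffic with and without "established"/"ack", next to a
# reflexive-style stateful filter that only admits inbound packets belonging
# to a session an inside host opened. Addresses, ports and packets are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# TCP flag bits as laid out in the TCP header flags byte
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    """One access-list entry; None in dst/dport means 'any'.
    established=True mirrors IOS 'established': match only if ACK or RST is set
    (the thread's 'ack' keyword is the same idea restricted to the ACK bit)."""
    action: str
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.flags & (ACK | RST)):
            return False
        return True


def stateless_acl(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit 'deny ip any any' at the end of every ACL


class StatefulFilter:
    """Reflexive-style filter: every outbound packet records a session, an
    inbound packet is permitted if it is the mirror of a recorded session,
    and anything else falls through to the static inbound ACL."""

    def __init__(self, inbound_rules: List[Rule]) -> None:
        self.inbound_rules = inbound_rules
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> str:
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit"
        return stateless_acl(self.inbound_rules, pkt)


# Constructed addresses: the thread's example server plus documentation ranges.
SERVER = "1.1.1.1"
WEBSITE = "198.51.100.10"
OUTSIDER = "203.0.113.5"

# The inbound ACL from the thread: telnet to the server, then deny everything.
TELNET_ONLY = [Rule("permit", SERVER, 23), Rule("deny")]
# The same ACL with the suggested "permit tcp any any ack" workaround added.
WITH_ESTABLISHED = [Rule("permit", SERVER, 23), Rule("permit", established=True), Rule("deny")]

# Constructed packets arriving inbound on the internet-facing interface.
TELNET_IN = Packet(OUTSIDER, 5000, SERVER, 23, SYN)   # allowed by design
WEB_REPLY = Packet(WEBSITE, 80, SERVER, 40000, ACK)   # reply to the server's own request
ACK_PROBE = Packet(OUTSIDER, 4444, SERVER, 445, ACK)  # unsolicited packet with ACK set


def stateless_results() -> Dict[str, str]:
    return {
        "telnet/telnet_only": stateless_acl(TELNET_ONLY, TELNET_IN),
        "reply/telnet_only": stateless_acl(TELNET_ONLY, WEB_REPLY),
        "reply/established": stateless_acl(WITH_ESTABLISHED, WEB_REPLY),
        "probe/established": stateless_acl(WITH_ESTABLISHED, ACK_PROBE),
    }


def stateful_results() -> Dict[str, str]:
    fw = StatefulFilter(TELNET_ONLY)
    fw.outbound(Packet(SERVER, 40000, WEBSITE, 80, SYN))  # server opens a connection out
    return {
        "reply": fw.inbound(WEB_REPLY),
        "probe": fw.inbound(ACK_PROBE),
        "telnet": fw.inbound(TELNET_IN),
    }


if __name__ == "__main__":
    for name, verdict in stateless_results().items():
        print(f"stateless {name:20} {verdict}")
    for name, verdict in stateful_results().items():
        print(f"stateful  {name:20} {verdict}")
```

Running it shows the web reply denied under the telnet-only list, permitted once the established entry is added, the ACK probe to port 445 permitted by that same entry, and the stateful filter permitting only the reply and the telnet connection while dropping the probe. The real IOS features keep the session table on the router itself and age entries out after a timeout; this model omits timeouts and UDP/ICMP handling.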

You are right, it is temporary (I mean the router); I will install a PIX 515. But for now, will the IOS firewall secure this scenario?