cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4424
Views
0
Helpful
8
Replies

Internet ACL not allowing http

Ricky S
Level 3
Level 3

Hi everyone, can you tell me why this ACL, when applied inbound to my outside interface, kills the outbound http traffic?

ip access-list extended internet_block

permit udp any eq bootps any eq bootpc

remark rfc1918 antispoofing

deny   ip host 255.255.255.255 any log

deny   ip 127.0.0.0 0.255.255.255 any log

deny   ip 10.0.0.0 0.255.255.255 any log

deny   ip 172.16.0.0 0.15.255.255 any log

deny   ip 192.168.0.0 0.0.255.255 any log

deny   ip any 10.0.0.0 0.255.255.255 log

deny   ip any 172.16.0.0 0.15.255.255 log

deny   ip any 192.168.0.0 0.0.255.255 log

remark gre tunnels permitted

permit udp any any eq isakmp

permit esp any any

permit gre any any

permit udp any any eq non500-isakmp

permit tcp any any eq www established

permit tcp any any eq 443 established

remark allow ping and traceroute responses

permit icmp any any traceroute

permit icmp any any echo-reply

deny   icmp any any redirect

deny   ip any any

!

!

interface gigabitethernet0/0

ip access-group internet_block in

!

1 Accepted Solution

Accepted Solutions

strange if it was hit or miss , i tried it with success and all hits.

What you can do is on your 190 line do deny   ip any any log ( make sure you have syslog enabled ) and then open yahoo.com in browser and see what error you see on syslog, and why packet is denied.

by the way how we do is simply tcp any any established and never faced any issues. never tried establushed for 80 in my network so far. but did just for a test.

Regards,

View solution in original post

8 Replies 8

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Ricky,

>> permit tcp any any eq www established

permit tcp any any eq 443 established

if you mean web servers that are on the internet you should have used

permit tcp any eq www any established

permit tcp any eq 443 any  established

the ACL is applied inbound on internet facing interface so you  have to see the well known ports on the source part not the destination part

the lines you have used refers to http or https sessions with servers that are inside your network

Hope to help

Giuseppe

ahmad82pkn
Level 3
Level 3

what you need to do is in your ACL

permit tcp any eq 443 any

permit tcp any eq 80 any

Hi Ahmad, thanks.

Shouldn't the "established" keyword be added for security? I am not comfortable leaving port 80 open for all incoming traffic unless it was initiated from the inside.

hum, then do this

permit tcp any eq 443 any established

permit tcp any eq 80 any established

since source ports is 80 and 443 when reply is coming back from web server.

Ok with the established keyword it sporadic, a hit or a miss. I was able to go to google.com but was not able to go to yahoo.com etc. Is there any other ways I can block port 80 and 443 unless traffic is return traffic to a request intiated from the inside?

strange if it was hit or miss , i tried it with success and all hits.

What you can do is on your 190 line do deny   ip any any log ( make sure you have syslog enabled ) and then open yahoo.com in browser and see what error you see on syslog, and why packet is denied.

by the way how we do is simply tcp any any established and never faced any issues. never tried establushed for 80 in my network so far. but did just for a test.

Regards,

Ahh why didn't I think of that about the tcpy any any

I also did tcp any any established and now everything works fine. Issue resolved.

I don't care much about what people from the inside can go to, its more from the outside in.

Thanks a bunch for your help!

Glad to help you

Review Cisco Networking for a $25 gift card