07-27-2008 10:26 AM - edited 03-03-2019 10:54 PM
Hi,
I'm having trouble with my access lists. I've got a Cisco 877 router and would like to deny all traffic initiated from the web but allow traffic originating from the private internal LAN to the web and receive through the firewall. How can I do this? I've tried using the permit tcp any any established command but it doesn't work, so a quick summary of how to resolve this would really help.
Thanks
07-27-2008 11:25 AM
Colin,
Without seeing the ACL (if there is more to it) I will assume that you are not permitting DNS traffic through the router. You should add "permit udp any eq 53 any" to allow DNS traffic.
HTH,
Mark
07-27-2008 12:32 PM
Hi,
To permit all traffic originated from your LAN to the internet, don't configure an ACL on both the LAN gateway inbound direction and the WAN interface outbound direction, as by creating no ACL all traffic is allowed.
To deny traffic originated from the web, apply the "deny tcp any any established" command on the WAN interface in the inbound direction; this will block only TCP sessions.
To block UDP sessions originated from the internet, apply the "deny udp any lan-ip-add mask" command on the WAN interface in the inbound direction.
Also, you should apply the command "IP inspect name res tcp" in global config mode and apply the command "ip inspect res" to the LAN GW in the inbound direction or to the WAN interface in the outbound direction, so that allowed traffic originated from the LAN can be allowed dynamically in the reverse direction.
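
For readers comparing the two approaches raised in this thread, here is an added example (not posted by any participant) of an IOS configuration that blocks internet-initiated traffic while letting LAN-initiated sessions return, with the stateless `established` variant shown commented out beside it. The names FW, WAN-IN and WAN-IN-STATELESS and the WAN interface Dialer0 are assumptions; substitute the router's actual WAN interface.

```cisco
! Added example. FW, WAN-IN, WAN-IN-STATELESS and Dialer0 are assumed names,
! not taken from the thread.
!
! Stateful inspection (CBAC): sessions opened from the LAN are tracked as they
! leave the WAN interface, and temporary permits for their return traffic are
! placed ahead of the inbound ACL entries.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound ACL on the WAN side: nothing initiated from the internet is allowed.
! Return traffic gets in only through the temporary entries made by inspection.
ip access-list extended WAN-IN
 deny ip any any log
!
interface Dialer0
 ip access-group WAN-IN in
 ip inspect FW out
!
! For comparison, a stateless inbound ACL built on the "established" keyword.
! "established" matches only TCP segments with ACK or RST set, so it never
! matches UDP: DNS replies need their own entry, and any other UDP or ICMP
! return traffic is dropped by the final deny.
! ip access-list extended WAN-IN-STATELESS
!  permit tcp any any established
!  permit udp any eq 53 any
!  deny ip any any
```

After applying it, `show ip inspect sessions` lists the sessions being tracked and `show access-lists WAN-IN` shows hit counts on the deny entry.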