06-04-2013 05:32 AM - edited 03-04-2019 08:05 PM
Hi,
I want to permit Internet access on my router from my inside users.
I thought that I only need a permit for the DNS server (we have an inside DNS which forwards to an outside DNS).
But as I tested, I need to permit www and 443 as inbound traffic (for the 3-way handshake, connections ...).
Please tell me which is better/more secure:
interface gigabitEthernet 0/1
ip access-group 5 in
1.
access-list 5 permit tcp any eq 443 host x.x.x.x
access-list 5 permit tcp any eq www host x.x.x.x
or
2.
access-list 5 permit tcp host x.x.x.x eq established
Thank you for your time,
Keli
06-04-2013 07:06 AM
Hi,
The more secure way would be to implement either CBAC or a zone-based firewall, but if these are not viable options then reflexive ACLs are in my opinion more secure than the established ACL (because this is easily spoofable).
Regards
Alain
Don't forget to rate helpful posts.
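An added sketch (not part of the reply above or of the original poster's configuration) of the reflexive ACL option, next to the `established` form from the question written as a valid extended ACL. It assumes GigabitEthernet0/1 is the Internet-facing interface and that no NAT is done on this router; the ACL names, the 10.0.0.0/24 inside subnet and the DNS forwarder address 10.0.0.53 are constructed placeholders.

```cisco
! Constructed example. Assumptions: Gi0/1 faces the Internet, inside hosts
! are 10.0.0.0/24, the inside DNS forwarder is 10.0.0.53, no NAT here.
!
! Stateless variant: "established" only matches TCP segments that have the
! ACK or RST bit set. The router keeps no record of which inside host
! opened which connection, and UDP (DNS) replies cannot be matched at all.
ip access-list extended INET-IN-ESTABLISHED
 permit tcp any eq www 10.0.0.0 0.0.0.255 established
 permit tcp any eq 443 10.0.0.0 0.0.0.255 established
 deny ip any any log
!
! Reflexive variant: each outbound flow that matches a "reflect" line
! creates a temporary mirrored entry in INET-RETURN, tied to the exact
! source/destination addresses and ports, and removed after the timeout
! (or when the TCP session closes).
ip access-list extended INET-OUT
 permit tcp 10.0.0.0 0.0.0.255 any eq www reflect INET-RETURN timeout 300
 permit tcp 10.0.0.0 0.0.0.255 any eq 443 reflect INET-RETURN timeout 300
 permit udp host 10.0.0.53 any eq domain reflect INET-RETURN timeout 30
 permit tcp host 10.0.0.53 any eq domain reflect INET-RETURN timeout 30
 deny ip any any log
!
! Inbound traffic is allowed only if it matches a live reflected entry.
ip access-list extended INET-IN
 evaluate INET-RETURN
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group INET-OUT out
 ip access-group INET-IN in
```

Reflexive ACLs work only with named extended ACLs, and they track single-channel sessions; protocols that open secondary connections on other ports are not covered by the reflected entries.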
06-05-2013 02:56 AM
Thank you Alain for the reply.
I will certainly try reflective ACL or ZBF...
Best regards,
Indira