Hiya,

I'm somewhat stumped here and could use some help from the folks.
I have a 2610 doing NAT over a cable modem and really need to tighten it up 
just a bit.  The router is communicating with the internet via e0/0 and the 
internal network is running over s0/0 ( till I get an NM-1E ). My policy is 
somewhat open as follows:

ALLOW ANYONE to communicate with the internet FROM inside. (nat'ed rfc1918)
ALLOW inbound http from anyone to internal network (translated and working)
ALLOW inbound ssh from anyone to internal network (translated and working)
DENY anyone's incoming packets who has the SYN bit set but NOT SYN/ACK.
ALLOW anything else at the moment
default DENY

Most of this policy is to be enforced inbound e0/0.
I have tried to implement the syn !syn/ack with extended rules
access-list 102 deny tcp any any syn 

but when I apply this with an allow any any onto e0/0, all the outbound 
packets die: either the syn/ack's from outside sites are getting denied or it 
never leaves the router to begin with. I cannot define a rule to pick out 
pure syn bit packets from syn/ack'd ones.

Does anyone know a good packet filtering rule to accomplish this? Seems it 
should be pretty standard fare as far as packet filtering routers go (shrug).


Thanks in advance,
Dave




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=143&t=143
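As an added illustration (not part of Dave's post or any reply), here is one way to express that policy in IOS extended ACL syntax. It assumes a placeholder outside address of 203.0.113.2 on e0/0, with the http and ssh static translations pointing at that address; the key is the `established` keyword, which matches segments with ACK or RST set, so returning SYN/ACKs are permitted before the `syn` line, whereas `syn` alone also matches SYN/ACK.

```cisco
! Added example, not from the original post. Outside address is a placeholder.
! 'established' matches TCP segments with ACK or RST set, so the SYN/ACK
! returning from an outside site is accepted here and never reaches the
! 'syn' deny below.
access-list 102 permit tcp any any established
! Inbound services that NAT translates to inside hosts (placeholder address)
access-list 102 permit tcp any host 203.0.113.2 eq 80
access-list 102 permit tcp any host 203.0.113.2 eq 22
! Unsolicited connection attempts from outside carry SYN without ACK.
! 'syn' also matches SYN/ACK, which is why this line must come after
! the 'established' permit and not before it.
access-list 102 deny tcp any any syn log
! Everything else stays open for now, as the post describes
access-list 102 permit ip any any
!
interface Ethernet0/0
 ip access-group 102 in
```

Because the ACL is applied inbound on the outside interface, it is evaluated before NAT rewrites the destination, so the permits must reference the outside (translated) address rather than the rfc1918 inside hosts.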
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
