Actually, I would suggest you investigate reflexive access lists with
your version of IOS.
They are dynamic, so an inbound rule is added for each outbound
connection established.
Something like:
interface ethernet 0/0
 ip access-group inbound in
 ip access-group outbound out
!
ip access-list extended inbound
 ! reverse entries created by the outbound "reflect" are checked first
 evaluate outbnd-connections
 ! the only new connections accepted from outside: HTTP to the web server
 permit tcp any host mywebserver eq www
 deny ip any any
!
ip access-list extended outbound
 ! each outbound TCP session adds a temporary reverse entry to outbnd-connections
 permit tcp any any reflect outbnd-connections
 ! implicit deny follows: outbound UDP (e.g. DNS) and ICMP need their own permit entries
but please RTM...
Carol Deihl wrote:
>
> Hi Charlie,
>
> There are two sides to every TCP conversation. In the normal situation,
> the web browser initiates with a message from a high port (1024 or
> higher) to the destination on port 80. The web server replies back
> from its port 80 to the browser computer's original port.
>
> Your "deny" is dropping those replies, since it doesn't distinguish
> between replies in an ongoing connection and messages to
> initiate a new connection.
>
> If you are trying to block outsiders from initiating new connections
> to those high ports, you'll want to add "setup" at the end of the
> "deny" rule. Or, be more general, and say something like
>
> access-list 101 deny tcp any any gt 1023 setup log
>
> (I believe this is the Cisco syntax - check your docs to be sure).
>
> Hope this helps.
>
> Carol
>
> "Engasser, Charlie" wrote:
> >
> > I have a combo question.
> >
> > I am running Firewall-1 3.0b 3048, and my router is a Cisco 2611
> > running 12.0.6t.
> >
> > We are getting a lot of chatter traffic on high ports above 30k
> > coming inbound that appears to be associated with web browsing. The
> > firewall blocks this traffic, and everything works fine. However, if I
> > create an ACL on the router that denies the traffic, such as:
> >
> > on ser 0/1:
> >
> > ip access-group 101 in
> >
> > access-list 101 deny tcp any any range 40000 45000 log
> > access-list 101 permit ip any any
> >
> > Then the traffic stops flowing.
> >
> > Can anyone explain this?
> >
> > Charles Engasser
> > Contracted Network Engineer
> > Joint STARS; Joint Test Force.
> > SC; Titan Inc.
> > (407) or (321) 726-7048
> > (407) or (321) 726-7243 (fax)
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
> --
> Carol Deihl - principal, Shrier and Deihl - mailto:[EMAIL PROTECTED]
> Remote Unix Network Admin, Security, Internet Software Development
> Tinker Internet Services - Superior FreeBSD-based Web Hosting
> http://www.tinker.com/
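An added illustration, not part of any message in this thread: a small
simulator that runs constructed packets through the three inbound
filters discussed above. The first is Charlie's stateless deny on ports
40000-45000. The second is the same idea guarded by the TCP ACK/RST bit
check, which on Cisco IOS is the "established" keyword (the "setup"
keyword quoted above is not IOS syntax; "established" is the nearest IOS
equivalent, and it only looks at flag bits, so a crafted packet with ACK
set passes it). The third is a reflexive ACL, where "evaluate" permits
only packets that mirror a session already seen leaving through the
"reflect" entry. Addresses, ports, flags and the ACL entries are
assumptions made up for the example; reflexive entry time-outs and
sequence-number checks are left out.

```python
"""Stateless vs. stateful ACL handling of TCP replies (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    """One ACL entry. dport is an inclusive (lo, hi) range or None for any."""
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol, as in IOS
    dport: Optional[tuple] = None
    established: bool = False        # IOS "established": ACK or RST must be set


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class ReflexiveACL:
    """'permit tcp any any reflect NAME' outbound, 'evaluate NAME' inbound."""

    def __init__(self) -> None:
        self.mirrors: set = set()   # reverse 5-tuples of sessions seen leaving

    def outbound(self, pkt: Packet) -> str:
        if pkt.proto == "tcp":
            # Store the tuple the reply will carry (src and dst swapped).
            self.mirrors.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "permit"
        return "deny"   # the example outbound list permits nothing else

    def inbound(self, pkt: Packet, static_acl: list) -> str:
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.mirrors:
            return "permit"                 # matched a temporary reflexive entry
        return evaluate(static_acl, pkt)    # otherwise the static entries decide


# Constructed traffic (assumed addresses); "_in" packets arrive from outside.
INSIDE, WEBSERVER, SCANNER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
TRAFFIC = {
    "browser_syn_out": Packet("tcp", INSIDE, 42000, WEBSERVER, 80, frozenset({"SYN"})),
    "web_reply_in":    Packet("tcp", WEBSERVER, 80, INSIDE, 42000, frozenset({"SYN", "ACK"})),
    "scanner_syn_in":  Packet("tcp", SCANNER, 31337, INSIDE, 42000, frozenset({"SYN"})),
    "scanner_ack_in":  Packet("tcp", SCANNER, 31337, INSIDE, 42000, frozenset({"ACK"})),
}
INBOUND = ("web_reply_in", "scanner_syn_in", "scanner_ack_in")

# 1. deny tcp any any range 40000 45000 / permit ip any any
STATELESS_ACL = [Rule("deny", "tcp", (40000, 45000)), Rule("permit")]

# 2. permit tcp any any gt 1023 established / deny tcp any any gt 1023 / permit ip any any
ESTABLISHED_ACL = [
    Rule("permit", "tcp", (1024, 65535), established=True),
    Rule("deny", "tcp", (1024, 65535)),
    Rule("permit"),
]


def stateless_verdicts() -> dict:
    return {name: evaluate(STATELESS_ACL, TRAFFIC[name]) for name in INBOUND}


def established_verdicts() -> dict:
    return {name: evaluate(ESTABLISHED_ACL, TRAFFIC[name]) for name in INBOUND}


def reflexive_verdicts() -> dict:
    acl = ReflexiveACL()
    acl.outbound(TRAFFIC["browser_syn_out"])   # the browser opens the session
    static_inbound = [Rule("deny")]            # no published services in this example
    return {name: acl.inbound(TRAFFIC[name], static_inbound) for name in INBOUND}


if __name__ == "__main__":
    for label, fn in (("stateless", stateless_verdicts),
                      ("established", established_verdicts),
                      ("reflexive", reflexive_verdicts)):
        print(f"{label:12}", fn())
```

Running it shows the three behaviours side by side: the stateless list
drops the web server's SYN/ACK along with the scanner's probes, which is
exactly why browsing stopped; the "established" list lets the reply
through but also lets the scanner's bare ACK through, since it only
tests flag bits; the reflexive list permits the reply because an
outbound session was recorded and denies both probes.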