Sweet. Make it look like this:
1) access-list 110 deny ip host 127.0.0.1 any log-input
2) access-list 110 deny ip 194.7.246.160 0.0.0.7 any log-input
3) access-list 110 deny ip 10.1.0.0 0.0.255.255 any log-input
4) access-list 110 permit icmp any host 194.7.246.161 administratively-prohibited
5) access-list 110 permit icmp any host 194.7.246.161 echo log-input
6) access-list 110 permit icmp any host 194.7.246.161 echo-reply log-input
7) access-list 110 permit icmp any host 194.7.246.161 packet-too-big
8) access-list 110 permit icmp any host 194.7.246.161 time-exceeded
9) access-list 110 permit icmp any host 194.7.246.161 traceroute
10) access-list 110 permit icmp any host 194.7.246.161 unreachable
10a) access-list 110 permit tcp any host 194.7.246.161 gt 1023 established
[This is the line that will unbreak PASV FTP and lots of other stuff.]
11) access-list 110 permit tcp any eq 443 host 194.7.246.161 gt 1023 established
12) access-list 110 permit tcp any eq www host 194.7.246.161 gt 1023 established
13) access-list 110 permit tcp any eq ftp host 194.7.246.161 gt 1023 established
14) access-list 110 permit tcp any eq ftp-data host 194.7.246.161 gt 1023
15) access-list 110 permit udp any eq domain host 194.7.246.161 log
[Comment: I'd change the source from any to your upstream DNS resolvers]
16) access-list 110 permit tcp any eq smtp host 194.7.246.161 gt 1023 established log
17) access-list 110 permit tcp any gt 1023 host 194.7.246.162 eq www log
18) access-list 110 permit tcp any gt 1023 host 194.7.246.163 eq smtp log
[I don't think this is good... I thought SMTP servers used 25 as the src port when relaying... anyone?]
[19 .. 22 snipped - redundant. All the traffic will be matched by 11]
19) access-list 110 deny ip any any log-input
Personally, though, I'd write it like this:
[strip spoofed traffic]
[allow ICMP]
permit tcp any host x established
permit tcp any host x eq 25
permit tcp any host x eq 80
permit tcp any eq ftp-data host x gt 1023
permit udp host [upstream DNS1] eq 53 host x gt 1023 [ONLY if host x ISN'T a DNS server]
permit udp host [upstream DNS2] eq 53 host x gt 1023 [Otherwise stuff won't work]
deny ip any any log
It's (arguably) less secure than yours but (IMO) much more likely to work.
8)
Cheers,
PS: Hey Chris! Nyah nyah.... ;)
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
> -----Original Message-----
> From: Tom Casaer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 28 July 2000 10:06 PM
> To: 'Ben Nagy'; 'Chris Brenton'
> Cc: '[EMAIL PROTECTED]'
> Subject: RE: ftp through CISCO access-list
>
>
> Hi all,
>
>
> To recap, the problem is: FTP works, but only with clients, not in a
> DOS box. (Also not in a browser, but that's solved: passive FTP won't work.)
> I will be a little more specific/clear to prevent misunderstandings: the
> client is inside and I connect to any FTP server in the world.
[snip]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
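A worked check of the first access-list above, added here as an example and not code from Ben's or Tom's posts: a small Python evaluator that parses the subset of IOS extended-ACL syntax the list uses (any, host, address plus wildcard, eq/gt ports, ICMP type keywords, established, log/log-input) and runs constructed packets through access-list 110 with first-match semantics, reporting which entry each one hits. Entry 10a is taken as 194.7.246.161 on the assumption that the post's 192.7.246.161 is a typo; the peer addresses (203.0.113.x), client ports and the packet descriptions are made up for the demonstration.

```python
"""Toy first-match evaluator for access-list 110 from this thread (added
example, not code from the original post).  Parses the IOS syntax subset
used above; entry 10a is assumed to mean 194.7.246.161, not 192.7.246.161."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53}
ICMP_TYPES = {"administratively-prohibited", "echo", "echo-reply",
              "packet-too-big", "time-exceeded", "traceroute", "unreachable"}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set: the only thing 'established' tests
    icmp_type: str = ""


class Ace:
    def __init__(self, label, line):
        tok = line.split()
        self.label, self.action, self.proto = label, tok[2], tok[3]
        self.src, i = self._addr(tok, 4)
        self.sport, i = self._port(tok, i)
        self.dst, i = self._addr(tok, i)
        self.dport, i = self._port(tok, i)
        rest = set(tok[i:])                 # trailing keywords: icmp type, established, log*
        self.established = "established" in rest
        self.icmp_type = next((t for t in rest if t in ICMP_TYPES), None)

    @staticmethod
    def _addr(tok, i):
        if tok[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1]), i + 2
        w = int(ipaddress.ip_address(tok[i + 1]))   # IOS wildcard: 1 bits are "don't care"
        if w & (w + 1):
            raise ValueError(f"non-contiguous wildcard {tok[i + 1]} not supported")
        return ipaddress.ip_network((tok[i], 32 - w.bit_length()), strict=False), i + 2

    @staticmethod
    def _port(tok, i):
        if i < len(tok) and tok[i] in ("eq", "gt"):
            n = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            return ((lambda p: p == n) if tok[i] == "eq" else (lambda p: p > n)), i + 2
        return (lambda p: True), i          # no port clause: any port

    def matches(self, p):
        proto_ok = self.proto in ("ip", p.proto)
        addr_ok = (ipaddress.ip_address(p.src) in self.src
                   and ipaddress.ip_address(p.dst) in self.dst)
        port_ok = p.proto == "icmp" or (self.sport(p.sport) and self.dport(p.dport))
        est_ok = p.ack or not self.established      # 'established' never matches a bare SYN
        type_ok = not self.icmp_type or p.icmp_type == self.icmp_type
        return proto_ok and addr_ok and port_ok and est_ok and type_ok


ACL_110 = [Ace(*e) for e in [
    ("1", "access-list 110 deny ip host 127.0.0.1 any log-input"),
    ("2", "access-list 110 deny ip 194.7.246.160 0.0.0.7 any log-input"),
    ("3", "access-list 110 deny ip 10.1.0.0 0.0.255.255 any log-input"),
    ("4", "access-list 110 permit icmp any host 194.7.246.161 administratively-prohibited"),
    ("5", "access-list 110 permit icmp any host 194.7.246.161 echo log-input"),
    ("6", "access-list 110 permit icmp any host 194.7.246.161 echo-reply log-input"),
    ("7", "access-list 110 permit icmp any host 194.7.246.161 packet-too-big"),
    ("8", "access-list 110 permit icmp any host 194.7.246.161 time-exceeded"),
    ("9", "access-list 110 permit icmp any host 194.7.246.161 traceroute"),
    ("10", "access-list 110 permit icmp any host 194.7.246.161 unreachable"),
    ("10a", "access-list 110 permit tcp any host 194.7.246.161 gt 1023 established"),
    ("11", "access-list 110 permit tcp any eq 443 host 194.7.246.161 gt 1023 established"),
    ("12", "access-list 110 permit tcp any eq www host 194.7.246.161 gt 1023 established"),
    ("13", "access-list 110 permit tcp any eq ftp host 194.7.246.161 gt 1023 established"),
    ("14", "access-list 110 permit tcp any eq ftp-data host 194.7.246.161 gt 1023"),
    ("15", "access-list 110 permit udp any eq domain host 194.7.246.161 log"),
    ("16", "access-list 110 permit tcp any eq smtp host 194.7.246.161 gt 1023 established log"),
    ("17", "access-list 110 permit tcp any gt 1023 host 194.7.246.162 eq www log"),
    ("18", "access-list 110 permit tcp any gt 1023 host 194.7.246.163 eq smtp log"),
    ("19", "access-list 110 deny ip any any log-input"),
]]


def decide(pkt, acl=ACL_110):
    """IOS semantics: first matching entry wins.  Returns (entry label, action)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.label, ace.action
    return "implicit", "deny"               # the unwritten final 'deny ip any any'


SAMPLES = {  # constructed inbound packets; 203.0.113.x is documentation space
    "PASV data, server 40000 -> client 2048, ACK set": Packet("tcp", "203.0.113.10", "194.7.246.161", 40000, 2048, ack=True),
    "active data SYN, server 20 -> client 2049": Packet("tcp", "203.0.113.10", "194.7.246.161", 20, 2049),
    "unsolicited SYN, 40000 -> client 2048": Packet("tcp", "203.0.113.10", "194.7.246.161", 40000, 2048),
    "spoofed 10.1.2.3 source, ACK set": Packet("tcp", "10.1.2.3", "194.7.246.161", 40000, 2048, ack=True),
}

if __name__ == "__main__":
    for what, pkt in SAMPLES.items():
        label, action = decide(pkt)
        print(f"{action:6} (entry {label:>3})  {what}")
```

Running it shows why 10a is the line that matters for passive mode: the PASV data connection (server high port to client high port, ACK set) is accepted only by 10a, the active-mode data connection (source port 20, bare SYN) only by 14, and the same unsolicited SYN without the ACK bit falls through to the final deny. Note that `established` is a flag check, not connection tracking: any segment with ACK or RST set from anywhere to a high port on .161 passes 10a, which is the trade-off Ben is pointing at when he calls his version "(arguably) less secure".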