Cisco access-lists look at packets very literally.  They do not account for
return packets for your users' valid outbound connections.
 
You'll need to allow "established" TCP connections inbound, or allow inbound
by source port to specify return traffic for individual applications.
 
So, you can do this and allow all return traffic:
 
permit tcp any any established
 
Or you can do something like this:
 
permit tcp any eq 80 x.x.x.x 0.0.0.255
 
where x.x.x.x 0.0.0.255 is your internal network.
 
A couple notes:
 
The "established" option will only fix the problem with TCP connections.
UDP still won't work, so you'll probably have to add source port rules for
DNS and other UDP applications.
 
There are some pretty hefty security flaws with all of this.  You shouldn't
rely on Cisco access-lists for any sort of reasonable security.  An exception
is if you use firewall code on your router and implement CBAC (Content Based
Access Control).  This will allow stateful inspection of your connections and
eliminate the need to globally allow return traffic.
 
Carl
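As an added illustration (not code from either poster), here is a small Python evaluator for the extended-ACL syntax used above. It shows why an inbound list that only permits destination ports drops the replies to outbound connections, what the "established" and source-port fixes change, and the stateless weakness Carl warns about. The sample packets and the 10.0.0.0/24 LAN are constructed.

```python
import ipaddress
def _match_addr(spec, ip):
    # "any", or "A.B.C.D W.X.Y.Z": wildcard bits set to 1 are "don't care"
    if spec == "any":
        return True
    addr, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(addr)) & care

def parse_ace(line):
    """Parse 'permit tcp any eq 80 10.0.0.0 0.0.0.255 established' into a dict."""
    t = line.split()
    if t[0] == "access-list":          # tolerate the numbered form used in the post
        t = t[2:]
    action, proto, t = t[0], t[1], t[2:]
    def take_endpoint():
        nonlocal t
        spec, t = ("any", t[1:]) if t[0] == "any" else (f"{t[0]} {t[1]}", t[2:])
        port = None
        if t and t[0] == "eq":
            port, t = int(t[1]), t[2:]
        return spec, port
    src, sport = take_endpoint()
    dst, dport = take_endpoint()
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established="established" in t)

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_match_addr(ace["src"], pkt["src"]) and _match_addr(ace["dst"], pkt["dst"])):
        return False
    if ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"]):
        return False
    # "established" matches any TCP segment with ACK or RST set; no session state is kept
    return not ace["established"] or bool(pkt["flags"] & {"ACK", "RST"})
def evaluate(acl, pkt):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"
# Constructed sample traffic arriving on the Internet-facing interface; 10.0.0.0/24 is the assumed LAN.
LAN = "10.0.0.0 0.0.0.255"
WEB_REPLY = dict(proto="tcp", src="198.51.100.10", sport=80, dst="10.0.0.25", dport=49152, flags={"SYN", "ACK"})
DNS_REPLY = dict(proto="udp", src="198.51.100.53", sport=53, dst="10.0.0.25", dport=40000, flags=set())
ACK_PROBE = dict(proto="tcp", src="203.0.113.7", sport=1234, dst="10.0.0.25", dport=23, flags={"ACK"})
ORIGINAL = ["permit tcp any any eq 80", "permit tcp any any eq 53"]
WITH_ESTABLISHED = ORIGINAL + ["permit tcp any any established"]
BY_SOURCE_PORT = ORIGINAL + [f"permit tcp any eq 80 {LAN}", f"permit udp any eq 53 {LAN}"]
```

The original list denies WEB_REPLY; "established" permits it but still drops the UDP DNS reply and permits any unsolicited segment carrying ACK (ACK_PROBE), which is why only stateful inspection such as CBAC removes the need for these blanket permits.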

-----Original Message-----
From: Justin Tamakawa [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 24, 2000 10:10 AM
To: '[EMAIL PROTECTED]'
Subject: cisco access-lists


I'm having a problem with my access-list for my cisco router.  Let me give
you my exact access-list:
 
access-list 103 permit tcp any any eq 80 (Web)
access-list 103 permit tcp any any eq 443 (secure web (cybercash, kmart, etc))
access-list 103 permit tcp any any eq 25 (SMTP)
access-list 103 permit tcp any any eq 21 (FTP)
access-list 103 permit tcp any any eq 23 (Telnet)
access-list 103 permit tcp any any eq 5190 (AIM)
access-list 103 permit tcp any any eq 7070 (Realaudio)
access-list 103 permit tcp any any eq 53 (DNS)
access-list 103 permit ip 216.*.*.* 0.0.0.0 any 
access-list 103 permit ip 216.*.*.* 156 0.0.0.0 any 
access-list 103 permit ip 63.*.*.* 0.0.0.0 any 
access-list 103 permit tcp any any eq 106
access-list 103 permit udp any any eq 106
access-list 103 permit tcp any any eq 109
access-list 103 permit udp any any eq 109
access-list 103 permit tcp any any eq 110
access-list 103 permit udp any any eq 110
access-list 103 permit tcp any any eq 554
access-list 103 permit tcp any any eq 7070
access-list 103 permit tcp any any eq 8080
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 8181
 
Of course, what is in the parentheses is not included in the list.  For some
reason, the workers in my LAN don't have access to the www, among other
things.  What am I doing wrong?  I am allowing tcp port 80, from anywhere to
anywhere, so I can't see what the problem is.  Oh - by the way, this is on
my line coming in from the web.
Any help is definitely appreciated!
 
Thanks a MILLION,
 
Justin
