Someone is just using packet filtering on the router. It looks like someone is trying to allow reverse traffic back to the originator. This is not good.
It would be better if you were to deploy CBAC or reflexive access-lists. This way reverse traffic is automatically entered into the ACL. The outgoing traffic from your office to the Internet should be restricted to what you need. Example:

ip access-list extended ACL_INSIDE
 permit tcp 10.0.0.0 0.255.255.255 gt 1023 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 gt 1023 any eq 443
 permit udp 10.0.0.0 0.255.255.255 gt 1023 any eq 53

Incoming traffic to your mail server and web server, if you have one, should look something like this (not complete):

ip access-list extended ACL_OUTSIDE
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 128.0.0.0 0.0.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip 240.0.0.0 15.255.255.255 any log
 deny ip 0.0.0.0 0.255.255.255 any log
 deny icmp any any redirect log
 deny ip (your Public IP address space) any log
 permit tcp any gt 1023 host 2.2.2.2 eq 80
 permit tcp any gt 1023 host 3.3.3.3 eq 25
 permit udp any gt 1023 host 4.4.4.4 eq 53

If you don't have a license for the firewall feature set then use reflexive access-lists. But I recommend buying the firewall feature set and a support contract to download all the updates. Depending on what your needs are, a Cisco 1710 is a cool little box. If you don't need routing you can get the PIX 500 series if performance is not an issue. Go to the following links and read them over.

CBAC
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Software:Cisco_IOS_Firewall&s=Implementation_and_Configuration

Reflexive
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9817.html

Bob.

-----Original Message-----
From: noconflic
To: [EMAIL PROTECTED]
Sent: 6/10/03 4:48 PM
Subject: Cisco ACL Question

Hello,

I have a question about the following inbound Cisco ACL entry...

access-list 100 permit udp any X.X.X.0 0.0.0.255 gt 1023

From what I understand so far, this entry is required for normal outbound ftp, tftp, dns, and traceroute traffic. It has been suggested that one should specifically add deny rules for common UDP ports above that range. My question: I am looking for suggestions to make that more restrictive? What problems would there be with other hosts on the LAN if the entry was removed?

Thanks,
-CH

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
---------------------------------------------------------------------------
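As an added illustration (not part of Bob's reply or of the original post), the following Python script models the difference the thread is about: the static inbound entry "permit udp any X.X.X.0 0.0.0.255 gt 1023" from the question versus the reflexive access-list behaviour Bob recommends, where a reverse entry exists only because an inside host first sent a matching flow out. It implements Cisco wildcard-mask matching so the entries can be checked as written. The inside network 192.0.2.0/24 (standing in for X.X.X.0), the outside DNS server 198.51.100.53, the unrelated outside host 203.0.113.7 and the packets are all constructed placeholders from the documentation address ranges; the entry timeout that a real IOS reflexive ACL applies is deliberately left out of the model.

```python
"""Added example: static 'permit udp any <net> gt 1023' versus a reflexive ACL.

Constructed values: 192.0.2.0/24 stands in for the X.X.X.0 inside network from
the question, 198.51.100.53 is a made-up outside DNS server and 203.0.113.7 a
made-up unrelated outside host (all documentation ranges, not real hosts).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


INSIDE_NET, INSIDE_WC = "192.0.2.0", "0.0.0.255"   # placeholder for X.X.X.0 0.0.0.255


def static_inbound_permit(pkt: Packet) -> bool:
    """The entry from the question: access-list 100 permit udp any X.X.X.0 0.0.0.255 gt 1023.

    It matches on protocol, destination network and destination port only; it has
    no notion of whether an inside host ever sent anything out.
    """
    return (pkt.proto == "udp"
            and wildcard_match(pkt.dst, INSIDE_NET, INSIDE_WC)
            and pkt.dport > 1023)


class ReflexiveFilter:
    """Minimal model of a reflexive ACL: outbound flows create temporary reverse
    entries; an inbound packet passes only if it mirrors one of them. (A real
    IOS reflexive ACL also ages entries out after a timeout; omitted here.)"""

    def __init__(self, inside_net: str, inside_wc: str) -> None:
        self.inside = (inside_net, inside_wc)
        # reverse entries keyed as (proto, outside_ip, outside_port, inside_ip, inside_port)
        self.reflected = set()

    def outbound(self, pkt: Packet) -> bool:
        if not wildcard_match(pkt.src, *self.inside):
            return False            # not from the inside network: no reverse entry is created
        self.reflected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflected


def evaluate_scenarios() -> dict:
    """Return {scenario: (static_rule_permits, reflexive_permits)} for constructed packets."""
    reflexive = ReflexiveFilter(INSIDE_NET, INSIDE_WC)

    # 1. An inside host queries an outside DNS server (what the outbound ACL permits),
    #    and the server answers. Both filters should let the answer back in.
    query = Packet("udp", "192.0.2.10", 40000, "198.51.100.53", 53)
    reflexive.outbound(query)
    reply = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 40000)

    # 2. An unrelated outside host sends an unsolicited UDP datagram to a high port.
    #    The static entry permits it; the reflexive filter has no matching flow.
    unsolicited = Packet("udp", "203.0.113.7", 50000, "192.0.2.10", 5555)

    return {
        "dns_reply": (static_inbound_permit(reply), reflexive.inbound(reply)),
        "unsolicited_udp": (static_inbound_permit(unsolicited), reflexive.inbound(unsolicited)),
    }


if __name__ == "__main__":
    for name, (static_ok, reflexive_ok) in evaluate_scenarios().items():
        print(f"{name:16} static={'permit' if static_ok else 'deny':6} "
              f"reflexive={'permit' if reflexive_ok else 'deny'}")
```

Running it prints one line per scenario: the DNS reply is permitted by both filters, while the unsolicited datagram is permitted by the static entry and dropped by the reflexive one. That is the gap the original poster was trying to close with extra deny lines, and the reason Bob points at reflexive access-lists or CBAC instead: the reverse entry is derived from observed outbound traffic rather than from a fixed port range.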