Simple question about access lists

Hi,

I'm having a devil of a time trying to set up what ought to be an extremely simple inbound access list. All I want to do is allow inbound connections to a few web servers, while not having any kind of restrictions on outbound traffic.

My understanding is that I need to permit established traffic at the top of my list in order for client programs to get responses from outside servers. I put:

access-list 101 permit tcp any any established

But this doesn't work. With this control in place, I can't even browse an external web site. The only way I've been able to fix it is to allow everything:

access-list 101 permit ip any any

Of course this is not what I want, because it opens my whole network up to the internet.

Is there some special trick to this that I'm missing?

Reply to
flarosa

If you only have 'permit tcp any any established' then replies from DNS servers to your resolver will be blocked, hence no web access.

Chris.

Reply to
chris

You want to use reflective access lists so rules for traffic returning to internal clients are dynamically created. Using 'established' simply makes the router check whether the 'ACK' bit is set and has nothing to do with actual 'established' traffic. This is part of CBAC (Context Based Access Control) ... in a Firewall feature set IOS.

BernieM

Reply to
BernieM

More on the reflective ACLs, and it mentions that normal ACLs with 'established' also check for the RST bit. These bits can easily be set by someone to bypass ACLs using 'established' ...

BernieM

Reply to
BernieM
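The behaviour described in the replies above, modelled as an added example (not posted by anyone in this thread): a small Python evaluator for a subset of IOS numbered ACL syntax. It shows that an ACL consisting only of 'permit tcp any any established' drops the UDP reply from a DNS server, that adding a DNS-reply entry and a web-server entry fixes that, and that 'established' is stateless, so any packet carrying the ACK or RST bit passes it whether or not a connection exists. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag

def _addr(t, i):
    # 'any' matches everything; 'host X' matches one address (subnet/wildcard form not modelled)
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError("unsupported address form: " + t[i])

def _port(t, i):
    # optional 'eq <port>' after an address
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_acl(lines: List[str]) -> List[dict]:
    """access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p] [established]"""
    rules = []
    for line in lines:
        t = line.split()
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst,
                          dport=dport, established=("established" in t[i:])))
    return rules

def matches(rule: dict, p: Packet) -> bool:
    if rule["proto"] not in ("ip", p.proto):
        return False
    for key, val in (("src", p.src), ("sport", p.sport), ("dst", p.dst), ("dport", p.dport)):
        if rule[key] is not None and rule[key] != val:
            return False
    # 'established' keeps no state: it only looks at the ACK/RST bits of this one packet
    return not rule["established"] or p.ack or p.rst

def evaluate(rules: List[dict], p: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    return next((r["action"] for r in rules if matches(r, p)), "deny")

ESTABLISHED_ONLY = parse_acl(["access-list 101 permit tcp any any established"])
WEB_SERVER_ACL = parse_acl([
    "access-list 101 permit tcp any any established",
    "access-list 101 permit udp any eq 53 any",              # replies from DNS servers
    "access-list 101 permit tcp any host 192.0.2.10 eq 80",  # constructed web server address
    "access-list 101 deny ip any any",
])
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "192.0.2.20", 40000)   # constructed
WEB_REQUEST = Packet("tcp", "203.0.113.5", 51000, "192.0.2.10", 80)   # constructed
ACK_FLAGGED_TO_SSH = Packet("tcp", "203.0.113.5", 51001, "192.0.2.10", 22, ack=True)
```

Running evaluate() over these packets shows why the 'established'-only list broke browsing and why a rule for DNS replies repaired it, while ACK_FLAGGED_TO_SSH passing the 'established' entry is the limitation the reply above warns about; only a stateful mechanism such as reflexive ACLs closes that gap.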

Thanks, I'm using a very old router and I don't think it supports what you're talking about, plus I don't really understand it anyway. I added a rule to permit DNS responses and that seems to have fixed my problem for now.

I understand that it must be possible for a hacker to spoof the "established" bit in the TCP packet pretty easily, but does that matter? I mean, certainly any kind of listening socket in an application is not going to accept a new connection from a packet with the established bit set - right?

Frank

Reply to
flarosa