[c-nsp] ACL making me insane
Luan Nguyen
luan.m.nguyen at gmail.com
Tue Jun 3 13:37:30 EDT 2008
The problem is that when someone contacts your PROTECTEDSERVER, you need to
allow the counter flow of that.
For example, you need to have:
permit tcp host PROTECTEDSERVER eq 80 any gt 1024
so that the web counter flow will work (this is the counter flow of the line:
permit tcp any host PROTECTEDSERVER eq 80).
-lmn
On Tue, Jun 3, 2008 at 1:23 PM, Skeeve Stevens <skeeve at skeeve.org> wrote:
>
> Hey all,
>
> Got an issue with the below ACL. The inbound to the PROTECTEDSERVER is
> working OK: port 80 is allowed, and RDP from one trusted machine.
> But on the outbound, with the deny ip any any active (notice the !), the
> inbound won't work, nor can the server get out.
>
> What am I missing?
>
> Basically what I want to do is deny all and allow only certain things.
>
> .Skeeve
>
> !
> no ip access-list extended FWCUST_XXX_IN
> ip access-list extended FWCUST_XXX_IN
> remark Inbound Firewall rules for XXX Services
> permit tcp any host PROTECTEDSERVER established
> permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
> permit tcp any host PROTECTEDSERVER eq 80
> permit icmp any any
> deny ip any any
> !
> no ip access-list extended FWCUST_XXX_OUT
> ip access-list extended FWCUST_XXX_OUT
> remark Outbound Firewall rules for XXX Services
> permit tcp any any established
> permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp
> permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
> permit icmp any any
> permit tcp host PROTECTEDSERVER any eq domain
> permit udp host PROTECTEDSERVER any eq domain
> permit tcp host PROTECTEDSERVER any eq 80
> permit tcp host PROTECTEDSERVER any eq 21
> permit udp host PROTECTEDSERVER any eq 20
> ! deny ip any any
> !
> !
> !
> interface GigabitEthernet0/2.402
> ip access-group FWCUST_XXX_OUT in
> ip access-group FWCUST_XXX_IN out
> !
> end
> !
>
> --
> Skeeve Stevens, RHCE
> skeeve at skeeve.org / www.skeeve.org
> Cell +61 (0)414 753 383 / skype://skeeve
>
> eintellego - skeeve at eintellego.net - www.eintellego.net
> --
> I'm a groove licked love child king of the verse
> Si vis pacem, para bellum
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
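As an added illustration of the point both messages turn on (a stateless ACL sees each direction of a flow on its own, so the return half must be permitted somewhere, and the established keyword only ever matches TCP), here is a small evaluator written for this page. It is not code from either poster or from Cisco. It loads the two lists as quoted above with the OUT list's deny ip any any active, substitutes placeholder addresses from the RFC 5737 documentation ranges for PROTECTEDSERVER, ALLOWEDREMOTE and SAFEMAIL (the thread gives no real ones), and writes the smtp line with the host keyword. The packet model, the sample flows and the restriction to any/host endpoints and eq/gt/lt ports are my own simplifications; established is taken to match segments with ACK or RST set, which is the IOS definition.

```python
"""Toy evaluator for Cisco IOS-style extended ACLs (added example, not the poster's config).
Subset: permit/deny; ip/tcp/udp/icmp; 'any' or 'host A.B.C.D'; eq/gt/lt ports; and the TCP
'established' keyword, which in IOS matches segments with ACK or RST set. First match wins;
an implicit 'deny ip any any' closes every list."""
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110, "ftp": 21, "ftp-data": 20}
Ace = namedtuple("Ace", "action proto src sport dst dport established")
# flags: TCP flags present, e.g. {"syn"} or {"ack"}; sport/dport stay 0 for icmp
Packet = namedtuple("Packet", "proto src dst sport dport flags", defaults=(0, 0, frozenset()))

def _endpoint(toks, i):
    """'any' or 'host <addr>' -> (predicate, next index); wildcard masks are not handled."""
    if toks[i] == "any":
        return (lambda a: True), i + 1
    if toks[i] == "host":
        return (lambda a, want=toks[i + 1]: a == want), i + 2
    raise ValueError(f"unsupported endpoint {toks[i]!r}")

def _portspec(toks, i):
    """Optional 'eq|gt|lt <port>' -> (predicate, next index); absent means any port."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
        n = int(toks[i + 1]) if toks[i + 1].isdigit() else PORT_NAMES[toks[i + 1]]
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[toks[i]], i + 2
    return (lambda p: True), i

def parse_ace(line):
    toks = line.split()
    src, i = _endpoint(toks, 2)
    sport, i = _portspec(toks, i)
    dst, i = _endpoint(toks, i)
    dport, i = _portspec(toks, i)
    return Ace(toks[0], toks[1], src, sport, dst, dport, "established" in toks[i:])

def parse_acl(text):
    """Blank, '!' and 'remark' lines are skipped, as IOS ignores them."""
    lines = (l.strip() for l in text.strip().splitlines())
    return [parse_ace(l) for l in lines if l and not l.startswith(("!", "remark"))]

def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (ace.src(pkt.src) and ace.dst(pkt.dst)):
        return False
    if pkt.proto in ("tcp", "udp") and not (ace.sport(pkt.sport) and ace.dport(pkt.dport)):
        return False
    return not ace.established or (pkt.proto == "tcp" and bool(pkt.flags & {"ack", "rst"}))

def evaluate(acl, pkt):
    """(verdict, index of the matching entry); index None means the implicit deny fired."""
    for idx, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, idx
    return "deny", None

# Placeholder addresses (RFC 5737 documentation ranges); the thread gives no real ones.
PROTECTEDSERVER, ALLOWEDREMOTE, SAFEMAIL = "192.0.2.10", "198.51.100.5", "198.51.100.25"
# The two lists as posted, with the OUT list's 'deny ip any any' active (the case that breaks).
FW_IN = parse_acl(f"""
permit tcp any host {PROTECTEDSERVER} established
permit tcp host {ALLOWEDREMOTE} host {PROTECTEDSERVER} eq 3389
permit tcp any host {PROTECTEDSERVER} eq 80
permit icmp any any
deny ip any any""")
FW_OUT = parse_acl(f"""
permit tcp any any established
permit tcp host {PROTECTEDSERVER} host {SAFEMAIL} eq smtp
permit tcp host {PROTECTEDSERVER} host {SAFEMAIL} eq pop3
permit icmp any any
permit tcp host {PROTECTEDSERVER} any eq domain
permit udp host {PROTECTEDSERVER} any eq domain
permit tcp host {PROTECTEDSERVER} any eq 80
permit tcp host {PROTECTEDSERVER} any eq 21
permit udp host {PROTECTEDSERVER} any eq 20
deny ip any any""")

def verdict(pkt):
    """FW_OUT is applied 'in' on the server-facing subinterface (filters what the server
    sends); FW_IN is applied 'out' (filters what is delivered toward the server)."""
    return evaluate(FW_OUT if pkt.src == PROTECTEDSERVER else FW_IN, pkt)[0]

def check_flow(opening, reply):
    """Stateless lists see each direction separately: both halves must be permitted."""
    return verdict(opening), verdict(reply)

def demo_flows():
    """Constructed sample flows -> {name: (opening verdict, reply verdict)}."""
    client, resolver, web = "203.0.113.7", "198.51.100.53", "203.0.113.80"
    syn, ack, synack = frozenset({"syn"}), frozenset({"ack"}), frozenset({"syn", "ack"})
    return {
        "client web to server": check_flow(
            Packet("tcp", client, PROTECTEDSERVER, 40000, 80, syn),
            Packet("tcp", PROTECTEDSERVER, client, 80, 40000, ack)),
        "server web out": check_flow(
            Packet("tcp", PROTECTEDSERVER, web, 50000, 80, syn),
            Packet("tcp", web, PROTECTEDSERVER, 80, 50000, synack)),
        "server dns query": check_flow(
            Packet("udp", PROTECTEDSERVER, resolver, 53000, 53),
            Packet("udp", resolver, PROTECTEDSERVER, 53, 53000)),
    }
```

Calling demo_flows() shows both TCP flows permitted in each direction: the server's HTTP reply hits permit tcp any any established in the OUT list, and the SYN/ACK answering the server's own outbound connection hits the established entry at the top of the IN list. The UDP DNS query leaves under permit udp host PROTECTEDSERVER any eq domain, but its reply reaches the IN list's deny ip any any because established never matches UDP; the suggested permit tcp host PROTECTEDSERVER eq 80 any gt 1024 can be checked the same way with evaluate() against a single-entry list.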