[c-nsp] ACL making me insane

Enno Rey erey at ernw.de
Tue Jun 3 13:58:05 EDT 2008


Hi,

On Tue, Jun 03, 2008 at 01:37:30PM -0400, Luan Nguyen wrote:
> The problem is when someone contacted your protectedserver, you need to
> allow the counter flow of that.
> For example, you need to have:  permit tcp host PROTECTEDSERVER eq 80 any gt
> 1024  so that the web counter flow will work (counter flow of this line:
> permit tcp any host PROTECTEDSERVER eq 80)

this is not correct as there's the "tcp any any established" rule which should (and does) permit that.

thanks,

Enno
> 
> -lmn
> 
> On Tue, Jun 3, 2008 at 1:23 PM, Skeeve Stevens <skeeve at skeeve.org> wrote:
> 
> >
> > Hey all,
> >
> > Got an issue with the below ACL.  The inbound to the PROTECTEDSERVER is
> > working ok.. port 80 is allowed, RDP from one trusted machine.
> > But on the outbound, with the deny ip any any active (notice the !), the
> > inbound won't work, nor can the server get out.
> >
> > What am I missing?
> >
> > Basically what I want to do is deny all, allow only certain things..
> >
> > .Skeeve
> >
> > !
> > no ip access-list extended FWCUST_XXX_IN
> > ip access-list extended FWCUST_XXX_IN
> >  remark Inbound Firewall rules for XXX Services
> >  permit tcp any host PROTECTEDSERVER established
> >  permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
> >  permit tcp any host PROTECTEDSERVER eq 80
> >  permit icmp any any
> >  deny   ip any any
> > !
> > no ip access-list extended FWCUST_XXX_OUT
> > ip access-list extended FWCUST_XXX_OUT
> >  remark Outbound Firewall rules for XXX Services
> >  permit tcp any any established
> >  permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp
> >  permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
> >  permit icmp any any
> >  permit tcp host PROTECTEDSERVER any eq domain
> >  permit udp host PROTECTEDSERVER any eq domain
> >  permit tcp host PROTECTEDSERVER any eq 80
> >  permit tcp host PROTECTEDSERVER any eq 21
> >  permit udp host PROTECTEDSERVER any eq 20
> > ! deny   ip any any
> > !
> > !
> > !
> > interface GigabitEthernet0/2.402
> >  ip access-group FWCUST_XXX_OUT in
> >  ip access-group FWCUST_XXX_IN out
> > !
> > end
> > !
> >
> > --
> > Skeeve Stevens, RHCE
> > skeeve at skeeve.org / www.skeeve.org
> > Cell +61 (0)414 753 383 / skype://skeeve
> >
> > eintellego - skeeve at eintellego.net - www.eintellego.net
> > --
> > I'm a groove licked love child king of the verse
> > Si vis pacem, para bellum
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

-- 
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
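The disagreement in this thread is about what `permit tcp any any established` actually covers. The following is an added illustration, not code from the thread or from Cisco: a small Python model of how IOS extended ACL entries are matched, restricted to the forms used in Skeeve's two ACLs (`any`, `host X`, `eq|gt|lt PORT`, `established`). It keeps the placeholder names from the post (PROTECTEDSERVER, ALLOWEDREMOTE, SAFEMAIL), assumes the smtp line lost its `host` keyword in transcription, and uses constructed packets (CLIENT, RANDOMHOST and the port numbers are made up) to show that the server's reply to a web client is permitted by the `established` entry, as Enno says, with no `eq 80 any gt 1024` counter-flow line needed.

```python
# Added illustration (not IOS code, not from the thread): a simplified model of
# IOS extended ACL matching covering only the entry forms used in the posted ACLs.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53, "www": 80}  # IOS port names used here


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # True when the ACK (or RST) bit is set


@dataclass
class Entry:
    action: str
    proto: str
    src: str                            # "any" or a host
    sport: Optional[Tuple[str, int]]    # ("eq"|"gt"|"lt", port) or None
    dst: str
    dport: Optional[Tuple[str, int]]
    established: bool


def _port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(t: List[str], i: int):
    """Consume 'any' or 'host X' at t[i]; return (addr, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {t[i]}")


def _parse_port(t: List[str], i: int):
    """Optionally consume 'eq|gt|lt PORT'; return (spec or None, next index)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], _port_num(t[i + 1])), i + 2
    return None, i


def parse_ace(line: str) -> Entry:
    """Parse one access-list entry such as 'permit tcp any host X eq 80'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    established = i < len(t) and t[i] == "established"
    return Entry(action, proto, src, sport, dst, dport, established)


def _port_ok(spec, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def ace_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src != "any" and e.src != p.src:
        return False
    if e.dst != "any" and e.dst != p.dst:
        return False
    if p.proto in ("tcp", "udp") and not (_port_ok(e.sport, p.sport) and _port_ok(e.dport, p.dport)):
        return False
    # "established" is a flag test only: it matches any TCP segment with ACK or RST set.
    if e.established and not (p.proto == "tcp" and p.ack):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for e in acl:
        if ace_matches(e, p):
            return e.action
    return "deny"


# The two ACLs as posted (smtp line assumed to carry the 'host' keyword).
IN_ACL = [parse_ace(line) for line in [
    "permit tcp any host PROTECTEDSERVER established",
    "permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389",
    "permit tcp any host PROTECTEDSERVER eq 80",
    "permit icmp any any",
    "deny ip any any",
]]
OUT_ACL = [parse_ace(line) for line in [
    "permit tcp any any established",
    "permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp",
    "permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3",
    "permit icmp any any",
    "permit tcp host PROTECTEDSERVER any eq domain",
    "permit udp host PROTECTEDSERVER any eq domain",
    "permit tcp host PROTECTEDSERVER any eq 80",
    "permit tcp host PROTECTEDSERVER any eq 21",
    "permit udp host PROTECTEDSERVER any eq 20",
    "deny ip any any",   # the line Skeeve has commented out; shown active here
]]


def scenario_web_return_flow() -> str:
    """Server's SYN-ACK back to a web client (constructed): ACK set, so the
    'established' entry permits it without any 'eq 80 any gt 1024' line."""
    return evaluate(OUT_ACL, Packet("tcp", "PROTECTEDSERVER", "CLIENT", 80, 51515, ack=True))


def scenario_unsolicited_syn_to_rdp() -> str:
    """New connection to 3389 from a host other than ALLOWEDREMOTE (constructed)."""
    return evaluate(IN_ACL, Packet("tcp", "RANDOMHOST", "PROTECTEDSERVER", 40000, 3389, ack=False))


def scenario_ack_without_connection() -> str:
    """Caveat: a lone ACK to 3389 with no prior connection still matches
    'established', because the keyword checks flag bits, not connection state."""
    return evaluate(IN_ACL, Packet("tcp", "RANDOMHOST", "PROTECTEDSERVER", 40000, 3389, ack=True))


def scenario_server_dns_query() -> str:
    return evaluate(OUT_ACL, Packet("udp", "PROTECTEDSERVER", "RESOLVER", 53000, 53))
```

Two points the model makes visible. First, because an IOS ACL always ends in an implicit deny, adding or removing the explicit `deny ip any any` changes nothing about which packets match in this model; it only gives you a counter and a place to hang `log`. Second, `established` is not stateful: any TCP segment with ACK or RST set passes it, so it does not give the protection a reflexive ACL, CBAC or a zone-based firewall would.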

