[c-nsp] ACL making me insane

Stephen Stuart stuart at tech.org
Tue Jun 3 14:50:29 EDT 2008


> Hi,
> 
> On Tue, Jun 03, 2008 at 01:37:30PM -0400, Luan Nguyen wrote:
> > The problem is when someone contacted your protectedserver, you need to
> > allow the counter flow of that.
> > For example, you need to have:  permit tcp host PROTECTEDSERVER eq 80 any gt
> > 1024  so that the web counter flow will work (counter flow of this line:
> > permit tcp any host PROTECTEDSERVER eq 80)
> 
> this is not correct as there's the "tcp any any established" rule which should (and does) permit that.

The "established" rule is present on the inbound ACL, but not the
outbound ACL. Adding an "established" rule to the outbound ACL would
fix things (but might allow more communication than Skeeve desires);
Luan's correction to the outbound rules would fix things, as well.

Stephen
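Both fixes above work because IOS extended ACLs are stateless: the `established` keyword does not track connections, it simply matches TCP segments with the ACK or RST bit set, which is why it passes the server's SYN-ACK but also anything else with ACK set. The following Python is an added illustration, not code from the thread: it models first-match evaluation of Cisco-style extended ACL entries and runs the web flow through the outbound ACL as posted, with Luan's counter-flow entry, and with an `established` entry, then shows the extra traffic the `established` variant admits. The server and client addresses, the client's ephemeral port, and the assumption that the posted outbound ACL has no entry matching return traffic are mine.

```python
"""Stateless evaluation of Cisco-style extended ACL entries against a TCP flow (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

PROTECTED_SERVER = "192.0.2.10"   # assumed address for PROTECTEDSERVER
CLIENT = "198.51.100.7"           # assumed web client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]         # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass(frozen=True)
class Ace:
    """One entry: permit|deny tcp <src> [op port] <dst> [op port] [established]."""
    action: str                          # "permit" or "deny"
    src: str                             # host address or "any"
    sport: Optional[Tuple[str, int]]     # ("eq", 80), ("gt", 1024) or None
    dst: str
    dport: Optional[Tuple[str, int]]
    established: bool = False


def _host_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def _port_match(spec: Optional[Tuple[str, int]], port: int) -> bool:
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if not (_host_match(ace.src, pkt.src) and _port_match(ace.sport, pkt.sport)
            and _host_match(ace.dst, pkt.dst) and _port_match(ace.dport, pkt.dport)):
        return False
    # 'established' is stateless on IOS: it only asks whether ACK or RST is set.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The thread's inbound ACL (traffic towards the server): web plus established.
INBOUND = [
    Ace("permit", "any", None, PROTECTED_SERVER, ("eq", 80)),
    Ace("permit", "any", None, "any", None, established=True),
]
# The outbound ACL as posted: assumed to have no entry matching return traffic.
OUTBOUND_ORIGINAL = []
# Luan's fix: the explicit counter flow of 'permit tcp any host SERVER eq 80'.
OUTBOUND_COUNTERFLOW = [Ace("permit", PROTECTED_SERVER, ("eq", 80), "any", ("gt", 1024))]
# Stephen's alternative: an established entry on the outbound ACL.
OUTBOUND_ESTABLISHED = [Ace("permit", "any", None, "any", None, established=True)]

# Constructed packets for one HTTP connection (client ephemeral port 51234 assumed).
SYN = Packet(CLIENT, 51234, PROTECTED_SERVER, 80, frozenset({"SYN"}))
SYN_ACK = Packet(PROTECTED_SERVER, 80, CLIENT, 51234, frozenset({"SYN", "ACK"}))
# An ACK-flagged segment from another service on the server (port 22): not part of the web flow.
STRAY_ACK = Packet(PROTECTED_SERVER, 22, CLIENT, 51235, frozenset({"ACK"}))
# A connection the server itself opens: SYN only, so no ACK/RST bit yet.
SERVER_SYN = Packet(PROTECTED_SERVER, 51000, CLIENT, 22, frozenset({"SYN"}))


def web_handshake(outbound) -> Tuple[str, str]:
    """Verdict for the client's SYN on INBOUND and the server's SYN-ACK on the given outbound ACL."""
    return evaluate(INBOUND, SYN), evaluate(outbound, SYN_ACK)


if __name__ == "__main__":
    for name, acl in [("as posted", OUTBOUND_ORIGINAL),
                      ("counter-flow", OUTBOUND_COUNTERFLOW),
                      ("established", OUTBOUND_ESTABLISHED)]:
        print(f"{name:12s} SYN/SYN-ACK={web_handshake(acl)} "
              f"stray ACK={evaluate(acl, STRAY_ACK)} server SYN={evaluate(acl, SERVER_SYN)}")
```

The counter-flow entry admits only segments sourced from port 80 on the server, so the stray ACK from port 22 stays blocked; the `established` entry admits any ACK-or-RST-flagged segment from any host, which is the "more communication than desired" caveat. Neither entry lets the server open a new connection of its own, since a bare SYN has no ACK bit and does not come from port 80.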

