Velocity Reviews - Computer Hardware Reviews

Simple question about access lists

 
 
flarosa
06-01-2006
Hi,

I'm having a devil of a time trying to set up what ought to be an
extremely simple inbound access list. All I want to do is allow inbound
connections to a few web servers, while not having any kind of
restrictions on outbound traffic.

My understanding is that I need to permit established traffic at the
top of my list in order for client programs to get responses from
outside servers. I put:

access-list 101 permit tcp any any established

But this doesn't work. With this control in place, I can't even browse
an external web site. The only way I've been able to fix it is to allow
everything:

access-list 101 permit ip any any

Of course this is not what I want, because it opens my whole network up
to the internet.

Is there some special trick to this that I'm missing?

 
chris
06-01-2006

"flarosa" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hi,
>
> I'm having a devil of a time trying to set up what ought to be an
> extremely simple inbound access list. All I want to do is allow inbound
> connections to a few web servers, while not having any kind of
> restrictions on outbound traffic.
>
> My understanding is that I need to permit established traffic at the
> top of my list in order for client programs to get responses from
> outside servers. I put:
>
> access-list 101 permit tcp any any established
>
> But this doesn't work. With this control in place, I can't even browse
> an external web site. The only way I've been able to fix it is to allow
> everything:
>
> access-list 101 permit ip any any
>
> Of course this is not what I want, because it opens my whole network up
> to the internet.
>
> Is there some special trick to this that I'm missing?
>


If you only have 'permit tcp any any established' then replies from DNS
servers to your resolver will be blocked, hence no web access.

Chris.


 
BernieM
06-02-2006

"flarosa" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hi,
>
> I'm having a devil of a time trying to set up what ought to be an
> extremely simple inbound access list. All I want to do is allow inbound
> connections to a few web servers, while not having any kind of
> restrictions on outbound traffic.
>
> My understanding is that I need to permit established traffic at the
> top of my list in order for client programs to get responses from
> outside servers. I put:
>
> access-list 101 permit tcp any any established
>
> But this doesn't work. With this control in place, I can't even browse
> an external web site. The only way I've been able to fix it is to allow
> everything:
>
> access-list 101 permit ip any any
>
> Of course this is not what I want, because it opens my whole network up
> to the internet.
>
> Is there some special trick to this that I'm missing?
>


You want to use reflective access lists so rules for traffic returning to
internal clients are dynamically created. Using 'established' simply makes
the router check whether the 'ACK' bit is set and has nothing to do with
actual 'established' traffic. This is part of CBAC (Context Based Access
Control) ... in a Firewall feature set IOS.

http://www.cisco.com/en/US/products/...80094110.shtml

BernieM


 
BernieM
06-02-2006

"flarosa" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hi,
>
> I'm having a devil of a time trying to set up what ought to be an
> extremely simple inbound access list. All I want to do is allow inbound
> connections to a few web servers, while not having any kind of
> restrictions on outbound traffic.
>
> My understanding is that I need to permit established traffic at the
> top of my list in order for client programs to get responses from
> outside servers. I put:
>
> access-list 101 permit tcp any any established
>
> But this doesn't work. With this control in place, I can't even browse
> an external web site. The only way I've been able to fix it is to allow
> everything:
>
> access-list 101 permit ip any any
>
> Of course this is not what I want, because it opens my whole network up
> to the internet.
>
> Is there some special trick to this that I'm missing?
>


More on the reflective acl's and it mentions that normal acl's with
'established' also check for the RST bit. These bits can easily be set by
someone to bypass acl's using 'established' ...

http://www.cisco.com/en/US/products/...0800d9817.html

BernieM


 
flarosa
06-04-2006
Thanks, I'm using a very old router and I don't think it supports what
you're talking about, plus I don't really understand it anyway. I added
a rule to permit DNS responses and that seems to have fixed my problem
for now.

I understand that it must be possible for a hacker to spoof the
"established" bit in the TCP packet pretty easily, but does that
matter? I mean, certainly any kind of listening socket in an
application is not going to accept a new connection from a packet with
the established bit set - right?

Frank

BernieM wrote:
> "flarosa" <(E-Mail Removed)> wrote in message
> More on the reflective acl's and it mentions that normal acl's with
> 'established' also check for the RST bit. These bits can easily be set by
> someone to bypass acl's using 'established' ...


 
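As an added illustration (not code from the thread or from Cisco), here is a small Python model of first-match extended-ACL evaluation that shows why flarosa's one-line list blocked browsing, why the DNS permit fixed it, and BernieM's point that 'established' only looks at the ACK/RST bits. The exact form of the DNS rule, the web-server host 203.0.113.10 and all addresses and ports are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"SYN"} or {"ACK"}

@dataclass(frozen=True)
class Rule:                         # one "access-list 101 ..." entry
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    dst: Optional[str] = None       # None means "any"
    dport: Optional[int] = None
    sport: Optional[int] = None
    established: bool = False       # the IOS "established" keyword

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    for want, have in ((rule.dst, pkt.dst), (rule.dport, pkt.dport),
                       (rule.sport, pkt.sport)):
        if want is not None and want != have:
            return False
    # "established" only tests the TCP header for ACK or RST: no connection
    # tracking, and it never matches UDP, so DNS replies hit the implicit deny.
    return not rule.established or bool({"ACK", "RST"} & pkt.flags)

def evaluate(acl: list, pkt: Packet) -> str:
    # First matching entry wins; every IOS ACL ends in an implicit deny.
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# flarosa's original list: only "access-list 101 permit tcp any any established".
ORIGINAL_ACL = [Rule("permit", "tcp", established=True)]
# The thread's DNS fix plus a web-server permit (constructed address), i.e.
# "permit udp any eq 53 any" and "permit tcp any host 203.0.113.10 eq 80".
FIXED_ACL = ORIGINAL_ACL + [Rule("permit", "udp", sport=53),
                            Rule("permit", "tcp", dst="203.0.113.10", dport=80)]

# Constructed sample packets arriving inbound on the outside interface.
DNS_REPLY = Packet("udp", 53, "203.0.113.20", 40001)
HTTP_REPLY = Packet("tcp", 80, "203.0.113.20", 40002, frozenset({"ACK"}))
SYN_TO_WEB = Packet("tcp", 51000, "203.0.113.10", 80, frozenset({"SYN"}))
SYN_TO_PC = Packet("tcp", 51001, "203.0.113.20", 22, frozenset({"SYN"}))
ACK_TO_PC = Packet("tcp", 51002, "203.0.113.20", 22, frozenset({"ACK"}))
```

Running `evaluate` over the two lists shows the DNS reply denied by the original list and permitted by the fixed one, while an ACK-only packet to an internal host passes both, which is the stateless limitation BernieM describes.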