«

Hi,

I'm having a devil of a time trying to set up what ought to be an
extremely simple inbound access list. All I want to do is allow inbound
connections to a few web servers, while not having any kind of
restrictions on outbound traffic.

My understanding is that I need to permit established traffic at the
top of my list in order for client programs to get responses from
outside servers. I put:

access-list 101 permit tcp any any established

But this doesn't work. With this control in place, I can't even browse
an external web site. The only way I've been able to fix it is to allow
everything:

access-list 101 permit ip any any

Of course this is not what I want, because it opens my whole network up
to the internet.

Is there some special trick to this that I'm missing?

"flarosa" <> wrote in message
news: oups.com...
> Hi,
>
> I'm having a devil of a time trying to set up what ought to be an
> extremely simple inbound access list. All I want to do is allow inbound
> connections to a few web servers, while not having any kind of
> restrictions on outbound traffic.
>
> My understanding is that I need to permit established traffic at the
> top of my list in order for client programs to get responses from
> outside servers. I put:
>
> access-list 101 permit tcp any any established
>
> But this doesn't work. With this control in place, I can't even browse
> an external web site. The only way I've been able to fix it is to allow
> everything:
>
> access-list 101 permit ip any any
>
> Of course this is not what I want, because it opens my whole network up
> to the internet.
>
> Is there some special trick to this that I'm missing?
>

If you only have 'permit tcp any any established' then replies from DNS
servers to your resolver will be blocked, hence no web access.

Chris.

"flarosa" <> wrote in message
news: oups.com...
> Hi,
>
> I'm having a devil of a time trying to set up what ought to be an
> extremely simple inbound access list. All I want to do is allow inbound
> connections to a few web servers, while not having any kind of
> restrictions on outbound traffic.
>
> My understanding is that I need to permit established traffic at the
> top of my list in order for client programs to get responses from
> outside servers. I put:
>
> access-list 101 permit tcp any any established
>
> But this doesn't work. With this control in place, I can't even browse
> an external web site. The only way I've been able to fix it is to allow
> everything:
>
> access-list 101 permit ip any any
>
> Of course this is not what I want, because it opens my whole network up
> to the internet.
>
> Is there some special trick to this that I'm missing?
>

You want to use reflective access lists so rules for traffic returning to
internal clients are dynamically created. Using 'established' simply makes
the router to check whether the 'ACK' bit is set and has nothing to do with
actual 'established' traffic. This is part of CBAC (Context Based Access
Control) ... in a Firewall feature set IOS.

http://www.cisco.com/en/US/products/...80094110.shtml

BernieM

"flarosa" <> wrote in message
news: oups.com...
> Hi,
>
> I'm having a devil of a time trying to set up what ought to be an
> extremely simple inbound access list. All I want to do is allow inbound
> connections to a few web servers, while not having any kind of
> restrictions on outbound traffic.
>
> My understanding is that I need to permit established traffic at the
> top of my list in order for client programs to get responses from
> outside servers. I put:
>
> access-list 101 permit tcp any any established
>
> But this doesn't work. With this control in place, I can't even browse
> an external web site. The only way I've been able to fix it is to allow
> everything:
>
> access-list 101 permit ip any any
>
> Of course this is not what I want, because it opens my whole network up
> to the internet.
>
> Is there some special trick to this that I'm missing?
>

More on the reflective acl's and it mentions that normal acl's with
'established' also checks for the RST bit. These bits can easilly be set by
someone to bypass acl's using 'established' ...

http://www.cisco.com/en/US/products/...0800d9817.html

BernieM

Thanks, I'm using a very old router and I don't think it supports what
you're talking about, plus I don't really understand it anyway. I added
a rule to permit DNS responses and that seems to have fixed my problem
for now.

I understand that it must be possible for a hacker to spoof the
"established" bit in the TCP packet pretty easily, but does that
matter? I mean, certainly any kind of listening socket in an
application is not going to accept a new connection from a packet with
the established bit set - right?

Frank

BernieM wrote:
> "flarosa" <> wrote in message
> More on the reflective acl's and it mentions that normal acl's with
> 'established' also checks for the RST bit. These bits can easilly be set by
> someone to bypass acl's using 'established' ...