In article < >,
Sarah <> wrote:
:I want to block only web protocols to our web servers. It needs http
:and ssl only and I want to use access-lists. I changed the real IP
:addresses. This is what I tried:
:webserver address is 10.0.0.59
:access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0 eq 80
:access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0 eq 443
:access-list 101 deny ip 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0
:Then I applied it to interface Ethernet 0
:ip access-group 101 out
First off, you probably want to apply this 'in' your WAN interface
rather than 'out' your LAN interface. When you apply it 'out' your
LAN interface, it permits your inside systems to www and ssl to
10.0.0.59... except that those are already inside so it doesn't do
you any good.
Secondly, you never need a 'deny' statement at the end of an access list,
as the default is to deny.
Thirdly, as a matter of form, use 'any' and 'host', and use symbolic
names for ports where applicable:
access-list 101 permit tcp any host 10.0.0.59 eq www
access-list 101 permit tcp any host 10.0.0.59 eq 443
Fourthly, you need to permit return traffic for all your other systems.
If you don't have the firewall feature set, that can be a bit tricky
particularly if your systems might use udp to connect to other systems.
access-list 101 remark allow returning tcp traffic
access-list 101 permit tcp any any established
access-list 101 remark allow returning DNS traffic
access-list 101 permit udp any eq 53 any
access-list 101 remark allow new connections to www and ssl
access-list 101 permit tcp any host 10.0.0.59 eq www
access-list 101 permit tcp any host 10.0.0.59 eq 443
access-list 101 remark remember to allow for unreachables
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any unreachable
--
IEA408I: GETMAIN cannot provide buffer for WATLIB.
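A worked example added after the thread (not code from either poster): a small Python evaluator for the IOS-style extended ACL syntax used above, with both lists copied from the posts and run against a handful of constructed packets as they would arrive inbound on the WAN interface, which is where the reply says to apply the list. It shows the three behaviours the reply relies on: first match wins, an ACL with no match denies (so the trailing `deny ip` line is redundant), and `established` admits a TCP segment only when its ACK or RST bit is set. The helper names (`parse_acl`, `evaluate`, `decisions`), the sample addresses and the inside desktop 10.0.0.20 are assumptions made for this illustration.

```python
"""Added example, not from the thread: first-match evaluator for the IOS-style
extended ACL lines quoted above. Helper names and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443, "domain": 53}  # IOS port keywords
ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255

# Both lists copied from the thread; the reply's version assumes 'in' on the WAN side.
ORIGINAL_ACL = """access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0 eq 80
access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0 eq 443
access-list 101 deny ip 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0"""
REPLY_ACL = """access-list 101 remark allow returning tcp traffic
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 remark allow new connections to www and ssl
access-list 101 permit tcp any host 10.0.0.59 eq www
access-list 101 permit tcp any host 10.0.0.59 eq 443
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any unreachable"""

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False                # TCP ACK/RST set: all that 'established' checks
    icmp_type: Optional[str] = None  # e.g. "unreachable", "ttl-exceeded"

@dataclass
class Entry:
    action: str
    proto: str
    src: tuple                       # (network, wildcard, port-or-None)
    dst: tuple
    established: bool
    icmp_type: Optional[str]

_ip = lambda s: int(ipaddress.IPv4Address(s))

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' and an optional 'eq PORT' at t[i]."""
    if t[i] == "any":
        (net, wild), i = ANY, i + 1
    elif t[i] == "host":
        net, wild, i = _ip(t[i + 1]), 0, i + 2
    else:
        net, wild, i = _ip(t[i]), _ip(t[i + 1]), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return (net, wild, port), i

def parse_acl(text: str) -> list[Entry]:
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] == "remark":
            continue  # remarks document the list; they never match traffic
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        icmp = t[i] if t[3] == "icmp" and i < len(t) else None
        entries.append(Entry(t[2], t[3], src, dst, "established" in t[i:], icmp))
    return entries

def _side(spec, addr: str, port: int) -> bool:
    net, wild, want = spec
    mask = 0xFFFFFFFF ^ wild  # wildcard bits are "don't care"
    return (_ip(addr) & mask) == (net & mask) and (want is None or want == port)

def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and _side(e.src, p.src, p.sport) and _side(e.dst, p.dst, p.dport)
            and (p.ack or not e.established)
            and (e.icmp_type is None or e.icmp_type == p.icmp_type))

def evaluate(acl: list[Entry], p: Packet) -> str:
    """First match wins; falling off the end is the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

# Constructed samples arriving inbound on the WAN interface; 10.0.0.20 is an inside desktop.
SAMPLES = {
    "new HTTP to web server":    Packet("tcp", "203.0.113.7", "10.0.0.59", 40001, 80),
    "new SSH to web server":     Packet("tcp", "203.0.113.7", "10.0.0.59", 40002, 22),
    "reply to inside browser":   Packet("tcp", "198.51.100.9", "10.0.0.20", 80, 51000, ack=True),
    "new SYN to inside desktop": Packet("tcp", "203.0.113.7", "10.0.0.20", 40003, 22),
    "DNS answer to inside host": Packet("udp", "198.51.100.53", "10.0.0.20", 53, 40000),
    "ICMP unreachable":          Packet("icmp", "198.51.100.1", "10.0.0.20", icmp_type="unreachable"),
}

def decisions(acl_text: str) -> dict:
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    before, after = decisions(ORIGINAL_ACL), decisions(REPLY_ACL)
    for name in SAMPLES:
        print(f"{name:26} original={before[name]:6} reply={after[name]}")
```

Running it shows the original list (if moved inbound) dropping the browser's return traffic and DNS answers while the reply's list passes them. Note that `established` is a bit test on the segment header rather than connection tracking, so it also admits unsolicited ACK-flagged segments to inside hosts; the stateful inspection the reply alludes to with "the firewall feature set" is what actually ties return packets to an outbound connection.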