Simple question about access lists

Discussion in 'Cisco' started by flarosa, Jun 1, 2006.

  1. flarosa

    flarosa Guest

    Hi,

    I'm having a devil of a time trying to set up what ought to be an
    extremely simple inbound access list. All I want to do is allow inbound
    connections to a few web servers, while not having any kind of
    restrictions on outbound traffic.

    My understanding is that I need to permit established traffic at the
    top of my list in order for client programs to get responses from
    outside servers. I put:

    access-list 101 permit tcp any any established

    But this doesn't work. With this control in place, I can't even browse
    an external web site. The only way I've been able to fix it is to allow
    everything:

    access-list 101 permit ip any any

    Of course this is not what I want, because it opens my whole network up
    to the internet.

    Is there some special trick to this that I'm missing?
    flarosa, Jun 1, 2006
    #1

  2. chris

    chris Guest

    "flarosa" <> wrote in message
    news:...
    > Hi,
    >
    > I'm having a devil of a time trying to set up what ought to be an
    > extremely simple inbound access list. All I want to do is allow inbound
    > connections to a few web servers, while not having any kind of
    > restrictions on outbound traffic.
    >
    > My understanding is that I need to permit established traffic at the
    > top of my list in order for client programs to get responses from
    > outside servers. I put:
    >
    > access-list 101 permit tcp any any established
    >
    > But this doesn't work. With this control in place, I can't even browse
    > an external web site. The only way I've been able to fix it is to allow
    > everything:
    >
    > access-list 101 permit ip any any
    >
    > Of course this is not what I want, because it opens my whole network up
    > to the internet.
    >
    > Is there some special trick to this that I'm missing?
    >


    If you only have 'permit tcp any any established' then replies from DNS
    servers to your resolver will be blocked, hence no web access.

    Chris.
    chris, Jun 1, 2006
    #2

  3. BernieM

    BernieM Guest

    "flarosa" <> wrote in message
    news:...
    > Hi,
    >
    > I'm having a devil of a time trying to set up what ought to be an
    > extremely simple inbound access list. All I want to do is allow inbound
    > connections to a few web servers, while not having any kind of
    > restrictions on outbound traffic.
    >
    > My understanding is that I need to permit established traffic at the
    > top of my list in order for client programs to get responses from
    > outside servers. I put:
    >
    > access-list 101 permit tcp any any established
    >
    > But this doesn't work. With this control in place, I can't even browse
    > an external web site. The only way I've been able to fix it is to allow
    > everything:
    >
    > access-list 101 permit ip any any
    >
    > Of course this is not what I want, because it opens my whole network up
    > to the internet.
    >
    > Is there some special trick to this that I'm missing?
    >


    You want to use reflexive access lists so rules for traffic returning to
    internal clients are dynamically created. Using 'established' simply makes
    the router check whether the 'ACK' bit is set and has nothing to do with
    actual 'established' traffic. This is part of CBAC (Context Based Access
    Control) ... in a Firewall feature set IOS.

    http://www.cisco.com/en/US/products...s_configuration_example09186a0080094110.shtml

    BernieM
    BernieM, Jun 2, 2006
    #3
  4. BernieM

    BernieM Guest

    "flarosa" <> wrote in message
    news:...
    > Hi,
    >
    > I'm having a devil of a time trying to set up what ought to be an
    > extremely simple inbound access list. All I want to do is allow inbound
    > connections to a few web servers, while not having any kind of
    > restrictions on outbound traffic.
    >
    > My understanding is that I need to permit established traffic at the
    > top of my list in order for client programs to get responses from
    > outside servers. I put:
    >
    > access-list 101 permit tcp any any established
    >
    > But this doesn't work. With this control in place, I can't even browse
    > an external web site. The only way I've been able to fix it is to allow
    > everything:
    >
    > access-list 101 permit ip any any
    >
    > Of course this is not what I want, because it opens my whole network up
    > to the internet.
    >
    > Is there some special trick to this that I'm missing?
    >


    More on reflexive ACLs, and it mentions that normal ACLs with
    'established' also check for the RST bit. These bits can easily be set by
    someone to bypass ACLs using 'established' ...

    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a00800d9817.html

    BernieM
    BernieM, Jun 2, 2006
    #4
  5. flarosa

    flarosa Guest

    Thanks, I'm using a very old router and I don't think it supports what
    you're talking about, plus I don't really understand it anyway. I added
    a rule to permit DNS responses and that seems to have fixed my problem
    for now.

    I understand that it must be possible for a hacker to spoof the
    "established" bit in the TCP packet pretty easily, but does that
    matter? I mean, certainly any kind of listening socket in an
    application is not going to accept a new connection from a packet with
    the established bit set - right?

    Frank

    BernieM wrote:
    > "flarosa" <> wrote in message
    > More on reflexive ACLs, and it mentions that normal ACLs with
    > 'established' also check for the RST bit. These bits can easily be set by
    > someone to bypass ACLs using 'established' ...
    flarosa, Jun 4, 2006
    #5
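The thread never shows the resulting configuration, so here is one as an added example (editor's code, not anything posted above and not Cisco's): the original poster's one-line list, then a corrected numbered list that admits new connections only to the published web servers, lets TCP replies back with 'established' and adds the UDP DNS-reply permit chris's answer calls for (UDP carries no flags, so 'established' can never match it), and finally the reflexive-ACL alternative BernieM pointed to, which admits return traffic for sessions the router actually saw leave instead of trusting a flag the remote end controls. The interface name, the 203.0.113.0/24 inside prefix, the web server addresses and the 198.51.100.x resolver addresses are assumptions drawn from the documentation ranges; substitute your own.

```cisco
! Added example (editor's, not from the thread or from Cisco). Interface
! name, the inside prefix 203.0.113.0/24, the web servers 203.0.113.10-11
! and the ISP resolvers 198.51.100.53-54 are assumptions (documentation
! ranges); replace them with your own addresses.
!
! --- What the original poster started with -----------------------------
! Only TCP segments with ACK or RST set get in. UDP has no flags, so every
! DNS answer is dropped and browsing by name fails.
access-list 101 permit tcp any any established
!
! --- Corrected stateless list ------------------------------------------
! Built under a new number so the interface is never left without a list
! (deleting an applied numbered ACL permits everything until it is back).
! Entries are matched top to bottom, first match wins, implicit deny last.
access-list 102 remark --- new connections: only the published web servers
access-list 102 permit tcp any host 203.0.113.10 eq 80
access-list 102 permit tcp any host 203.0.113.10 eq 443
access-list 102 permit tcp any host 203.0.113.11 eq 80
access-list 102 permit tcp any host 203.0.113.11 eq 443
access-list 102 remark --- replies to TCP connections opened from inside.
access-list 102 remark     'established' = ACK or RST bit set, nothing more;
access-list 102 remark     a remote host that sets ACK on a probe matches it.
access-list 102 permit tcp any any established
access-list 102 remark --- DNS answers (chris's point): name the resolvers
access-list 102 remark     actually in use, ephemeral destination ports only.
access-list 102 remark     If an inside host runs its own recursive resolver,
access-list 102 remark     use 'any eq 53' as source and that host as destination.
access-list 102 permit udp host 198.51.100.53 eq 53 203.0.113.0 0.0.0.255 gt 1023
access-list 102 permit udp host 198.51.100.54 eq 53 203.0.113.0 0.0.0.255 gt 1023
access-list 102 remark --- ICMP the inside hosts need (PMTUD, traceroute, ping)
access-list 102 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
access-list 102 permit icmp any 203.0.113.0 0.0.0.255 ttl-exceeded
access-list 102 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
access-list 102 remark --- explicit final deny so the drops are counted and logged
access-list 102 deny ip any any log
!
interface Serial0/0
 description Internet uplink
 ip access-group 102 in
!
! --- Stateful alternative: reflexive ACLs (BernieM's suggestion) --------
! Each session leaving the uplink creates a temporary mirror-image entry
! in RETURN; INBOUND admits return traffic only through those entries, so
! an unsolicited segment that merely has ACK set no longer gets in.
! Reflexive entries need named extended ACLs. Swap this in for 102 once
! it has been tested.
ip access-list extended OUTBOUND
 permit tcp 203.0.113.0 0.0.0.255 any reflect RETURN timeout 300
 permit udp 203.0.113.0 0.0.0.255 any reflect RETURN timeout 60
 permit icmp 203.0.113.0 0.0.0.255 any reflect RETURN timeout 30
 remark other protocols still leave freely; their replies need an explicit INBOUND permit
 permit ip any any
!
ip access-list extended INBOUND
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.11 eq 80
 permit tcp any host 203.0.113.11 eq 443
 evaluate RETURN
 deny ip any any log
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

After applying either list, `show ip access-lists` shows a hit counter per entry; a climbing counter on the final deny while browsing still works confirms the permits above it are doing the work, and a dead counter on the DNS entries means the resolver addresses are wrong. On the question raised in #5: a listening socket does not open a connection on an unsolicited ACK-only segment, it answers with a RST, and that answer is precisely what an ACK scan collects to learn which inside hosts and ports are reachable through a filter built on 'established' (open and closed ports both answer, filtered ones stay silent). The 'permit tcp any any established' entry therefore does not hand out connections, but it does expose every inside host's TCP stack to arbitrary flagged segments, which is what the reflexive list above removes.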