Solved

ACL on Cisco IOS

Posted on 2006-06-20
Last Modified: 2012-05-05
I need to implement an ACL on our Cisco 2821 router.  This router controls connectivity to our web server.  We have several domains hosted here, and a few of which make outbound Web Requests (for web services-like transactions).  So because of the nature of the HTTP protocol, I'm unsure of how to implement the ACL in order to allow outbound traffic from the web server out to other sites.  The code on our web portals makes these web requests out to other URLs.

So when outbound requests are made, they come from a random port on the sender's machine, and port 80 on the destination machine.  How can I enable a safe ACL on our router when the outbound requests leave from random ports?  Is there some way that I can force these outbound requests on the web server to always use some arbitrary port on our web server that I specify?

Hope this makes sense, please help!  We need to lock down the web server soon since we have had some unfriendly intruders.
Question by:qumpus
Expert Comment

by:lrmoore
ID: 16946530
ACLs get tricky if you don't know what you're doing.
Do you already have any ACLs in place?
Do you have a firewall? Do you have the firewall feature set on the router?

There are two ways to implement ACLs -
On the WAN interface - inbound. This is where I would assume you allow incoming www requests to the server(s). You can implement an ACL with the "established" keyword which makes it dynamic for the duration of the established communications.

On the LAN interface - inbound. This is where you would restrict outbound connections that originate on the LAN (i.e. servers initiating transactions). You can specify the IP addresses of the hosts for these transactions, and allow normal www traffic out, but you also have to be sure to allow DNS and other required traffic. Here's an example of an outbound restriction acl:

ip access-list extended OUTBOUND
 remark allow your server host 1.2.3.4 to initiate transactions with host 56.78.9.111 and host a.b.c.d
 permit tcp host 1.2.3.4 gt 1024 host 56.78.9.111 eq 80
 permit tcp host 1.2.3.4 gt 1024 host 56.78.9.111 eq 443
 permit tcp host 1.2.3.4 gt 1024 host a.b.c.d eq 80
 remark allow server 1.2.3.5 to answer inbound web requests (source port 80)
 permit tcp host 1.2.3.5 eq 80 any
 remark allow DNS outbound from DNS server 1.2.3.6
 permit udp host 1.2.3.6 any eq 53
 remark log all denied traffic for troubleshooting
 deny ip any any log
!
interface Fast0/0
 ip access-group OUTBOUND in


Author Comment

by:qumpus
ID: 16969288
Hey thanks for the insight.
To answer your questions:
 - Yes, we do have some ACLs in place for NAT routing/mapping, etc., but not for restricting inbound traffic to our servers


The deal is that we were going to try and avoid locking down the entire network right away and focus strictly on the web server... our network is still in its infant stages and I wanted to keep the ACL simple.
In our current setup we have two gigabit interfaces facing the internet for load balancing and redundancy, and four VLAN interfaces facing in.
VLAN1- LAN
VLAN10 – E-mail server
VLAN30 – Web server
VLAN50 – VPN server
So the original strategy was to implement an ACL on VLAN30 “out” to restrict traffic coming in to the web server from the internet, and allow traffic in from our other internal subnets. This worked great, and as expected for inbound, but for whatever reason this completely blocked all outbound traffic from the web server on VLAN30. Correct me if I’m wrong, but to accomplish that I would have to put an ACL on VLAN30 “in” – right?
So anyway, I think we’re going to ditch that plan, and try to define ALL inbound traffic and place the ACL on the two gigabit interfaces “in” – as suggested by Cisco for best practices.
Let me know what you think!




Author Comment

by:qumpus
ID: 16969374
...didn't mean to hit enter yet...

To answer your other question:
 - Yes, we do have the Firewall Feature set on the router
 - Yes, we also have a firewall. We are using an ISA Firewall with two NICs as a VPN endpoint to remote users, and also as a Proxy server for Internet access. (VLAN50 above)

Also, regarding the "established" keyword - what happens if you don't use that command?
If you could give me some pointers there it would be much appreciated.
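
As an added illustration (not lrmoore's or qumpus's configuration), here is the WAN-side counterpart lrmoore mentions: an inbound ACL that lets replies to the web server's own outbound requests back in. The "established" keyword matches only TCP segments with the ACK or RST flag set, so without it the replies arriving at the server's random (ephemeral) port would hit the final deny; note that it is a flag check, not connection tracking, which is why this thread later moves to CBAC. The web server 1.2.3.4 and DNS server 1.2.3.6 are the addresses from lrmoore's example; GigabitEthernet0/0 is an assumed interface name.

```cisco
! Added example, not lrmoore's or qumpus's config. Assumes the web server is
! 1.2.3.4, the DNS server is 1.2.3.6 (both from the thread) and the
! Internet-facing interface is GigabitEthernet0/0 (an assumed name).
ip access-list extended WAN-IN
 remark services published on the web server
 permit tcp any host 1.2.3.4 eq 80
 permit tcp any host 1.2.3.4 eq 443
 remark replies to connections the web server opened: the server's end is an
 remark ephemeral port (gt 1023) and "established" matches only segments with
 remark ACK or RST set, so a new SYN from outside still falls through to the deny
 permit tcp any eq 80 host 1.2.3.4 gt 1023 established
 permit tcp any eq 443 host 1.2.3.4 gt 1023 established
 remark DNS answers coming back to the resolver
 permit udp any eq 53 host 1.2.3.6 gt 1023
 remark everything else is dropped and logged for troubleshooting
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing
 ip access-group WAN-IN in
```

Check the result with "show ip access-lists WAN-IN" and the log entries from the final deny, which show exactly which return traffic still needs an entry.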

Expert Comment

by:lrmoore
ID: 17258819
qumpus,
Sorry for the extended delay. Are you still working on this? Do you need more information? I hope you've got everything working by now! What do you want to do with this question?

-Cheers!

Author Comment

by:qumpus
ID: 17264181
lrmoore,

Yes we are still working on this. We have gone outside and asked for some help from a consultant.

We are currently in the process of implementing an ACL on the inbound of our Internet-facing interfaces with the help of CBAC and reflective ACLs using “ip inspect” statements. This seemed to work well in our tests, but once in production we experienced very intermittent issues with Internet/Email. Any ideas?

- qumpus
Accepted Solution

by:lrmoore (earned 125 total points)
ID: 17265527
Intermittent issues typically point to things like MSS settings, fragmentation issues, MTU issues, black holes, DNS issues. Many of these are overcome by simply allowing inbound ICMP unreachables and packet-too-big so the clients can adjust dynamically using basic sliding window and MTU detect mechanisms already built into the systems.
Depending on your WAN connection, you may have to set the outside interface MTU to lower than the default 1500.  I.e. DSL with pppoe carries an 8-bit overhead and causes many issues with fragmentation.
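
As an added example (not the consultant's or lrmoore's configuration), here is what the accepted advice looks like in a CBAC setup like the one qumpus describes: "ip inspect" on the outbound side of the WAN interface opens return traffic through the inbound ACL, while the ICMP messages that inspection does not open are permitted explicitly so path-MTU discovery keeps working. Assumptions: the web server is 1.2.3.4 (from the thread), the Internet-facing interface is GigabitEthernet0/0 and the web server VLAN is Vlan30 (interface names assumed); the MSS and MTU values are the usual ones for a PPPoE link and apply only if the WAN really is PPPoE.

```cisco
! Added example, not the configuration from the thread. Assumed names:
! GigabitEthernet0/0 (Internet-facing), Vlan30 (web server VLAN), WEBFW.
! CBAC tracks TCP and UDP sessions leaving the WAN interface and adds
! temporary entries for their return traffic to the inbound ACL.
ip inspect name WEBFW tcp
ip inspect name WEBFW udp
!
ip access-list extended WAN-IN
 remark services published on the web server
 permit tcp any host 1.2.3.4 eq 80
 permit tcp any host 1.2.3.4 eq 443
 remark no "established" entry: CBAC opens the return traffic itself
 remark ICMP for path-MTU discovery and error reporting. "unreachable" covers
 remark type 3 code 4 (packet-too-big); dropping it makes large transfers
 remark stall intermittently while small ones work, the symptom in this thread
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing
 ip access-group WAN-IN in
 ip inspect WEBFW out
!
interface Vlan30
 description web server VLAN
 remark-free: clamp the MSS so TCP segments fit a PPPoE path (1492 - 40)
 ip tcp adjust-mss 1452
```

Verify with "show ip inspect sessions" that outbound sessions are being tracked, and if the WAN link is PPPoE, also set "ip mtu 1492" on the dialer interface rather than relying on fragmentation.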