ACL on Cisco IOS

I need to implement an ACL on our Cisco 2821 router.  This router controls connectivity to our web server.  We have several domains hosted here, and a few of which make outbound Web Requests (for a web services-like transactions).  So because of the nature of the HTTP protocol, I'm unsure of how to implement the ACL in order to allow outbound traffic from the web server out to other sites.  The code on our web portals makes these web requests out to other URL's.  

So when outbound requests are made, they come from a random port on the senders machine, and port 80 on the destination machine.  How can I enable a safe ACL on our router when the outbound requests leave from random ports?  Is there some way that I can force these outbound requests on the web server to always use some arbitrary port on our web server that I specify?

Hope this makes sense, please help!  We need to lock down the web server soon since we have had some un-friendly intruders.
Who is Participating?
Intermittent issues typically point to things like mss settings, fragmentation issues, MTU issues, black hole, dns issues. Many of these are overcome by simply allowing inbound icmp unreachables and packet-too-big so the clients can adjust dynamically using basic sliding window and MTU detect mechanisms already built into the systems.
Depending on your WAN connection, you may have to set the outside interface MTU to lower than the default 1500.  I.e. DSL with pppoe carries an 8-bit overhead and causes many issues with fragmentation.
ACLS's get tricky if you don't know what you're doing.
Do you already have any ACL's in place?
Do you have a firewall? Do you have the firewall feature set on the router?

There are two ways to implement acls -
On the WAN interface - inbound. This is where I would assume you allow incomming www requests to the server(s). you can implement an acl with "established" keyword which makes it dynamic for the duration of the established communications.

On the LAN interface - inbound. This is where you would restrict outbound connections that originate on the LAN (i.e. servers initiating transactions). You can specify the IP addresses of the hosts for these transactions, and allow normal www traffic out, but you also have to be sure to allow DNS and other required traffic. Here's an example of an outbound restriction acl:

ip access-list extended OUTBOUND
\\-- allow your server host to initiate transaction with host + host a.b.c.d
 permit tcp host gt 1024 host eq 80
 permit tcp host gt 1024 host eq 443
 permit tcp host gt 1024 host a.b.c.d eq 80  
\\-- allow server outbound
 permit tcp host eq 80 any
\\-- allow dns outbound from dns server
 permit udp host any eq 53
\\-- log all denied traffic for troubleshooting
 deny ip any any log

interface Fast0/0
  ip access-group OUTBOUND in

qumpusAuthor Commented:
Hey thanks for the insight.
To answer your questions:
 - Yes we do have some ACL's in place for NAT routing/mapping, etc. but not for restricting inbound traffic to our servers

The deal is that we were going to try and avoid locking down the entire network right away and focus strictly on the web server... our network is still in its infant stages and I wanted to keep the ACL simple.
In our current setup we have two gigabit interfaces facing the internet for load balancing and redundancy, and four VLAN interfaces facing in.
VLAN10 – E-mail server
VLAN30 – Web server
VLAN50 – VPN server
So the original strategy was to implement an ACL on VLAN30 “out” to restrict traffic coming in to the web server from the internet, and allow traffic in from our other internal subnets. This worked great, and as expected for inbound, but for whatever reason this completely blocked all outbound traffic from the web server on VLAN30. Correct me if I’m wrong, but to accomplish that I would have to put an ACL on VLAN30 “in” – right?
So anyway, I think we’re going to ditch that plan, and try to define ALL inbound traffic and place the ACL on the two gigabit interfaces “in” – as suggested by Cisco for best practices.
Let me know what you think!

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

qumpusAuthor Commented:
...didn't mean to hit enter yet...

To answer your other question:
 - Yes, we do have the Firewall Feature set on the router
 - Yes, we also have a firewall. We are using an ISA Firewall with two NICs as a VPN endpoint to remote users, and also as a Proxy server for Internet access. (VLAN50 above)

Also, regarding the "established" keyword - what happens if you don't use that command?
If you could give me some pointers there it would be much appreciated.
Sorry for the extended delay. Are you still working on this? Do you need more information? I hope you've got everything working by now! What do you want to do with this question?

qumpusAuthor Commented:

Yes we are still working on this. We have gone outside and asked for some help from a consultant.

We are currently in the process of implementing an ACL on the inbound of our Internet facing interfaces with the help of CBAC and reflective ACL’s using “ip inspect” statements. This seemed to work good in our tests, but once in production we experienced very intermittent issues with Internet/Email. Any ideas?

- qumpus
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.