[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


ACL on Cisco IOS

Posted on 2006-06-20
Medium Priority
Last Modified: 2012-05-05
I need to implement an ACL on our Cisco 2821 router.  This router controls connectivity to our web server.  We have several domains hosted here, and a few of which make outbound Web Requests (for a web services-like transactions).  So because of the nature of the HTTP protocol, I'm unsure of how to implement the ACL in order to allow outbound traffic from the web server out to other sites.  The code on our web portals makes these web requests out to other URL's.  

So when outbound requests are made, they come from a random port on the senders machine, and port 80 on the destination machine.  How can I enable a safe ACL on our router when the outbound requests leave from random ports?  Is there some way that I can force these outbound requests on the web server to always use some arbitrary port on our web server that I specify?

Hope this makes sense, please help!  We need to lock down the web server soon since we have had some un-friendly intruders.
Question by:qumpus
  • 3
  • 3
LVL 79

Expert Comment

ID: 16946530
ACLS's get tricky if you don't know what you're doing.
Do you already have any ACL's in place?
Do you have a firewall? Do you have the firewall feature set on the router?

There are two ways to implement acls -
On the WAN interface - inbound. This is where I would assume you allow incomming www requests to the server(s). you can implement an acl with "established" keyword which makes it dynamic for the duration of the established communications.

On the LAN interface - inbound. This is where you would restrict outbound connections that originate on the LAN (i.e. servers initiating transactions). You can specify the IP addresses of the hosts for these transactions, and allow normal www traffic out, but you also have to be sure to allow DNS and other required traffic. Here's an example of an outbound restriction acl:

ip access-list extended OUTBOUND
\\-- allow your server host to initiate transaction with host + host a.b.c.d
 permit tcp host gt 1024 host eq 80
 permit tcp host gt 1024 host eq 443
 permit tcp host gt 1024 host a.b.c.d eq 80  
\\-- allow server outbound
 permit tcp host eq 80 any
\\-- allow dns outbound from dns server
 permit udp host any eq 53
\\-- log all denied traffic for troubleshooting
 deny ip any any log

interface Fast0/0
  ip access-group OUTBOUND in


Author Comment

ID: 16969288
Hey thanks for the insight.
To answer your questions:
 - Yes we do have some ACL's in place for NAT routing/mapping, etc. but not for restricting inbound traffic to our servers

The deal is that we were going to try and avoid locking down the entire network right away and focus strictly on the web server... our network is still in its infant stages and I wanted to keep the ACL simple.
In our current setup we have two gigabit interfaces facing the internet for load balancing and redundancy, and four VLAN interfaces facing in.
VLAN10 – E-mail server
VLAN30 – Web server
VLAN50 – VPN server
So the original strategy was to implement an ACL on VLAN30 “out” to restrict traffic coming in to the web server from the internet, and allow traffic in from our other internal subnets. This worked great, and as expected for inbound, but for whatever reason this completely blocked all outbound traffic from the web server on VLAN30. Correct me if I’m wrong, but to accomplish that I would have to put an ACL on VLAN30 “in” – right?
So anyway, I think we’re going to ditch that plan, and try to define ALL inbound traffic and place the ACL on the two gigabit interfaces “in” – as suggested by Cisco for best practices.
Let me know what you think!


Author Comment

ID: 16969374
...didn't mean to hit enter yet...

To answer your other question:
 - Yes, we do have the Firewall Feature set on the router
 - Yes, we also have a firewall. We are using an ISA Firewall with two NICs as a VPN endpoint to remote users, and also as a Proxy server for Internet access. (VLAN50 above)

Also, regarding the "established" keyword - what happens if you don't use that command?
If you could give me some pointers there it would be much appreciated.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

LVL 79

Expert Comment

ID: 17258819
Sorry for the extended delay. Are you still working on this? Do you need more information? I hope you've got everything working by now! What do you want to do with this question?


Author Comment

ID: 17264181

Yes we are still working on this. We have gone outside and asked for some help from a consultant.

We are currently in the process of implementing an ACL on the inbound of our Internet facing interfaces with the help of CBAC and reflective ACL’s using “ip inspect” statements. This seemed to work good in our tests, but once in production we experienced very intermittent issues with Internet/Email. Any ideas?

- qumpus
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 17265527
Intermittent issues typically point to things like mss settings, fragmentation issues, MTU issues, black hole, dns issues. Many of these are overcome by simply allowing inbound icmp unreachables and packet-too-big so the clients can adjust dynamically using basic sliding window and MTU detect mechanisms already built into the systems.
Depending on your WAN connection, you may have to set the outside interface MTU to lower than the default 1500.  I.e. DSL with pppoe carries an 8-bit overhead and causes many issues with fragmentation.

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question