[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


ACL on Cisco IOS

Posted on 2006-06-20
Medium Priority
Last Modified: 2012-05-05
I need to implement an ACL on our Cisco 2821 router.  This router controls connectivity to our web server.  We have several domains hosted here, and a few of which make outbound Web Requests (for a web services-like transactions).  So because of the nature of the HTTP protocol, I'm unsure of how to implement the ACL in order to allow outbound traffic from the web server out to other sites.  The code on our web portals makes these web requests out to other URL's.  

So when outbound requests are made, they come from a random port on the senders machine, and port 80 on the destination machine.  How can I enable a safe ACL on our router when the outbound requests leave from random ports?  Is there some way that I can force these outbound requests on the web server to always use some arbitrary port on our web server that I specify?

Hope this makes sense, please help!  We need to lock down the web server soon since we have had some un-friendly intruders.
Question by:qumpus
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 79

Expert Comment

ID: 16946530
ACLS's get tricky if you don't know what you're doing.
Do you already have any ACL's in place?
Do you have a firewall? Do you have the firewall feature set on the router?

There are two ways to implement acls -
On the WAN interface - inbound. This is where I would assume you allow incomming www requests to the server(s). you can implement an acl with "established" keyword which makes it dynamic for the duration of the established communications.

On the LAN interface - inbound. This is where you would restrict outbound connections that originate on the LAN (i.e. servers initiating transactions). You can specify the IP addresses of the hosts for these transactions, and allow normal www traffic out, but you also have to be sure to allow DNS and other required traffic. Here's an example of an outbound restriction acl:

ip access-list extended OUTBOUND
\\-- allow your server host to initiate transaction with host + host a.b.c.d
 permit tcp host gt 1024 host eq 80
 permit tcp host gt 1024 host eq 443
 permit tcp host gt 1024 host a.b.c.d eq 80  
\\-- allow server outbound
 permit tcp host eq 80 any
\\-- allow dns outbound from dns server
 permit udp host any eq 53
\\-- log all denied traffic for troubleshooting
 deny ip any any log

interface Fast0/0
  ip access-group OUTBOUND in


Author Comment

ID: 16969288
Hey thanks for the insight.
To answer your questions:
 - Yes we do have some ACL's in place for NAT routing/mapping, etc. but not for restricting inbound traffic to our servers

The deal is that we were going to try and avoid locking down the entire network right away and focus strictly on the web server... our network is still in its infant stages and I wanted to keep the ACL simple.
In our current setup we have two gigabit interfaces facing the internet for load balancing and redundancy, and four VLAN interfaces facing in.
VLAN10 – E-mail server
VLAN30 – Web server
VLAN50 – VPN server
So the original strategy was to implement an ACL on VLAN30 “out” to restrict traffic coming in to the web server from the internet, and allow traffic in from our other internal subnets. This worked great, and as expected for inbound, but for whatever reason this completely blocked all outbound traffic from the web server on VLAN30. Correct me if I’m wrong, but to accomplish that I would have to put an ACL on VLAN30 “in” – right?
So anyway, I think we’re going to ditch that plan, and try to define ALL inbound traffic and place the ACL on the two gigabit interfaces “in” – as suggested by Cisco for best practices.
Let me know what you think!


Author Comment

ID: 16969374
...didn't mean to hit enter yet...

To answer your other question:
 - Yes, we do have the Firewall Feature set on the router
 - Yes, we also have a firewall. We are using an ISA Firewall with two NICs as a VPN endpoint to remote users, and also as a Proxy server for Internet access. (VLAN50 above)

Also, regarding the "established" keyword - what happens if you don't use that command?
If you could give me some pointers there it would be much appreciated.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 79

Expert Comment

ID: 17258819
Sorry for the extended delay. Are you still working on this? Do you need more information? I hope you've got everything working by now! What do you want to do with this question?


Author Comment

ID: 17264181

Yes we are still working on this. We have gone outside and asked for some help from a consultant.

We are currently in the process of implementing an ACL on the inbound of our Internet facing interfaces with the help of CBAC and reflective ACL’s using “ip inspect” statements. This seemed to work good in our tests, but once in production we experienced very intermittent issues with Internet/Email. Any ideas?

- qumpus
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 17265527
Intermittent issues typically point to things like mss settings, fragmentation issues, MTU issues, black hole, dns issues. Many of these are overcome by simply allowing inbound icmp unreachables and packet-too-big so the clients can adjust dynamically using basic sliding window and MTU detect mechanisms already built into the systems.
Depending on your WAN connection, you may have to set the outside interface MTU to lower than the default 1500.  I.e. DSL with pppoe carries an 8-bit overhead and causes many issues with fragmentation.

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question