Solved

ACL on Cisco IOS

Posted on 2006-06-20
896 Views
Last Modified: 2012-05-05
I need to implement an ACL on our Cisco 2821 router.  This router controls connectivity to our web server.  We have several domains hosted here, and a few of which make outbound Web Requests (for a web services-like transactions).  So because of the nature of the HTTP protocol, I'm unsure of how to implement the ACL in order to allow outbound traffic from the web server out to other sites.  The code on our web portals makes these web requests out to other URL's.  

So when outbound requests are made, they come from a random port on the senders machine, and port 80 on the destination machine.  How can I enable a safe ACL on our router when the outbound requests leave from random ports?  Is there some way that I can force these outbound requests on the web server to always use some arbitrary port on our web server that I specify?

Hope this makes sense, please help!  We need to lock down the web server soon since we have had some un-friendly intruders.
Question by:qumpus
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 16946530
ACLs get tricky if you don't know what you're doing.
Do you already have any ACLs in place?
Do you have a firewall? Do you have the firewall feature set on the router?

There are two ways to implement ACLs -
On the WAN interface - inbound. This is where I would assume you allow incoming www requests to the server(s). You can implement an ACL with the "established" keyword, which makes it dynamic for the duration of the established communications.

On the LAN interface - inbound. This is where you would restrict outbound connections that originate on the LAN (i.e. servers initiating transactions). You can specify the IP addresses of the hosts for these transactions, and allow normal www traffic out, but you also have to be sure to allow DNS and other required traffic. Here's an example of an outbound restriction ACL:

ip access-list extended OUTBOUND
! -- allow your server host 1.2.3.4 to initiate transactions with host 56.78.9.111 + host a.b.c.d
 permit tcp host 1.2.3.4 gt 1024 host 56.78.9.111 eq 80
 permit tcp host 1.2.3.4 gt 1024 host 56.78.9.111 eq 443
 permit tcp host 1.2.3.4 gt 1024 host a.b.c.d eq 80
! -- allow server 1.2.3.5 outbound (replies from its web service, source port 80)
 permit tcp host 1.2.3.5 eq 80 any
! -- allow DNS outbound from DNS server 1.2.3.6
 permit udp host 1.2.3.6 any eq 53
! -- log all denied traffic for troubleshooting (an implicit deny follows every ACL anyway)
 deny ip any any log

interface FastEthernet0/0
  ip access-group OUTBOUND in

 
Author Comment

by:qumpus
ID: 16969288
Hey thanks for the insight.
To answer your questions:
 - Yes, we do have some ACLs in place for NAT routing/mapping, etc., but not for restricting inbound traffic to our servers


The deal is that we were going to try and avoid locking down the entire network right away and focus strictly on the web server... our network is still in its infant stages and I wanted to keep the ACL simple.
In our current setup we have two gigabit interfaces facing the internet for load balancing and redundancy, and four VLAN interfaces facing in.
VLAN1- LAN
VLAN10 – E-mail server
VLAN30 – Web server
VLAN50 – VPN server
So the original strategy was to implement an ACL on VLAN30 “out” to restrict traffic coming in to the web server from the internet, and allow traffic in from our other internal subnets. This worked great, and as expected for inbound, but for whatever reason this completely blocked all outbound traffic from the web server on VLAN30. Correct me if I’m wrong, but to accomplish that I would have to put an ACL on VLAN30 “in” – right?
So anyway, I think we’re going to ditch that plan, and try to define ALL inbound traffic and place the ACL on the two gigabit interfaces “in” – as suggested by Cisco for best practices.
Let me know what you think!



Author Comment

by:qumpus
ID: 16969374
...didn't mean to hit enter yet...

To answer your other question:
 - Yes, we do have the Firewall Feature set on the router
 - Yes, we also have a firewall. We are using an ISA Firewall with two NICs as a VPN endpoint to remote users, and also as a Proxy server for Internet access. (VLAN50 above)

Also, regarding the "established" keyword - what happens if you don't use that command?
If you could give me some pointers there it would be much appreciated.
LVL 79

Expert Comment

by:lrmoore
ID: 17258819
qumpus,
Sorry for the extended delay. Are you still working on this? Do you need more information? I hope you've got everything working by now! What do you want to do with this question?

-Cheers!
Author Comment

by:qumpus
ID: 17264181
lrmoore,

Yes we are still working on this. We have gone outside and asked for some help from a consultant.

We are currently in the process of implementing an ACL on the inbound of our Internet-facing interfaces with the help of CBAC and reflexive ACLs using “ip inspect” statements. This seemed to work well in our tests, but once in production we experienced very intermittent issues with Internet/Email. Any ideas?

- qumpus
LVL 79

Accepted Solution

by:lrmoore (earned 125 total points)
ID: 17265527
Intermittent issues typically point to things like mss settings, fragmentation issues, MTU issues, black hole, dns issues. Many of these are overcome by simply allowing inbound icmp unreachables and packet-too-big so the clients can adjust dynamically using basic sliding window and MTU detect mechanisms already built into the systems.
Depending on your WAN connection, you may have to set the outside interface MTU to lower than the default 1500.  I.e. DSL with pppoe carries an 8-bit overhead and causes many issues with fragmentation.
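As an added example (not from the page, the poster or lrmoore), here is a small Python evaluator for the extended-ACL syntax used in lrmoore's answers above: it applies first-match semantics with the implicit deny, shows why the web server's random source ports are no obstacle for the LAN-inbound ACL (only the destination port is fixed) and what the "established" keyword qumpus asked about changes on the WAN-inbound side, and includes the ICMP packet-too-big rule the accepted solution recommends. The addresses, the WAN_IN ACL and the packets are constructed; the evaluator understands only host/any, eq/gt, established, log and ICMP message keywords.

```python
import ipaddress
from collections import namedtuple
# Constructed packet record: ack = TCP ACK/RST set (reply inside an existing
# session); kind = ICMP message keyword such as "packet-too-big".
Pkt = namedtuple("Pkt", "proto src sport dst dport ack kind", defaults=(False, ""))

def _addr(t):  # pop 'any' or 'host A.B.C.D' from the token list as a network
    tok = t.pop(0)
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else t.pop(0) + "/32")

def _port(t):  # pop an optional 'eq N' / 'gt N' port operator
    return (t.pop(0), int(t.pop(0))) if t and t[0] in ("eq", "gt") else None

def parse_ace(line):
    """Parse one extended-ACL entry: action proto src [port] dst [port] [flags]."""
    t = line.split()
    ace, t = {"action": t[0], "proto": t[1]}, t[2:]
    ace["src"], ace["sport"] = _addr(t), _port(t)
    ace["dst"], ace["dport"] = _addr(t), _port(t)
    ace["est"] = "established" in t
    ace["kind"] = next((x for x in t if x not in ("established", "log")), "")
    return ace

def _port_ok(spec, port):  # 'gt' is strictly greater, so gt 1024 excludes 1024
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def matches(ace, p):
    return (ace["proto"] in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ace["src"]
            and ipaddress.ip_address(p.dst) in ace["dst"]
            and _port_ok(ace["sport"], p.sport) and _port_ok(ace["dport"], p.dport)
            and (p.ack or not ace["est"])        # 'established' needs ACK or RST
            and (not ace["kind"] or ace["kind"] == p.kind))

def evaluate(acl_text, p):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for line in (ln.strip() for ln in acl_text.splitlines()):
        if line and not line.startswith("!") and matches(parse_ace(line), p):
            return line.split()[0]
    return "deny"

# Constructed WAN-inbound ACL: serve port 80, admit replies to the server's own
# outbound web requests, and keep the ICMP messages PMTU discovery relies on.
WAN_IN = """
permit tcp any host 1.2.3.4 eq 80
permit tcp any eq 80 host 1.2.3.4 gt 1024 established
permit icmp any host 1.2.3.4 packet-too-big
deny ip any any log
"""
```

Dropping "established" from the second entry lets any packet sourced from port 80 reach every high port on the server, which is the gap the keyword closes.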