Solved

Cisco 2811 router and opening ports 80 and 443

Posted on 2006-11-03
3
2,098 Views
Last Modified: 2012-08-13
Hi all
I am running server 2003 domain ent edition wiath AD,DNS,DHCP servers.  I am in the process of installaing sophos appliance WS 1000 for web cache (http traffic filtering) and malware filtereing for my domain.  The applicance has two ports at the back one LAN and one WAN.  Under the configuration of the appliance I have to firewall cisco 2811 to accept port 80 and 443 only from this appliance:
Questions:
-120 permit tcp any host 64.xx.xxx.xxx eq www does this command opens up port 80 on this firewall for this appliance of sophos ?
-120 permit tcp any host 64.xx.xxx.xxx eq 443 opens up 443 on this appliance?
If yes
there are other servers on my domain which have ports:
-120 permit tcp any host 64.xx.xxx.xxx eq www opened should I close it?
-120 permit tcp any host 64.xx.xxx.xxx eq 443 (this is excahnge server) do I have to close it?
Configuration:
Other configuration I am thinking of is to make this router the default gateway of my servers which are default gateway for http traffic of my clients.  So that all http traffic has to pass through this appliance.  Is it a good set up to think off?
Help plz
AM


0
Comment
Question by:amanzoor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 1

Accepted Solution

by:
ex-engineer earned 400 total points
ID: 17866514
AM:

You're on the right track. You have to know the correct syntax for creating extended access-lists. You can very easily go to the Cisco website to get that.

It should look something like this:

ip access-list extended PERMIT_SOPHOS
permit <source address> <source mask> <destination address> <destination mask> eq <tcp port number or application keyword>

You get the picture. Remember that there is an implicit "deny all/deny any" at the end of each access list, so make sure you have statements for ALL traffic you want permitted and then the implicit (invisible) "deny all" statement at the end of the access list will block everything else.
0
 
LVL 1

Expert Comment

by:ex-engineer
ID: 17866577
Note: When i say destination or soucre mask, I am talkign about a wildcard mask. And also, after the permit keyword, you can specify the general protocol (IP, TCP, UDP, ICMP, etc).

Go to Cisco's website.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d1d4.html#wp1078593
0
 
LVL 4

Assisted Solution

by:neoponder
neoponder earned 100 total points
ID: 17868045
just make sure you apply it on the right interface in the right direction.

i.e. you want it on the inbound side of the external interface...

ip access-group 120 in
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question