Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 463
  • Last Modified:

Cisco router 881G

Experts,

I have an 881G with an internet connection. I have an ACL on the router applied inbound on the outside interface.
Traffic will overload out the outside interface.
I find that I have to allow ANY tcp inbound to the outside interface or web browsing does not work. I tried just www, and 443 but that doesnt work.  Is it because web traffic goes outbound on port 80 or 443 but comes inbound on a high port?
Is there a way to make the router stateful like a firewall?
0
trojan81
Asked:
trojan81
  • 3
  • 3
1 Solution
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
ACLs typically are stateless on Cisco routers, contrary to how Firewalls work (which, on statefull operation, automatically permit returning packets on a connection opened from the inside)

In the simplest case, allow incoming TCP connections that have SYN+ACK set, as well as the ones that are "established", while denying any (unwanted) TCP connections with just SYN set.
0
 
trojan81Author Commented:
Garry-G, thank you.
if I create a statement such as:

permit tcp any host 99.99.99.99 established

That would mean that the internet WOULD NOT be able to simply initiate tcp connections into my outside interface (and overload IP) 99.99.99.99?
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
Correct, only already established TCP sessions are let through ... (essentially, anything without SYN and/or ACK), as long as there is no other permit statement after or before that would allow it. But make sure you also allow the SYN ACK packets in, as without them, the three-way handshake won't work ...

Of course you can also add permits to that, e.g. for incoming SMTP:

permit tcp any host 99.99.99.99 eq 25
0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 
trojan81Author Commented:
Gary,

If I have:
permit tcp any host 99.99.99.99 established

and assume computer overloads out of 99.99.99.99 for internet, the return traffic coming back is considered established traffic?

Would the command to allow syn ACK be:
permit tcp any host 99.99.99.99 eq syn ack

or would the above allow both syn or ack? Seems to work like I want it to if I have the "established" entry even without having to add the "syn ack" statement and I dont have any other permits.
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
not quite, "eq" is used for port matching, leave it out:

permit tcp any host 99.99.99.99 ack syn

Established is any TCP traffic without syn and ack set ...
0
 
trojan81Author Commented:
well done!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now