Solved

Cisco router 881G

Posted on 2012-03-10
6
Medium Priority
456 Views
Last Modified: 2012-03-15
Experts,

I have an 881G with an internet connection. I have an ACL on the router applied inbound on the outside interface.
Traffic will overload out the outside interface.
I find that I have to allow ANY tcp inbound to the outside interface or web browsing does not work. I tried just www, and 443 but that doesn't work. Is it because web traffic goes outbound on port 80 or 443 but comes inbound on a high port?
Is there a way to make the router stateful like a firewall?
6 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 37706414
ACLs typically are stateless on Cisco routers, contrary to how firewalls work (which, in stateful operation, automatically permit returning packets on a connection opened from the inside).

In the simplest case, allow incoming TCP connections that have SYN+ACK set, as well as the ones that are "established", while denying any (unwanted) TCP connections with just SYN set.
0
 

Author Comment

by:trojan81
ID: 37707825
Garry-G, thank you.
if I create a statement such as:

permit tcp any host 99.99.99.99 established

That would mean that the internet WOULD NOT be able to simply initiate tcp connections into my outside interface (and overload IP) 99.99.99.99?
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 37708450
Correct, only already established TCP sessions are let through ... (essentially, anything without SYN and/or ACK), as long as there is no other permit statement before or after that would allow it. But make sure you also allow the SYN ACK packets in, as without them the three-way handshake won't work ...

Of course you can also add permits to that, e.g. for incoming SMTP:

permit tcp any host 99.99.99.99 eq 25
0
 

Author Comment

by:trojan81
ID: 37713214
Garry,

If I have:
permit tcp any host 99.99.99.99 established

and assume a computer overloads out of 99.99.99.99 for internet, is the return traffic coming back considered established traffic?

Would the command to allow syn ACK be:
permit tcp any host 99.99.99.99 eq syn ack

or would the above allow both syn or ack? It seems to work like I want it to if I have the "established" entry even without having to add the "syn ack" statement, and I don't have any other permits.
0
 
LVL 18

Accepted Solution

by:
Garry Glendown earned 2000 total points
ID: 37713312
Not quite, "eq" is used for port matching, leave it out:

permit tcp any host 99.99.99.99 ack syn

Established is any TCP traffic without syn and ack set ...
0
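To make the thread's point concrete, here is a small added Python simulator of how a stateless IOS-style ACL classifies inbound TCP segments. It is not code from the original post or from Cisco. It models the documented IOS behaviour that the "established" keyword matches any segment with the ACK or RST bit set (which is why the asker's SYN+ACK replies already get through without a separate "ack syn" line), and it treats explicit flag keywords such as "ack syn" as requiring every listed bit to be set, which is this simulator's own simplification. The IP addresses other than 99.99.99.99 are constructed documentation addresses. The last sample shows the limitation a stateful firewall fixes: a stateless "established" entry permits any unsolicited segment that merely has ACK set.

```python
"""Constructed simulator of a stateless Cisco-IOS-style TCP ACL (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny tcp any host <dst> [eq <port>] [established] [flags]."""
    action: str                    # "permit" or "deny"
    dst: str                       # destination host, or "any"
    dport: Optional[int] = None    # "eq <port>" match, None means any port
    established: bool = False      # IOS "established": matches ACK or RST set
    flags: int = 0                 # explicit flag keywords; all listed bits must be set (simplification)

    def matches(self, seg: Segment) -> bool:
        if self.dst != "any" and self.dst != seg.dst:
            return False
        if self.dport is not None and self.dport != seg.dport:
            return False
        if self.established and not (seg.flags & (ACK | RST)):
            return False
        if self.flags and (seg.flags & self.flags) != self.flags:
            return False
        return True


def evaluate(acl: List[Ace], seg: Segment) -> str:
    """First matching entry wins; an unmatched segment hits the implicit deny."""
    for ace in acl:
        if ace.matches(seg):
            return ace.action
    return "deny"


OUTSIDE_IP = "99.99.99.99"   # the address from the thread

# The ACL discussed in the thread: permit established, permit inbound SMTP.
THREAD_ACL = [
    Ace("permit", OUTSIDE_IP, established=True),
    Ace("permit", OUTSIDE_IP, dport=25),
]

# Constructed sample segments arriving inbound on the outside interface.
SAMPLES = {
    # Replies to a web session the inside host opened (NAT-overloaded to a high port).
    "syn_ack_reply_from_web_server": Segment("203.0.113.10", OUTSIDE_IP, 51234, SYN | ACK),
    "data_reply_from_web_server": Segment("203.0.113.10", OUTSIDE_IP, 51234, ACK | PSH),
    # Unsolicited connection attempts from the internet (SYN only).
    "unsolicited_syn_to_rdp": Segment("198.51.100.7", OUTSIDE_IP, 3389, SYN),
    "unsolicited_syn_to_smtp": Segment("198.51.100.7", OUTSIDE_IP, 25, SYN),
    # Unsolicited segment with only ACK set: the stateless ACL cannot tell it from a reply.
    "unsolicited_ack_only_to_rdp": Segment("198.51.100.7", OUTSIDE_IP, 3389, ACK),
}


def classify_all(acl: List[Ace] = THREAD_ACL) -> dict:
    """Return {sample name: permit/deny} for every constructed segment."""
    return {name: evaluate(acl, seg) for name, seg in SAMPLES.items()}


def ack_syn_entry_redundant() -> bool:
    """True if an explicit 'ack syn' entry adds nothing beyond 'established' for the SYN+ACK reply."""
    with_flags = [Ace("permit", OUTSIDE_IP, flags=ACK | SYN)] + THREAD_ACL
    reply = SAMPLES["syn_ack_reply_from_web_server"]
    return evaluate(THREAD_ACL, reply) == evaluate(with_flags, reply) == "permit"


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{verdict:6s} {name}")
    print("ack syn entry redundant:", ack_syn_entry_redundant())
```

The simulator shows why a stateless ACL is only an approximation of a firewall: the verdict depends solely on the bits in each segment, never on whether an inside host actually opened the connection. A stateful device would drop the ACK-only segment because no session exists for it.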
 

Author Closing Comment

by:trojan81
ID: 37726432
well done!
0