I have an 881G with an internet connection. I have an ACL on the router applied inbound on the outside interface.
Traffic will overload out the outside interface.
I find that I have to allow ANY tcp inbound to the outside interface or web browsing does not work. I tried just www, and 443 but that doesn't work. Is it because web traffic goes outbound on port 80 or 443 but comes inbound on a high port?
Is there a way to make the router stateful like a firewall?
Tags: Routers, Cisco
Last comment: trojan81, 8/22/2022 (Mon)
Garry Glendown
ACLs typically are stateless on Cisco routers, contrary to how firewalls work (which, on stateful operation, automatically permit returning packets on a connection opened from the inside).
In the simplest case, allow incoming TCP connections that have SYN+ACK set, as well as the ones that are "established", while denying any (unwanted) TCP connections with just SYN set.
trojan81 (ASKER)
Garry-G, thank you.
if I create a statement such as:
permit tcp any host 99.99.99.99 established
That would mean that the internet WOULD NOT be able to simply initiate tcp connections into my outside interface (and overload IP) 99.99.99.99?
Garry Glendown
Correct, only already established TCP sessions are let through ... (essentially, anything without SYN and/or ACK), as long as there is no other permit statement after or before that would allow it. But make sure you also allow the SYN ACK packets in, as without them, the three-way handshake won't work ...
Of course you can also add permits to that, e.g. for incoming SMTP:
If I have:
permit tcp any host 99.99.99.99 established
and assume computer overloads out of 99.99.99.99 for internet, the return traffic coming back is considered established traffic?
Would the command to allow syn ACK be:
permit tcp any host 99.99.99.99 eq syn ack
or would the above allow both syn or ack? Seems to work like I want it to if I have the "established" entry even without having to add the "syn ack" statement, and I don't have any other permits.
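To make the behaviour discussed in this thread concrete, here is an added Python model (not code from the thread, and not Cisco's implementation) of how an IOS extended ACL with the `established` keyword evaluates packets arriving on the outside interface. It assumes an extra `permit tcp any host 99.99.99.99 eq 25` line for inbound SMTP, in the spirit of Garry's hint, and uses constructed sample packets; the key fact it encodes is that `established` matches a TCP segment with the ACK or RST bit set, which is why the SYN+ACK reply of an inside-initiated handshake passes without a separate statement.

```python
import re
# Subset of IOS extended-ACL syntax used in this thread:
#   permit|deny tcp|ip any|host A.B.C.D any|host A.B.C.D [eq PORT] [established]
ACE_RE = re.compile(r"^(permit|deny)\s+(tcp|ip)\s+(any|host\s+\S+)\s+(any|host\s+\S+)"
                    r"(?:\s+eq\s+(\d+))?(\s+established)?\s*$")

def parse_acl(text):
    """Parse ACL lines, in order, into (action, proto, src, dst, dport, established)."""
    acl = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, src, dst, port, est = m.groups()
        acl.append((action, proto, src.split()[-1], dst.split()[-1],
                    int(port) if port else None, bool(est)))
    return acl

def ace_matches(ace, pkt):
    action, proto, src, dst, dport, est = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if (src != "any" and src != pkt["src"]) or (dst != "any" and dst != pkt["dst"]):
        return False
    if dport is not None and dport != pkt["dport"]:
        return False
    # IOS 'established' matches only when the ACK or RST bit is set: a bare
    # SYN fails here, while the SYN+ACK reply and every later segment pass.
    return not est or bool(pkt["flags"] & {"ACK", "RST"})

def evaluate(acl, pkt):
    """First matching entry wins; an implicit deny ends every IOS ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

# ACL from the thread, plus an assumed SMTP permit along the lines Garry mentions
OUTSIDE_IN = parse_acl("""
permit tcp any host 99.99.99.99 eq 25
permit tcp any host 99.99.99.99 established
deny ip any any
""")
def tcp(dport, flags, src="198.51.100.7"):  # constructed packets; TEST-NET-2 source
    return {"proto": "tcp", "src": src, "dst": "99.99.99.99", "dport": dport, "flags": set(flags)}
SYN_ACK_REPLY = tcp(51514, {"SYN", "ACK"})   # return leg of a web session the inside host opened
DATA_REPLY = tcp(51514, {"ACK", "PSH"})      # later segment of that same session
UNSOLICITED_SSH = tcp(22, {"SYN"})            # Internet host trying to open a connection
UNSOLICITED_SMTP = tcp(25, {"SYN"})           # inbound mail, allowed only by the explicit eq 25 line
```

Note that this only mimics the flag check; unlike a real stateful firewall, the router never tracks whether an inside host actually opened the session, so any packet with ACK set is let through by the `established` line.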