Solved

Cisco router 881G

Posted on 2012-03-10
451 Views
Last Modified: 2012-03-15
Experts,

I have an 881G with an internet connection. I have an ACL on the router applied inbound on the outside interface.
Traffic will overload out the outside interface.
I find that I have to allow ANY tcp inbound to the outside interface or web browsing does not work. I tried just www and 443, but that doesn't work. Is it because web traffic goes outbound on port 80 or 443 but comes inbound on a high port?
Is there a way to make the router stateful like a firewall?
Question by:trojan81
6 Comments
 
LVL 17

Expert Comment

by:Garry-G
ID: 37706414
ACLs typically are stateless on Cisco routers, contrary to how firewalls work (which, in stateful operation, automatically permit returning packets on a connection opened from the inside).

In the simplest case, allow incoming TCP connections that have SYN+ACK set, as well as the ones that are "established", while denying any (unwanted) TCP connections with just SYN set.
 

Author Comment

by:trojan81
ID: 37707825
Garry-G, thank you.
if I create a statement such as:

permit tcp any host 99.99.99.99 established

That would mean that the internet WOULD NOT be able to simply initiate tcp connections into my outside interface (and overload IP) 99.99.99.99?
 
LVL 17

Expert Comment

by:Garry-G
ID: 37708450
Correct, only already established TCP sessions are let through ... (essentially, anything without SYN and/or ACK), as long as there is no other permit statement after or before that would allow it. But make sure you also allow the SYN ACK packets in, as without them, the three-way handshake won't work ...

Of course you can also add permits to that, e.g. for incoming SMTP:

permit tcp any host 99.99.99.99 eq 25
 

Author Comment

by:trojan81
ID: 37713214
Garry,

If I have:
permit tcp any host 99.99.99.99 established

and assume a computer overloads out of 99.99.99.99 for internet, is the return traffic coming back considered established traffic?

Would the command to allow syn ACK be:
permit tcp any host 99.99.99.99 eq syn ack

or would the above allow both syn or ack? It seems to work like I want it to if I have the "established" entry, even without having to add the "syn ack" statement, and I don't have any other permits.
 
LVL 17

Accepted Solution

by:Garry-G (earned 500 total points)
ID: 37713312
Not quite, "eq" is used for port matching, leave it out:

permit tcp any host 99.99.99.99 ack syn

Established is any TCP traffic without syn and ack set ...
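A way to see what the accepted answer's ACL actually does, as an added example that is not from this thread or from Cisco: a short Python simulation of how an IOS extended ACL applied inbound on the outside interface evaluates constructed packets. It models `established` the way Cisco documents it (the packet's ACK or RST bit is set), so a web server's SYN+ACK reply already matches `permit tcp any host 99.99.99.99 established`, which is why the poster saw browsing work without a separate `syn ack` entry. The peer addresses (203.0.113.10, 203.0.113.53, 198.51.100.7), the ports, and the treatment of multiple flag keywords as "all listed bits must be set" are assumptions made here for illustration. It also shows the caveat `established` cannot cover: UDP has no flags, so DNS replies need their own permit.

```python
"""Simulate a stateless Cisco IOS extended ACL applied inbound on the outside
interface (added example, not code from the thread or from Cisco IOS)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

OUTSIDE_IP = "99.99.99.99"  # outside address used in the question


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP bits set, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None for dst/dport/sport means 'any'."""
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "ip"
    dst: Optional[str] = None
    dport: Optional[int] = None          # 'eq <port>' on the destination
    sport: Optional[int] = None          # 'eq <port>' on the source
    established: bool = False            # IOS 'established': ACK or RST bit set
    flags: FrozenSet[str] = frozenset()  # explicit flag keywords, e.g. 'ack syn'


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst is not None and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    # 'established' only inspects TCP flag bits, so it never matches UDP
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    # Assumption for this model: every listed flag keyword must be set
    if ace.flags and not ace.flags <= pkt.flags:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The ACL discussed in the thread: return traffic plus inbound SMTP.
ACL_THREAD = [
    Ace("permit", "tcp", OUTSIDE_IP, established=True),
    Ace("permit", "tcp", OUTSIDE_IP, dport=25),
]
# Same ACL plus the permit 'established' cannot provide: DNS replies over UDP.
ACL_WITH_DNS = ACL_THREAD + [Ace("permit", "udp", OUTSIDE_IP, sport=53)]

# Constructed packets; peer addresses are RFC 5737 documentation ranges.
WEB_SERVER, DNS_SERVER, SCANNER = "203.0.113.10", "203.0.113.53", "198.51.100.7"
PACKETS: Dict[str, Packet] = {
    # return half of an HTTPS session our side opened from 99.99.99.99:51000
    "web_synack": Packet("tcp", WEB_SERVER, OUTSIDE_IP, 443, 51000, frozenset({"SYN", "ACK"})),
    "web_data":   Packet("tcp", WEB_SERVER, OUTSIDE_IP, 443, 51000, frozenset({"ACK"})),
    # unsolicited connection attempts from the internet (SYN only)
    "ssh_syn":    Packet("tcp", SCANNER, OUTSIDE_IP, 40000, 22, frozenset({"SYN"})),
    "smtp_syn":   Packet("tcp", SCANNER, OUTSIDE_IP, 40000, 25, frozenset({"SYN"})),
    # reply to a DNS query our side sent: UDP carries no flags
    "dns_reply":  Packet("udp", DNS_SERVER, OUTSIDE_IP, 53, 52000),
}


def run(acl: List[Ace]) -> Dict[str, str]:
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


def synack_rule_only() -> Dict[str, str]:
    """'permit tcp any host X ack syn' on its own: flag keywords, not 'eq',
    which IOS would read as a port number."""
    return run([Ace("permit", "tcp", OUTSIDE_IP, flags=frozenset({"SYN", "ACK"}))])


if __name__ == "__main__":
    print("thread ACL     ", run(ACL_THREAD))
    print("with DNS permit", run(ACL_WITH_DNS))
    print("ack syn only   ", synack_rule_only())
```

With the thread's ACL the SYN+ACK and data packets of the outbound web session are permitted, the unsolicited SSH SYN is denied, the SMTP SYN is permitted by its own entry, and the DNS reply is denied until the UDP entry is added. Two things to keep in mind: `established` is still stateless, so any packet with ACK set (an ACK scan, for instance) passes the ACL whether or not a session exists, and the UDP entry keyed on source port 53 is equally trusting. A router that is genuinely "stateful like a firewall" needs a stateful inspection feature rather than a static ACL.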
 

Author Closing Comment

by:trojan81
ID: 37726432
well done!
