Cisco router 881G

Experts,

I have an 881G with an internet connection. I have an ACL on the router applied inbound on the outside interface.
Traffic will overload out the outside interface.
I find that I have to allow ANY tcp inbound to the outside interface or web browsing does not work. I tried just www, and 443 but that doesnt work.  Is it because web traffic goes outbound on port 80 or 443 but comes inbound on a high port?
Is there a way to make the router stateful like a firewall?
trojan81Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Garry GlendownConsulting and Network/Security SpecialistCommented:
ACLs typically are stateless on Cisco routers, contrary to how Firewalls work (which, on statefull operation, automatically permit returning packets on a connection opened from the inside)

In the simplest case, allow incoming TCP connections that have SYN+ACK set, as well as the ones that are "established", while denying any (unwanted) TCP connections with just SYN set.
trojan81Author Commented:
Garry-G, thank you.
if I create a statement such as:

permit tcp any host 99.99.99.99 established

That would mean that the internet WOULD NOT be able to simply initiate tcp connections into my outside interface (and overload IP) 99.99.99.99?
Garry GlendownConsulting and Network/Security SpecialistCommented:
Correct, only already established TCP sessions are let through ... (essentially, anything without SYN and/or ACK), as long as there is no other permit statement after or before that would allow it. But make sure you also allow the SYN ACK packets in, as without them, the three-way handshake won't work ...

Of course you can also add permits to that, e.g. for incoming SMTP:

permit tcp any host 99.99.99.99 eq 25
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

trojan81Author Commented:
Gary,

If I have:
permit tcp any host 99.99.99.99 established

and assume computer overloads out of 99.99.99.99 for internet, the return traffic coming back is considered established traffic?

Would the command to allow syn ACK be:
permit tcp any host 99.99.99.99 eq syn ack

or would the above allow both syn or ack? Seems to work like I want it to if I have the "established" entry even without having to add the "syn ack" statement and I dont have any other permits.
Garry GlendownConsulting and Network/Security SpecialistCommented:
not quite, "eq" is used for port matching, leave it out:

permit tcp any host 99.99.99.99 ack syn

Established is any TCP traffic without syn and ack set ...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
trojan81Author Commented:
well done!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.