Cisco IOS ACL: Don't permit incoming connections just because they are from port 80
I am going mostly from memory, and I may not be correct on all of this.
On a Cisco 851 (IOS) that uses a BVI or bridge-route (the servers on the inside are configured with static, public IP addresses), I would apply two access lists (both ending with deny ip any any log) on FastEthernet4 (the WAN port). There would be one for FA4 in and another for FA4 out.
FA4 out would have a line like
access-list 110 permit tcp 98.76.54.0 0.0.0.255 gt 1023 any eq www
I think this means that hosts in 98.76.54.* with a source port of at least 1024 can connect to any other machine on destination port 80.
So, then I have to allow the response to the HTTP connection.
FA4 in would have a line like
access-list 120 permit tcp any eq www 98.76.54.0 0.0.0.255 gt 1023
Now the problem with that is that anybody on the outside can set their source port to 80 and then connect to any inside port that is at least 1024.
How do we prevent this and require the incoming data to be a response to the outgoing data?
Solution 1:
You will want to permit any established connections, so something like this:
access-list 120 permit tcp any 98.76.54.0 0.0.0.255 established
https://supportforums.cisco.com/docs/DOC-1870;jsessionid=CDF341D626FB4FBBF03859E5610B0344.node0
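As an added example that is not part of the original thread, here is a small Python simulation of how the two FA4-in access lists discussed above treat an inbound TCP segment: the port-only version permits any segment that merely claims source port 80, while the established version permits only segments carrying ACK or RST, which the SYN that opens a brand-new inbound connection does not have. Addresses, ports and flags are constructed sample values.

```python
# Added example (not from the original post): simulate the two FA4-in ACL
# variants from the thread against constructed TCP segments.
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("98.76.54.0/24")  # 98.76.54.0 0.0.0.255


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: set  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


def acl_120_port_only(seg: Segment) -> str:
    """Original ACL 120: permit tcp any eq www 98.76.54.0 0.0.0.255 gt 1023.
    Matches on addresses and ports only, so a new connection whose source
    port happens to be 80 is permitted just like a real reply."""
    if (seg.src_port == 80
            and ipaddress.ip_address(seg.dst_ip) in INSIDE
            and seg.dst_port > 1023):
        return "permit"
    return "deny"  # the trailing deny ip any any log


def acl_120_established(seg: Segment) -> str:
    """Solution 1: permit tcp any 98.76.54.0 0.0.0.255 established.
    'established' matches only segments with ACK or RST set, which the
    initial SYN of an inbound connection lacks."""
    if (ipaddress.ip_address(seg.dst_ip) in INSIDE
            and seg.flags & {"ACK", "RST"}):
        return "permit"
    return "deny"


# Constructed traffic: a genuine SYN-ACK reply to an outbound HTTP request,
# and a fresh inbound SYN that merely uses source port 80.
REPLY = Segment("203.0.113.10", 80, "98.76.54.5", 40000, {"SYN", "ACK"})
PROBE = Segment("203.0.113.99", 80, "98.76.54.5", 8080, {"SYN"})


def evaluate() -> dict:
    return {
        "reply_port_only": acl_120_port_only(REPLY),
        "probe_port_only": acl_120_port_only(PROBE),
        "reply_established": acl_120_established(REPLY),
        "probe_established": acl_120_established(PROBE),
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:20s} {verdict}")
```

Note that established inspects only TCP flags, not real connection state; for true state tracking on IOS, reflexive ACLs or CBAC/zone-based firewall inspection are the stateful options.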