
Allow www inbound traffic only!!!

Discussion in 'Networks' started by albertc30, Sep 30, 2008.

  1. albertc30

    albertc30 Kilobyte Poster

    Hello you guys.
    Here I am again.
    Now that my Cisco is up and running, here are some more questions, sorry....

    I want to block all inbound traffic from the internet with the exception of www.
    What is wrong in my config below???

    Cheers,
    Albert, C

    interface Dialer1
    ip address negotiated
    ip access-group 101 in
    ip nat outside
    encapsulation ppp
    dialer pool 1
    keepalive 18000
    ppp chap hostname bthomehub@btbroadband.com
    ppp chap password 0 password
    ppp pap sent-username bthomehub@btbroadband.com password 0 password
    !
    ip nat inside source list 1 interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    !
    access-list 1 permit 192.168.28.8 0.0.0.7
    access-list 101 remark Traffic allowed to enter the router from the internet
    access-list 101 permit tcp any any eq www
    access-list 101 deny ip any any
     
    Certifications: CCNA
    WIP: 220-701 - A+
  2. negseven

    negseven New Member

    With your deny ip any any
    you are blocking all other traffic.... TCP and UDP
     
  3. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    I would suggest using the IOS firewall, if it is part of the IOS image on your router. In global config, type "ip inspect ?" to see if it is available. If it is not available you can use a reflexive access-list, or a regular access-list, to filter incoming traffic.


    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  4. albertc30

    albertc30 Kilobyte Poster

    Hello negseven/Spice_Weasel

    But that is what I would like to do. Block inside access to the internet for everything other than traffic directed to www (80), hence the line access-list 101 permit tcp any any eq www.

    I am working in small steps here. Create the access list and apply it, then try to access the internet and see if it is working, and then access an https (443) site, which should be denied, and see if it is being denied.

    Unfortunately I do not have the firewall option in my IOS the only command line I have under IP in global conf is ICMP.

    I'll keep on trying.

    Cheers

    P.S: The mad icon is me angry with my problem, guys, and not at you.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  5. negseven

    negseven New Member

    Yes, but you are blocking everything other than port 80 coming back in,
    i.e. DNS port 53 (DNS query) etc etc etc. See where we are going with this?
    Read up on Weasel's advice.
     
  6. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    albertc30,

    Since you don't have ip inspect available, inbound and outbound access-lists are a simple solution. One access-list will filter traffic from your LAN to the Internet, one filtering traffic from the Internet arriving into your router. You can use regular access-lists, which are static, or reflexive lists, which can be used to allow return traffic that was initiated from the inside.

    Example (using regular access-lists):
    ip access-list ext outbound
    permit tcp 192.168.28.8 0.0.0.7 any eq 80
    deny ip any any

    ip access-list ext inbound
    deny ip any 192.168.28.8 0.0.0.7 log
    permit tcp any eq 80 any
    deny ip any any

    interface dialer1
    ip access-group inbound in
    ip access-group outbound out

    The above would permit only hosts on the internal network (192.168.28.8 /29) to access http on the Internet. Everything else (ip) would be blocked - keep that in mind! You might want to permit DNS as well :)

    You would need to add more to the access-lists, but the above gives you an example of the basic idea.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
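To make the difference between the two inbound lists concrete, here is an added example (not IOS output and not code from either poster): a small evaluator that applies Cisco-style ACL entries to constructed sample packets. It assumes the router's public address is 203.0.113.10, a made-up value, and that the inbound list is checked on Dialer1 before NAT untranslates the destination, which is the IOS order of operations for outside-to-inside traffic. It also includes the DNS entry Spice_Weasel suggests adding.

```python
# Added example: evaluate Cisco-style ACL entries against sample packets.
# Not IOS code; addresses and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _addr_match(ip, spec):
    """spec is 'any' or 'address wildcard' as written in an IOS entry.
    A wildcard bit set to 1 means 'don't care', so compare the other bits."""
    if spec == "any":
        return True
    addr, wildcard = spec.split()
    ip_i, addr_i, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, addr, wildcard))
    return (ip_i & ~wc & 0xFFFFFFFF) == (addr_i & ~wc & 0xFFFFFFFF)


def _entry_match(entry, pkt):
    proto, src, sport, dst, dport = entry          # None = no port condition
    if proto != "ip" and proto != pkt.proto:
        return False
    return (_addr_match(pkt.src, src) and (sport is None or pkt.sport == sport)
            and _addr_match(pkt.dst, dst) and (dport is None or pkt.dport == dport))


def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every list with an implicit deny."""
    for action, entry in acl:
        if _entry_match(entry, pkt):
            return action
    return "deny"


# albertc30's list 101: only *destination* port 80 is permitted inbound.
ACL_101 = [("permit", ("tcp", "any", None, "any", 80)),
           ("deny",   ("ip",  "any", None, "any", None))]

# Spice_Weasel's "inbound" list (source port 80) plus the DNS reply entry.
ACL_INBOUND = [("deny",   ("ip",  "any", None, "192.168.28.8 0.0.0.7", None)),
               ("permit", ("tcp", "any", 80,   "any", None)),
               ("permit", ("udp", "any", 53,   "any", None)),
               ("deny",   ("ip",  "any", None, "any", None))]

# Constructed samples; 203.0.113.10 stands in for the Dialer1 public address.
HTTP_REPLY = Packet("tcp", "198.51.100.5", 80, "203.0.113.10", 40001)     # web page coming back
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "203.0.113.10", 51000)     # resolver answer
NEW_INBOUND_CONN = Packet("tcp", "198.51.100.7", 40002, "203.0.113.10", 80)  # someone connecting to you
SPOOFED_LAN_DST = Packet("tcp", "198.51.100.7", 80, "192.168.28.9", 40003)   # caught by the first deny
```

Running `evaluate` over these shows list 101 drops the HTTP and DNS replies (so browsing breaks) while permitting a fresh inbound connection to port 80, which is the opposite of what the first post wanted; a static source-port-80 permit is still coarser than a reflexive list, which only opens return paths for sessions the LAN started.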
  7. albertc30

    albertc30 Kilobyte Poster

    So correct me if I am wrong.

    I must have two access lists? One for outbound traffic and one for inbound traffic?

    Cheers Spice_Weasel and everybody else.

    I shall keep on digging, but for now it is time only to do some revision, as I am about to take my CCNA module 2 exam and guess what, you guys??? The college where I was/am taking CCNA doesn't know if they are going to lecture modules 3 and 4 to finish the course. Great commitment from the college; I might be stuck halfway, don't know what to do....
     
    Certifications: CCNA
    WIP: 220-701 - A+
