Cisco IOS ACL: Don't permit incoming connections just because they are from port 80

Posted by cjavapro on Server Fault See other posts from Server Fault or by cjavapro
Published on 2010-12-29T17:42:13Z Indexed on 2010/12/29 17:56 UTC


I am going much based on my memory and I may not be correct on all of this.

On a Cisco 851 (IOS) that uses a BVI or a bridge-route (the servers on the inside are configured with static, public IP addresses), I would apply two access lists (both ending with deny ip any any log) on FastEthernet4 (the WAN port). There would be one for FA4 in and another for FA4 out.
FA4 out would have a line like

access-list 110 permit tcp 98.76.54.0 0.0.0.255 gt 1023 any eq www

I think this means that 98.76.54.* with a from port of at least 1024 can connect to any other machine on destination port 80.

So, then I have to allow the response to the HTTP connection.
FA4 in would have a line like

access-list 120 permit tcp any eq www 98.76.54.0 0.0.0.255 gt 1023

Now the problem with that is that anybody on the outside can set their from port to port 80 and then connect to any inside port that is at least 1024.

How do we prevent this and require the incoming data to be a response to the outgoing data?

© Server Fault or respective owner
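Added example (not part of the original question, and not an answer posted on Server Fault): the two standard IOS ways to make the inbound list accept only return traffic. The ACL numbers 110/120, the 98.76.54.0/24 block and the FastEthernet4 name are taken from the question; the inspect rule name WANFW is an arbitrary placeholder. The first variant uses the `established` keyword, which matches only TCP segments that already carry the ACK or RST bit, so a bare SYN with source port 80 no longer matches. The second variant assumes the router image includes the IOS Firewall (CBAC) feature set.

```cisco
! --- Variant 1: "established" on the inbound list -------------------------
! Only segments that are part of an existing TCP connection (ACK or RST set)
! may come back to the high ports of the inside hosts. A new connection
! attempt (SYN only) from an outside host that merely chose source port 80
! is dropped by the final deny and logged.
access-list 120 permit tcp any eq www 98.76.54.0 0.0.0.255 gt 1023 established
access-list 120 deny   ip any any log
!
! Outbound list is unchanged: inside hosts may open connections to port 80.
access-list 110 permit tcp 98.76.54.0 0.0.0.255 gt 1023 any eq www
access-list 110 deny   ip any any log
!
interface FastEthernet4
 ip access-group 120 in
 ip access-group 110 out
!
! --- Variant 2: stateful inspection (CBAC) --------------------------------
! Inspect TCP and UDP sessions leaving FastEthernet4; the router then creates
! temporary entries that permit only the matching return packets, evaluated
! before the static inbound list. The inbound list no longer needs a return
! rule at all and can be reduced to what you deliberately expose.
! (WANFW is a placeholder rule name chosen for this example.)
ip inspect name WANFW tcp
ip inspect name WANFW udp
!
access-list 120 deny   ip any any log
!
interface FastEthernet4
 ip inspect WANFW out
 ip access-group 120 in
 ip access-group 110 out
```

Two caveats a practitioner should keep in mind. `established` is a flag check, not state: a crafted packet with the ACK bit set still passes the inbound list to any inside port above 1023 (it will not complete a handshake, but it reaches the host), and there is no equivalent for UDP. CBAC (`ip inspect`) tracks real sessions and handles UDP, so prefer it where the image supports it; reflexive access lists (`reflect`/`evaluate`) are the middle option when it does not.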
