
Still have ACL problem


jonks (Technical User, joined Jun 18, 2001, 158 messages, US)
I am still having problems with an ACL. I have to permit a number of internal machines to allow them access via IP to a confidential network.

I however need to allow access from the web, through a Checkpoint FW1 which uses NAT. The only access they need is HTTP. I have set up the ACL as below but am still not getting any hits against the HTTP rule:

permit 80 any any log-input
permit ip host x.x.x.x any log-input
permit ip host x.x.x.x any log-input
permit ip host x.x.x.x any log-input (74 matches)
permit ip host x.x.x.x any log-input
permit ip host x.x.x.x any log-input (1264 matches)
permit ip host x.x.x.x any log-input
permit ip host x.x.x.x any log-input
permit ip host x.x.x.x any log-input
permit ip host x.x.x.x any log-input

What am I doing wrong?
 
Hi!

HTTP uses TCP port #80 and not IP protocol 80.
So the first line should be

permit tcp ... ... ... ... eq 80

You should also remember that permitting traffic in one direction on the router
does not automatically permit the return traffic, so if the interface on the web server side also has an access-list, you'll have to add a line for the return traffic (source TCP port eq 80, and using the "established" parameter).

However, filtering using ACLs isn't so good.
It is better to implement filtering using your firewall or by installing the IOS firewall on your router.

Bye


Yizhar Hurwitz
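The two points in the reply above, as an added worked example that is not part of the original thread: a small stateless simulator of Cisco IOS-style extended ACL entries, run over constructed packets. It shows that `permit 80 any any` matches IP protocol 80 and never a TCP SYN to port 80, that the corrected `permit tcp ... eq 80` entry does, and that the return direction needs its own `established` entry. The addresses (192.0.2.10 as the web server on the confidential network, 198.51.100.7 as an internal host, 203.0.113.1 as the NATed Internet side) are constructed RFC 5737 documentation addresses, and the parser only understands the keywords used here (`any`, `host`, `eq`, `established`, `log-input`).

```python
"""Stateless simulator for Cisco IOS-style extended ACL entries.

Added example, not code from the original thread. Handles only the keyword
subset needed here: any / host A.B.C.D / eq PORT / established / log-input.
"""
from dataclasses import dataclass
from typing import List, Optional

IP_PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}   # None = any IP protocol
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                 # IP protocol number: 6 = TCP
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST bit set: all "established" tests


@dataclass
class Entry:
    action: str
    proto: Optional[int]       # None matches any IP protocol
    src: str                   # "any" or a single host address
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool
    matches: int = 0           # hit counter, like "(74 matches)" in show output


def _take_addr(tokens: List[str]) -> str:
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {tok}")


def _take_port(tokens: List[str]) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        tok = tokens.pop(0)
        return int(tok) if tok.isdigit() else PORT_NAMES[tok]
    return None


def parse_ace(line: str) -> Entry:
    tokens = line.split()
    action = tokens.pop(0)
    proto_tok = tokens.pop(0)
    # A bare number in the protocol position is an IP protocol number
    # (6 = TCP, 17 = UDP), never a port: this is the bug in the question.
    proto = int(proto_tok) if proto_tok.isdigit() else IP_PROTO[proto_tok]
    src = _take_addr(tokens)
    sport = _take_port(tokens)
    dst = _take_addr(tokens)
    dport = _take_port(tokens)
    return Entry(action, proto, src, sport, dst, dport, "established" in tokens)


def _addr_ok(spec: str, ip: str) -> bool:
    return spec == "any" or spec == ip


def lookup(acl: List[Entry], pkt: Packet) -> str:
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for e in acl:
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if not (_addr_ok(e.src, pkt.src) and _addr_ok(e.dst, pkt.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not pkt.ack_or_rst:
            continue
        e.matches += 1
        return e.action
    return "deny"


def run_acl(lines: List[str], packets: List[Packet]) -> List[str]:
    acl = [parse_ace(line) for line in lines]
    return [lookup(acl, p) for p in packets]


# Constructed topology (RFC 5737 addresses): 192.0.2.10 = web server on the
# confidential network, 198.51.100.7 = internal host, 203.0.113.1 = NATed Internet.
WRONG_INBOUND = ["permit 80 any any log-input",
                 "permit ip host 198.51.100.7 any log-input"]
FIXED_INBOUND = ["permit tcp any host 192.0.2.10 eq 80 log-input",
                 "permit ip host 198.51.100.7 any log-input"]
# Applied in the opposite direction on the web-server side, for return traffic.
FIXED_RETURN = ["permit tcp host 192.0.2.10 eq 80 any established"]

HTTP_SYN = Packet("203.0.113.1", "192.0.2.10", 6, 40000, 80, ack_or_rst=False)
HTTP_REPLY = Packet("192.0.2.10", "203.0.113.1", 6, 80, 40000, ack_or_rst=True)
INTERNAL = Packet("198.51.100.7", "192.0.2.10", 6, 5000, 22)
# "established" only checks flags, so a crafted ACK from the server side with
# source port 80 to any destination port is permitted as well: the stateless
# limitation behind the advice to filter on a stateful firewall instead.
FORGED_ACK = Packet("192.0.2.10", "203.0.113.1", 6, 80, 53, ack_or_rst=True)

if __name__ == "__main__":
    print("wrong inbound :", run_acl(WRONG_INBOUND, [HTTP_SYN, INTERNAL]))
    print("fixed inbound :", run_acl(FIXED_INBOUND, [HTTP_SYN, INTERNAL]))
    print("return entry  :", run_acl(FIXED_RETURN, [HTTP_REPLY, FORGED_ACK]))
```

Running it shows the HTTP SYN denied by the original list (the protocol-80 entry never matches TCP, and the packet falls through to the implicit deny), permitted by the corrected one, and the server's reply permitted only because the return entry exists; the forged ACK case is why the reply recommends a stateful firewall or the IOS firewall over plain ACLs.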
 
Many thanks, this has solved my problem.
 