Hi all,

I think I can explain what is going on.

The access list you've described is going to drop all traffic initiated 
from your internal network, where your hosts select a source port in the 
range specified in your access list.

For example, your internal host X attempts to telnet to a server S on the 
Internet.  The packet stream is initiated with a destination of S, port 
23, and a source of X, port 40001.

Assuming no other access lists, this packet enters inbound to the router, 
and exits the router, with no problems.  The server then responds, 
swapping the source and destination:  Now, we have a source of S, port 23, 
with a destination of X, port 40001.  This is blocked by your specified 
access list, when the packet returns inbound to your network.

If your goal in writing your access list was to prevent connections from 
being INITIATED to ports 40000 - 45000, then you will want to look at the 
established keyword.  That could take the following form:

access-list 101 permit tcp any any range 40000 45000 established
   (permit traffic streams that have been initiated from 'inside')
access-list 101 deny tcp any any range 40000 45000 log
   (deny initial attempts to this range and log them)
access-list 101 permit ip any any
   (permit all else IP)

If the Firewall-1 is doing proxy services and sources traffic from the 
40000 range, then that is why your traffic stops when you apply your 
access-list.

I hope that makes sense.  Let me know if further clarification is needed.

Thanks,

Lisa Napier
Product Security Incident Response Team
Cisco Systems

At 01:37 PM 11/16/1999 -0500, Engasser, Charlie wrote:
>I have a combo question.
>
>         I am running Firewall-1 3.0b 3048, and my router is a Cisco 2611
>running 12.0.6t.
>
>         We are getting a lot of chatter traffic on high ports above 30k
>coming inbound that appear to be associated with web browsing. The
>firewall blocks this traffic, and everything works fine. However if I
>create an ACL on the router that denies the traffic such as:
>
>on ser 0/1:
>
>         access-list 101 in
>
>access-list 101 deny tcp any any range 40000 45000 log
>access-list 101 permit ip any any
>
>         Then the traffic stops flowing.
>
>can anyone explain this?
>
>Charles Engasser
>Contracted Network Engineer
>Joint STARS; Joint Test Force.
>SC; Titan Inc.
>(407) or (321) 726-7048
>(407) or (321) 726-7243 (fax)
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

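To make the first-match behaviour concrete, here is a small added simulation (not part of the thread, and not Cisco code) that evaluates the two inbound access lists above against the return packet of X's telnet session and against a fresh inbound SYN. Host names X and S, the remote source port 51000, and the reduced field set (destination port range and ACK/RST flag only, all packets assumed TCP) are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed packet model: the TCP addresses/ports plus whether ACK or RST is set,
# which is all that 'established' and the 'range' keyword look at here.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool  # False only for the initial SYN of a connection

@dataclass(frozen=True)
class Ace:
    action: str                                   # "permit" or "deny"
    dport_range: Optional[Tuple[int, int]] = None  # 'range' after the dst address = destination ports
    established: bool = False                     # Cisco 'established': match only if ACK or RST is set

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; unmatched packets hit the implicit deny at the end."""
    for ace in acl:
        if ace.dport_range and not (ace.dport_range[0] <= pkt.dport <= ace.dport_range[1]):
            continue
        if ace.established and not pkt.ack_or_rst:
            continue
        return ace.action
    return "deny"

# Charlie's inbound ACL from the thread: deny the range, then permit everything else.
ACL_CHARLIE = [Ace("deny", (40000, 45000)), Ace("permit")]
# Lisa's suggested rewrite: permit established traffic first, then deny new connections.
ACL_LISA = [Ace("permit", (40000, 45000), established=True),
            Ace("deny", (40000, 45000)),
            Ace("permit")]

# Two constructed inbound packets as seen on the outside interface.
REPLY_TO_TELNET = Packet("S", 23, "X", 40001, ack_or_rst=True)      # server's SYN/ACK back to X
NEW_INBOUND_SYN = Packet("S", 51000, "X", 40001, ack_or_rst=False)   # someone initiating to X:40001

def compare() -> dict:
    """Map ACL name -> (verdict for telnet reply, verdict for new inbound SYN)."""
    return {name: (evaluate(acl, REPLY_TO_TELNET), evaluate(acl, NEW_INBOUND_SYN))
            for name, acl in (("charlie", ACL_CHARLIE), ("lisa", ACL_LISA))}

if __name__ == "__main__":
    for name, (reply, syn) in compare().items():
        print(f"{name}: telnet reply -> {reply}, new inbound SYN -> {syn}")
```

Charlie's list drops the return half of the session that X opened, which is why his traffic "stops flowing"; Lisa's list lets that reply through while still dropping a connection that is initiated from outside to the same port.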