Avaya 580 User Manual page 425

Multiservice switches software version 6.1
Document No. 10-300077, Issue 2
The rules for implementing the above restrictions would be as follows:

Rule #  Rule                                         TCP Established
1       allow Any to call WS dest port 80            Un-Checked
2       allow WS to respond                          Checked
3       allow WS to IN                               Un-Checked
4       deny WS to Any (Outside)                     Un-Checked
5       allow IN to Any                              Un-Checked
6       deny remaining traffic from Outside to Any   Un-Checked

Rules 1 and 2 collectively manage Web traffic to and from the Web server
(WS). Rule 1 says that any source address can get to the Web server's IP
address using destination port 80. Because the TCP Established criterion is
unchecked, hosts from any network can send a TCP "call setup" message as
the first step in requesting a Web page.

Rule 2 says that the Web server may respond to any (TCP) Web request.
Although it can send a message back to any address from any source port,
only messages that are in response to a Web request will be forwarded,
because TCP Established is checked and the source port criterion is specified.

Rules 3 and 4 handle traffic from the Web server that is not in response to a
Web request. Rule 3 gives the Web server access to the rest of the Inside
networks, and Rule 4 blocks the Web server from getting to the rest of the
networks (Outside).

Rule 5 gives the hosts on the Inside network access to any network.
Rule 6 blocks any other host from using resources on any of the Inside
networks.

* Note: In this simple example, pseudo-rules are used. In practice, the
pseudo-rule "allow WS to IN" would require that you create
rules that forward traffic from the Web server's IP address to
each network on the Inside explicitly. If you had 30 inside
networks, you'd create 30 rules. This is where a subnetted
network would be powerful, because you could summarize
subnets into a few rules.

Configuring Access Lists
13-5
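The following is an added worked example, not code from the Avaya manual or the switch's own software. It models the six-rule access list above as a first-match filter in Python so the forwarding decisions the text describes can be checked packet by packet. The topology is an assumption constructed for the example: three Inside networks 10.1.0.0/24, 10.1.1.0/24 and 10.1.2.0/24, the Web server at 10.1.0.10 on the first of them, and "Outside" meaning any address not on an Inside network. The "TCP Established" checkbox is modelled as "match only TCP segments whose ACK bit is set" (so the first SYN of a connection never matches an Established rule), and the filter denies anything no rule matches; both are assumptions, not statements about the product. The last two helpers illustrate the note about expanding the pseudo-rule "allow WS to IN" into one rule per Inside network and summarizing those networks with supernets.

```python
"""Toy first-match packet filter for the six access-list rules (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, collapse_addresses, ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Assumed topology for the example (not from the manual).
INSIDE_NETS: List[IPv4Network] = [
    ip_network(n) for n in ("10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24")
]
WS = ip_address("10.1.0.10")          # Web server, on the first Inside network

Matcher = Callable[[IPv4Address], bool]


def any_host(a: IPv4Address) -> bool:   # "Any"
    return True


def is_ws(a: IPv4Address) -> bool:      # "WS"
    return a == WS


def is_inside(a: IPv4Address) -> bool:  # "IN"
    return any(a in n for n in INSIDE_NETS)


def is_outside(a: IPv4Address) -> bool:  # "Outside": not on any Inside network
    return not is_inside(a)


@dataclass(frozen=True)
class Packet:
    """A TCP segment; only the fields the rules look at (constructed)."""
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # True when the ACK bit is set, i.e. not the opening SYN


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "allow" or "deny"
    src: Matcher
    dst: Matcher
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False  # the "TCP Established" checkbox

    def matches(self, p: Packet) -> bool:
        if not self.src(ip_address(p.src)) or not self.dst(ip_address(p.dst)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # Established (checked) rules only match segments with ACK set.
        if self.established and not p.ack:
            return False
        return True


# The table from the manual, in order; first match wins.
RULES: List[Rule] = [
    Rule(1, "allow", any_host, is_ws, dport=80),                       # Un-Checked
    Rule(2, "allow", is_ws, any_host, sport=80, established=True),     # Checked
    Rule(3, "allow", is_ws, is_inside),                                # Un-Checked
    Rule(4, "deny", is_ws, any_host),                                  # Un-Checked
    Rule(5, "allow", is_inside, any_host),                             # Un-Checked
    Rule(6, "deny", is_outside, any_host),                             # Un-Checked
]


def evaluate(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); implicit deny if nothing matches (assumption)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.number
    return "deny", None


def expand_ws_to_inside(nets: List[IPv4Network]) -> List[Tuple[str, str]]:
    """Expand the pseudo-rule 'allow WS to IN' into one concrete (src, dst network) rule per Inside network."""
    return [(str(WS), str(n)) for n in nets]


def summarize(nets: List[IPv4Network]) -> List[str]:
    """Collapse adjacent subnets into supernets so fewer explicit rules are needed."""
    return [str(n) for n in collapse_addresses(nets)]


if __name__ == "__main__":
    samples = [  # constructed traffic
        ("Outside host opens a connection to WS:80 (SYN)", Packet("203.0.113.5", "10.1.0.10", 51000, 80)),
        ("WS replies from port 80 (ACK set)", Packet("10.1.0.10", "203.0.113.5", 80, 51000, ack=True)),
        ("WS sends a fresh SYN from port 80 to Outside", Packet("10.1.0.10", "203.0.113.5", 80, 51000)),
        ("WS to an Inside network", Packet("10.1.0.10", "10.1.2.20", 4000, 22)),
        ("Inside host to Outside", Packet("10.1.1.7", "198.51.100.9", 5000, 443)),
        ("Outside host to an Inside host", Packet("203.0.113.5", "10.1.1.7", 5000, 22)),
    ]
    for label, pkt in samples:
        print(f"{label}: {evaluate(pkt)}")
    print("expanded rule 3:", expand_ws_to_inside(INSIDE_NETS))
    print("summarized Inside networks:", summarize(INSIDE_NETS))
```

The third sample is the one worth noticing: a segment from the Web server's port 80 that is not part of an existing conversation fails Rule 2 (Established is checked and the ACK bit is clear), falls through Rule 3 (destination is not Inside) and is denied by Rule 4, which is exactly the "only responses are forwarded" behaviour the text describes. `summarize` shows why subnetting helps with the note's 30-rule problem: 10.1.0.0/24 and 10.1.1.0/24 collapse into 10.1.0.0/23, while 10.1.2.0/24 has no adjacent partner and stays a separate rule.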
