? about reflecting tcptraffic from a newbie

By cewcathar
Hi, I'm totally new to this, am studying for the CCNA.

I want to know about using reflect tcptraffic on a router to filter traffic between the internet and a proxy server (my design has a proxy web server, a backup proxy web server, and an email server; I want to open just port 22 on the email server so that email is transferred over secure sockets--so maybe I only need port 22 and SMTP, no POP3, for that server; and only http/tcp for the others).

The filter is to assure that no internet traffic reaches me except the traffic I've requested . . . I have these questions:

1. I want to allow http, smtp, and icmp traffic only, I think--so I'm using reflect tcptraffic statements for these protocols -- will this work?

Should I use a reflect tcptraffic statement for the tcp protocol, or for the http protocol, after a deny ftp traffic statement? (I don't think I want to allow file transfer; I'm confused here too; am I allowed two statements, one for the tcp protocol and one for the http protocol? Do I need both?)

2. I gather I cannot use a reflect tcptraffic statement with the icmp protocol, because in fact, if ping will work, what about tracert (trace route)? Will packets whose time to live has expired, which are sent back from routers along the way, still get back to me, since they will not be coming back from a requested address, but from an intermediate router?

If they won't, is there any reason I'd really want to have tracert?

I gather I am maybe to use instead a permit icmp traffic statement for traffic going out the serial port to any address on the internet outside (that is, not going to an internal address)? Followed by an evaluate icmp traffic statement for inbound traffic on the serial port?

But will I have any connectivity problems thus? I assume not? What if I only allow icmp traffic out from the network administrator's computer, who can check sites? And only back to him/her?

{An alternative I understand is to allow icmp when the packet is echo, echo-reply, time-exceeded, or unreachable

Is this correct?

What about packet-too-big? Do I need those icmp packets? Am I allowed all these different icmp permit statements for the same interface and direction? }

I'm still really confused because I understand I am only allowed 1 statement per interface, per protocol, per direction (though I gather I can have both a permit and a deny statement for each protocol in each direction on each interface).

3. Will I have any connectivity problems if I just block internet traffic to port 79 (the finger port) altogether? I assume not.

Thanks. Sorry to ask anything dumb, because I really don't know (I took one course in this a while back; have a study book; no place to practice).


All Answers


This might help you. (or not depending on your study)..


Thanks for the google link

by cewcathar In reply to This might help you. (or ...

There's a lot of stuff indexed at google; I'll check it out. Thanks!


What also about ppp and a serial connection with a reflexive access list

by cewcathar In reply to ? about reflecting tcptra ...

One more thing: Is it also possible to configure a reflexive access list for a point-to-point connection?

So that my access to the internet can be controlled with a reflexive access list.

* * *
P.S. I did finally find out there are certain icmp packets I should allow--such as packet-too-big, administratively prohibited, etc.; these help connectivity.
All others thus should not be allowed, except for those that explicitly help connectivity--that's the best way to do this!


Example of reflexive access list with ppp serial connection? Is this o.k.?

by cewcathar In reply to ? about reflecting tcptra ...

My configurations for the reflexive access lists are near the bottom of

(scroll up to just above the serial configuration which is just above the routing protocol configuration at the bottom of the page)

Can I have the ext-nacls with a serial connection to the WAN/Internet?

Here's a diagram of the network (except the computer that handles ftp should handle only sftp--anyway, it's just a computer you can port a CD to in order to transfer files to/from the WAN or internet outside).

(I've not configured a router yet; I've connected Windows to a wireless network; and I've done a little telnetting in a class on a Linux Red Hat network--plus tried briefly being root--but no router configuration; that's it; so my questions are sort of dumb; I have the book and what I can get online . . .)
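Since the posts above ask for an example of a reflexive access list on a PPP serial link, and earlier ask how ICMP (ping, tracert, packet-too-big) fits alongside it, here is an illustrative Cisco IOS configuration. It is added here as an example and is not the poster's configuration or the one from their linked page; the interface names, addresses and the 300-second timeout are assumed values.

```cisco
! Assumed topology: inside LAN behind FastEthernet0/0, internet on Serial0/0 (PPP).
! Reflexive entries must live in named extended ACLs, applied in both directions.
interface Serial0/0
 encapsulation ppp
 ip address 203.0.113.2 255.255.255.252
 ip access-group outboundfilters out
 ip access-group inboundfilters in
!
! Outbound: allow only the requested services; each permitted TCP session is
! recorded in the temporary list "tcptraffic" so its replies can come back.
ip access-list extended outboundfilters
 deny   tcp any any eq ftp
 deny   tcp any any eq ftp-data
 permit tcp any any eq www  reflect tcptraffic timeout 300
 permit tcp any any eq smtp reflect tcptraffic timeout 300
 permit tcp any any eq 22   reflect tcptraffic timeout 300
 permit icmp any any echo
 deny   ip any any
!
! Inbound: "evaluate" admits only replies to sessions recorded above. ICMP is
! not tracked reflexively, so the error messages that keep connectivity working
! (echo-reply for ping, time-exceeded for tracert, unreachable and
! packet-too-big for path MTU discovery) are permitted explicitly.
ip access-list extended inboundfilters
 evaluate tcptraffic
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 deny   tcp any any eq finger
 deny   ip any any
```

The explicit deny of port 79 (finger) is redundant with the final deny ip any any and is kept only to make the intent visible in show access-lists output; unsolicited inbound TCP, including inbound SMTP to the mail server, is dropped by this list unless a permit is added for it.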
