02-17-2021 11:41 AM
Hello,
I come back to you with a question that popped up in my mind when I reviewed the config of my router and still confuses me a lot.
First let me illustrate the picture of my network:
hosts --> sw --> router (on the router I have a PPPoE connection, using a dialer) --> ISP
On the router the interface that is connected to the ISP is f0/0 (where the Dialer is also enabled). Under the Dialer config I set the ACL named Fierwall-ACL with the command "ip access-group Fierwall-ACL out", and the ACL rules are:
ip access-list extended Firewall-ACL
deny tcp any any eq echo
deny tcp any any eq discard
deny tcp any any eq daytime
deny tcp any any eq chargen
deny tcp any any eq telnet
deny tcp any any eq finger
deny tcp any any eq 3389
deny tcp any any eq 161
deny tcp any any eq 37
deny tcp any any eq 69
deny tcp any any eq ftp-data
deny tcp any any eq ftp
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
permit ip any any
The ACL command on the Dialer "ip access-group Fierwall-ACL out" is set out. Following my logic and the CCNA course about ACLs, normally I would set "in" for inbound, because the traffic from outside (from the ISP / Internet) that comes into my network is traffic from out to in, and with the rules from "Firewall-ACL" I want to block ports, IPs and other things from accessing my network from outside.
The question is why in the config is it "ip access-group Fierwall-ACL out" instead of "ip access-group Fierwall-ACL in"?
When I used "ip access-group Fierwall-ACL in" I don't have traffic or access to the net.
Hope I explained my problem well enough to be understood.
02-18-2021 12:07 AM - edited 02-18-2021 12:14 AM
ip access-group Fierwall-ACL out vs ip access-group Fierwall-ACL in
The difference in applying an ACL in or out is pretty easy. When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.
When you apply an ACL "out" on an interface, the router examines any traffic attempting to leave that interface against the ACL.
As you are connected to interface FastEthernet0 (Dialer). And also you are NATing (overloaded) on this router?
So your interface F0/0 Dialer is enabled. The network is like host--->SW--->Router---ISP.
Now keep focus on the Router----ISP link. Let's say I apply the access-list Firewall-ACL to the router's dialer interface inbound with "ip access-group Fierwall-ACL in" (which means ISP traffic flowing towards the router's dialer interface): there is a possibility of network disruption, looking into your access-list. Also a point to make: the inbound "ip access-group Fierwall-ACL in" is less CPU intensive compared to "ip access-group Fierwall-ACL out".
Ideally, if you want to block the access you should apply the ACL inbound at SW-->Router (the router interface connected to the switch).
If you are running an enterprise image on the router you can use the IOS Firewall functionality.
For example, if I want to deny RFC 1918 on the dialer interface as inbound my commands would be:
ip access-list extended Firewall-ACL
 remark DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 permit ip any any
!
! The access-group name must match the list name exactly: IOS permits all
! traffic when an access-group refers to a list that does not exist.
interface Dialer0
 ip access-group Firewall-ACL in