ACL and dialer

Hello, 

I come back to you with a question that popped up in my mind when I reviewed the config of my router, and it still confuses me a lot.

First let me illustrate the picture of my network:

hosts --> sw --> router (on the router I have a PPPoE connection, using a dialer) --> ISP

On the router the interface that is connected to the ISP is f0/0 (where the Dialer is also enabled). Under the Dialer config I set the ACL named Firewall-ACL with the command "ip access-group Firewall-ACL out", and the ACL rules are:

```
ip access-list extended Firewall-ACL
 deny tcp any any eq echo
 deny tcp any any eq discard
 deny tcp any any eq daytime
 deny tcp any any eq chargen
 deny tcp any any eq telnet
 deny tcp any any eq finger
 deny tcp any any eq 3389
 deny tcp any any eq 161
 deny tcp any any eq 37
 deny tcp any any eq 69
 deny tcp any any eq ftp-data
 deny tcp any any eq ftp
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.0.255.255 any
 permit ip any any
```

The ACL command on the Dialer, "ip access-group Firewall-ACL out", is set to out. By my logic and my CCNA course about ACLs, normally I would set "in" for inbound, because the traffic from outside (from the ISP / Internet) that comes into my network is traffic from out to in, and with the rules in "Firewall-ACL" I want to block ports, IPs and other things from accessing my network from outside.

The question is: why is the config "ip access-group Firewall-ACL out" instead of "ip access-group Firewall-ACL in"?

When I used "ip access-group Firewall-ACL in" I didn't have traffic or access to the net.

I hope I explained my problem well enough to be understood.

1 Accepted Solution

Sheraz.Salim
VIP Alumni

ip access-group Firewall-ACL out vs ip access-group Firewall-ACL in

The difference in applying an ACL in or out is pretty easy. When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.
When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.

As you are connected to interface FastEthernet0 (Dialer). And also, you are NATing (overloaded) on this router?

So your interface F0/0 Dialer is enabled. The network is like host--->SW--->Router---ISP

Now keep the focus on the Router----ISP link. Let's say I apply the access-list Firewall-ACL to the router's dialer interface inbound, "ip access-group Firewall-ACL in" (which means ISP traffic flowing towards the router's dialer interface); there is a possibility of network disruption, looking into your access-list. Also a point to make: the inbound "ip access-group Firewall-ACL in" is less CPU intensive compared to ip access-group Firewall-ACL out.

Ideally, if you want to block the access you should apply the ACL inbound at SW-->Router (the router interface connected to the switch) as inbound.

If you are running an enterprise image on the router you can use the IOS Firewall functionality.

For example, if I want to deny RFC 1918 on the dialer interface as inbound, my commands would be:

```
ip access-list extended Firewall-ACL
 remark DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 permit ip any any
!
interface Dialer0
 ip access-group Firewall-ACL in
```
Please do not forget to rate.