Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1857
Views
5
Helpful
1
Replies

ACL and dailer

Go to solution
b2kzone-beniamin
Level 1
Level 1

‎02-17-2021 11:41 AM

Hello, 

I come back to you with a question that pop-up in my mind when I review the conf of my router and still confused me a lot.

 

First let me illustrated the picture of my network

hots --> sw --> router (on the router I have a pppoe connection, using dialer) --> ISP

 

On the router the interface that is connected to ISP is f0/0 (where is also the Dialer enable) under the Dialer config I set the ACL named Fierwall-ACL that is set with the command "ip access-group Fierwall-ACL out" and the ACL roules are:

ip access-list extended Firewall-ACL
deny tcp any any eq echo
deny tcp any any eq discard
deny tcp any any eq daytime
deny tcp any any eq chargen
deny tcp any any eq telnet
deny tcp any any eq finger
deny tcp any any eq 3389
deny tcp any any eq 161
deny tcp any any eq 37
deny tcp any any eq 69
deny tcp any any eq ftp-data
deny tcp any any eq ftp
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
permit ip any any

 

The ACL command on the Dailer "ip access-group Fierwall-ACL out" is set out, after my logic and CCNA course about ACL normally I set  "in" from inboud, because the trafic from outside (from ISP / Internet ) that come in my network is trafic from out to in  and the  rules  from "Firewall-ACL" I want to block ports, ips, and other to access my network from outside.

 

The question why in the config is "ip access-group Fierwall-ACL out" instead of "ip access-group Fierwall-ACL in" ?

 

When I used "ip access-group Fierwall-ACL in" I don't have trffic or acces to net

 

Hope I explained my problem ok to be understand 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sheraz.Salim
VIP Alumni
VIP Alumni

‎02-18-2021 12:07 AM - edited ‎02-18-2021 12:14 AM

ip access-group Fierwall-ACL out vs ip access-group Fierwall-ACL in

The difference in applying an ACL in or out is pretty easy. When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.
When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.

as you connected to interface FastEthernet0 (Dialer). ANd also that you are NATing (Overloaded) on this router?

 

 

 

so your interface F0/0 Dialer is enable.   network is like host--->SW--->Router---ISP

 

now keep focus at Router----ISP link. let say if i apply the access-list Firewall-ACL to the interface of router dialer as towards the inbound ip access-group Fierwall-ACL in (which means ISP Traffic flow towards the routers interface dialer) there is a possibility of network distruption as looking into your access-list. also a point to make the inbound "ip access-group Fierwall-ACL in" is less cpu intensive compare to ip access-group Fierwall-ACL out.

 

Ideally, if you want to block the access you should apply the ACL-Inbound at SW-->Router (Router connect to swtich Interface) as inbound.

 

if you runing a enterprise image on the router you can use the IOS-Firewall functionality.

 

 

for example If i want to deny RFC 1918 on dialer Interface as inbound my command would be.

 

 

 

ip access-list extended Firewall-ACL
description DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 permit ip any any
!
interface Dialer0
ip access-group Fierwall-ACL in

 

 

 

please do not forget to rate.

View solution in original post

1 Reply 1

Go to solution
Sheraz.Salim
VIP Alumni
VIP Alumni

‎02-18-2021 12:07 AM - edited ‎02-18-2021 12:14 AM

ip access-group Fierwall-ACL out vs ip access-group Fierwall-ACL in

The difference in applying an ACL in or out is pretty easy. When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.
When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.

as you connected to interface FastEthernet0 (Dialer). ANd also that you are NATing (Overloaded) on this router?

 

 

 

so your interface F0/0 Dialer is enable.   network is like host--->SW--->Router---ISP

 

now keep focus at Router----ISP link. let say if i apply the access-list Firewall-ACL to the interface of router dialer as towards the inbound ip access-group Fierwall-ACL in (which means ISP Traffic flow towards the routers interface dialer) there is a possibility of network distruption as looking into your access-list. also a point to make the inbound "ip access-group Fierwall-ACL in" is less cpu intensive compare to ip access-group Fierwall-ACL out.

 

Ideally, if you want to block the access you should apply the ACL-Inbound at SW-->Router (Router connect to swtich Interface) as inbound.

 

if you runing a enterprise image on the router you can use the IOS-Firewall functionality.

 

 

for example If i want to deny RFC 1918 on dialer Interface as inbound my command would be.

 

 

 

ip access-list extended Firewall-ACL
description DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 permit ip any any
!
interface Dialer0
ip access-group Fierwall-ACL in

 

 

 

please do not forget to rate.
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card