09-18-2004 07:41 PM - edited 02-20-2020 09:25 PM
I am just finishing my CCNA4 semester trying to do the best I can on our final class project, but I am having problems understanding one simple fact about ACLs...
Ok so to start I want to prevent anything but HTTP (80) traffic into my network, so I can make an extended ACL along the lines of "access-list 101 permit ip any host 172.1.1.1 eq 80" then "access-list 101 deny ip any any" right? This allows port 80 traffic to the http server and prevents all other inbound traffic. Now the part I don't seem to be understanding is any other traffic that originated from within my network will get quashed on its return to the router wouldn't it?
09-19-2004 12:17 AM
Hi,
Extended access-lists are not stateful.
A stateful filter will record details of connections passing through it, and record them into a state table. Traffic that comes back through the router will be checked against the state table and only allowed back to the source if it has a match.
Reflexive lists are stateful and CBAC is also stateful; you can use them for filtering TCP and UDP connections.
In your scenario, you are correct in your statement regarding the established keyword; you will need to use it to permit returning TCP traffic.
If you require more flexibility than this, have a look at reflexive access-lists. They're not that difficult to configure, and the following link should pretty much explain all your questions.
HTH
Paddy
09-18-2004 11:41 PM
That is correct.
Once you have applied access-list 101 to your external interface, traffic that is sourced from your internal LAN will pass through your router to its destination. On the return path from the destination to your source, the traffic will hit your external interface and thus your access list.
Unless the traffic specifically matches your access-list it will be denied.
HTH
Paddy
09-18-2004 11:42 PM
You are correct. Simple router ACLs are not stateful, in which case they will NOT keep track of exiting traffic that needs to be allowed back, hence they are dropped.
One way to overcome this is by using the word "established" in your acl. This will match packets based on the ACK or FIN flag set for TCP.
Other methods such as "CBAC" or "Reflexive acl" could be used on specific applications to overcome such limitation.
09-19-2004 12:00 AM
Ok so the information provided so far is heading at my answer, even part of it for that matter so thank you.
To clarify though, you said that Simple router ACLs are not stateful, so does that mean that Extended ACLs are? Because if I am understanding everything thus far, unless I use the established tag any returning traffic will be disposed of like so much other trash in the bit bucket, right? And for that matter, if the established tag is for TCP will it cause an error if my Extended ACL is listed for IP in general?
Mike
(Thanks again for the replies, I know some day this stuff will be trivial to me, but I want to completely understand it, not just know it...)
09-19-2004 12:21 AM
Good to go, thanks! (Looks as I got some reading/playing to do with reflexive lists ;) )
Mike
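As an added example that is not part of the thread, here are the two approaches the replies describe, written out as IOS configuration. It assumes the outside interface is Serial0/0 and keeps the question's web server address 172.1.1.1; the list names are made up. Note that port matching (eq 80) needs a tcp entry rather than ip.

```cisco
! --- Option 1: stateless extended ACL using the established keyword ---
! Applied inbound on the outside interface. "established" is not a
! state table: it only matches TCP segments with the ACK or RST bit set,
! so it lets replies to inside-initiated TCP sessions through but does
! nothing for UDP (for example DNS answers), which still hit the deny.
ip access-list extended OUTSIDE-IN-STATELESS
 permit tcp any host 172.1.1.1 eq 80
 permit tcp any any established
 deny   ip any any log
!
interface Serial0/0
 ip access-group OUTSIDE-IN-STATELESS in

! --- Option 2: reflexive ACL (stateful for TCP and UDP) ---
! Apply this instead of option 1, not alongside it. Outbound traffic
! matching a "reflect" entry creates a temporary mirrored entry in
! TRACK-RETURN; the inbound list consults those entries with "evaluate".
! Reflexive entries require named extended access lists.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect TRACK-RETURN timeout 300
 permit udp any any reflect TRACK-RETURN timeout 60
 permit ip any any
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 172.1.1.1 eq 80
 evaluate TRACK-RETURN
 deny   ip any any log
!
interface Serial0/0
 ip access-group OUTSIDE-OUT out
 ip access-group OUTSIDE-IN in
```

While an inside host has a session open, show ip access-lists will display the temporary TRACK-RETURN entries, which is the quickest way to confirm the reflexive list is tracking what you expect.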