Beginner

Router Interpretation of in/outbound ACL confusion...

I am just finishing my CCNA4 semester, trying to do the best I can on our final class project, but I am having problems understanding one simple fact about ACLs...

OK, so to start: I want to prevent anything but HTTP (80) traffic into my network, so I can make an extended ACL along the lines of "access-list 101 permit ip any host 172.1.1.1 eq 80" then "access-list 101 deny ip any any", right? This allows port 80 traffic to the HTTP server and prevents all other inbound traffic. Now the part I don't seem to be understanding is: any other traffic that originated from within my network will get quashed on its return to the router, wouldn't it?

Frequent Contributor

Re: Router Interpretation of in/outbound ACL confusion...

That is correct.

Once you have applied access-list 101 to your external interface, traffic that is sourced from your internal LAN will pass through your router to its destination. On the return path from the destination to your source, the traffic will hit your external interface and thus your access list.

Unless the traffic specifically matches your access-list it will be denied.

HTH

Paddy

Beginner

Re: Router Interpretation of in/outbound ACL confusion...

You are correct. Simple router ACLs are not stateful, in which case they will NOT keep track of exiting traffic that needs to be allowed back, hence they are dropped.

One way to overcome this is by using the word "established" in your ACL. This will match packets based on the ACK or FIN flag set for TCP.

Other methods such as "CBAC" or "reflexive ACLs" could be used on specific applications to overcome such a limitation.

Beginner

Re: Router Interpretation of in/outbound ACL confusion...

OK, so the information provided so far is heading at my answer, even part of it for that matter, so thank you.

To clarify though, you said that simple router ACLs are not stateful, so does that mean that extended ACLs are? Because if I am understanding everything thus far, unless I use the established tag any returning traffic will be disposed of like so much other trash in the bit bucket, right? And for that matter, if the established tag is for TCP, will it cause an error if my extended ACL is listed for IP in general?

Mike

(Thanks again for the replies, I know some day this stuff will be trivial to me, but I want to completely understand it, not just know it...)

Accepted Solution
Frequent Contributor

Re: Router Interpretation of in/outbound ACL confusion...

Hi,

Extended access-lists are not stateful.

A stateful filter will record details of connections passing through it, and record them into a state table. Traffic that comes back through the router will be checked against the state table and only allowed back to the source if it has a match.

Reflexive lists are stateful and CBAC is also stateful; you can use them for filtering TCP and UDP connections.

In your scenario, you are correct in your statement regarding the established keyword; you will need to use it to permit returning TCP traffic.

If you require more flexibility than this, have a look at reflexive access-lists. They're not that difficult to configure, and the following link should pretty much explain all your questions:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c3.html#1000942

HTH

Paddy

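To make the three behaviours discussed in this thread concrete (Paddy's first reply on return traffic hitting the inbound list, the "established" workaround, and the stateful reflexive approach in the accepted answer), here is a small Python simulation. It is an added example written for this page, not code from the thread, from Cisco or from IOS. It parses numbered extended ACEs in IOS syntax (only the `any`/`host` address forms and the `eq`/`established` keywords are supported), evaluates the thread's ACL 101 statelessly, then the same list with a `permit tcp any any established` entry, and finally a reflexive-style state table placed in front of the static list. Like IOS, the parser refuses `eq` on protocol `ip`, so ACL 101 is written with `tcp` here. All addresses, ports and packets are constructed; `172.1.1.1` is the thread's web server, `172.1.1.20` stands in for an inside client, and the `203.0.113.x` hosts are outside.

```python
"""Stateless ACL vs 'established' vs reflexive filtering of return traffic on a
router's outside interface, run on constructed packets (added example, not IOS)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"SYN", "ACK"}


def parse_ace(line):
    """Parse: access-list <n> permit|deny <proto> <src> <dst> [eq <port>] [established]
    Addresses are 'any' or 'host A.B.C.D'; 'eq' applies to the destination port."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "dport": None, "established": False}
    pos = 4
    for key in ("src", "dst"):
        if tok[pos] == "any":             # None acts as a wildcard address
            ace[key], pos = None, pos + 1
        elif tok[pos] == "host":
            ace[key], pos = tok[pos + 1], pos + 2
        else:
            raise ValueError(f"unsupported address form: {tok[pos]}")
    while pos < len(tok):
        if tok[pos] == "eq":
            if ace["proto"] not in ("tcp", "udp"):  # IOS also rejects 'eq' on 'ip'
                raise ValueError("port match requires protocol tcp or udp")
            ace["dport"], pos = int(tok[pos + 1]), pos + 2
        elif tok[pos] == "established":
            ace["established"], pos = True, pos + 1
        else:
            raise ValueError(f"unsupported keyword: {tok[pos]}")
    return ace


def ace_is_valid(line):
    """True if the entry parses; False for lines IOS would also refuse."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def ace_matches(ace, pkt):
    # 'established' matches only TCP segments carrying ACK or RST
    return (ace["proto"] in ("ip", pkt.proto)
            and ace["src"] in (None, pkt.src)
            and ace["dst"] in (None, pkt.dst)
            and ace["dport"] in (None, pkt.dport)
            and (not ace["established"] or bool(pkt.flags & {"ACK", "RST"})))


def stateless_acl(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


class ReflexiveFilter:
    """Records each outbound TCP/UDP flow; an inbound packet is permitted if it
    is the mirror image of a recorded flow, otherwise the static ACL decides."""
    def __init__(self, inbound_acl):
        self.inbound_acl, self.state = inbound_acl, set()

    def outbound(self, pkt):
        self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.state:
            return "permit"
        return stateless_acl(self.inbound_acl, pkt)


# The thread's ACL 101 (written with 'tcp', since 'eq 80' needs a port-carrying
# protocol) and the same list with an 'established' entry; both constructed here.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp any host 172.1.1.1 eq 80",
    "access-list 101 deny ip any any")]
ACL_101_ESTABLISHED = [parse_ace(l) for l in (
    "access-list 101 permit tcp any host 172.1.1.1 eq 80",
    "access-list 101 permit tcp any any established",
    "access-list 101 deny ip any any")]

# Constructed traffic: 172.1.1.20 is an inside client, 203.0.113.x are outside hosts.
HTTP_IN = Packet("tcp", "203.0.113.9", 51000, "172.1.1.1", 80, frozenset({"SYN"}))
CLIENT_OUT = Packet("tcp", "172.1.1.20", 50000, "203.0.113.5", 443, frozenset({"SYN"}))
CLIENT_RETURN = Packet("tcp", "203.0.113.5", 443, "172.1.1.20", 50000, frozenset({"SYN", "ACK"}))
UNSOLICITED_ACK = Packet("tcp", "203.0.113.5", 40000, "172.1.1.20", 22, frozenset({"ACK"}))
DNS_OUT = Packet("udp", "172.1.1.20", 40000, "203.0.113.53", 53)
DNS_RETURN = Packet("udp", "203.0.113.53", 53, "172.1.1.20", 40000)


def compare(inbound_pkt, outbound_pkt=None):
    # Verdict of each filter on inbound_pkt, after the reflexive filter has
    # seen outbound_pkt (if any) leave the network.
    rf = ReflexiveFilter(ACL_101)
    if outbound_pkt is not None:
        rf.outbound(outbound_pkt)
    return {"stateless": stateless_acl(ACL_101, inbound_pkt),
            "established": stateless_acl(ACL_101_ESTABLISHED, inbound_pkt),
            "reflexive": rf.inbound(inbound_pkt)}
```

`compare(CLIENT_RETURN, CLIENT_OUT)` reproduces the thread's problem and both fixes: the plain ACL 101 denies the SYN/ACK coming back to the inside client, while the `established` list and the reflexive filter both permit it. `compare(DNS_RETURN, DNS_OUT)` shows why Paddy mentions UDP: `established` only ever matches TCP, so the DNS reply is dropped unless a stateful mechanism recorded the outbound query. `compare(UNSOLICITED_ACK)` shows the trade-off of the keyword: any segment that merely carries the ACK bit satisfies `established`, whereas the reflexive filter still denies it because no matching outbound flow was recorded. Finally, `ace_is_valid` answers Mike's follow-up question in miniature: a port match on protocol `ip` is not accepted, so an `eq 80` entry has to name `tcp` (or `udp`).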

Beginner

Re: Router Interpretation of in/outbound ACL confusion...

Good to go, thanks! (Looks like I've got some reading/playing to do with reflexive lists ;) )

Mike