06-20-2012 11:31 AM - edited 03-04-2019 04:44 PM
I have a 2921 with a serial and an Ethernet interface. I created an access list allowing HTTP and SMTP from any source to destination [my /24 subnet that lives on the Ethernet side of the router]. I applied the ACL *IN* on the serial interface.
I thought that the whole IN/OUT thing meant that if I applied it IN on the serial, it would only affect traffic coming "in" from the Internet, and that traffic coming across the router from the Ethernet side would be considered "out" and not be affected by the ACL. But this was not the case. Servers on the Ethernet side of the router could no longer talk "out" to Internet SMTP or web servers, I assume because my ACL has a specific destination network and an implied deny any any at the end.
Is this expected? If an "IN" access-list also affects "out" traffic, what's the point of the direction modifier?
06-20-2012 12:33 PM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
"in" would be for traffic ingressing the interface. From what you describe, are you sure you're not unintentionally blocking some inbound traffic?
06-20-2012 01:35 PM
My intent is to block all traffic from the Internet except HTTP and SMTP on the serial interface.
Let's say the serial interface is 7.7.7.1, the Ethernet interface is 6.6.6.1, and the web server is 6.6.6.100.
ip access-list extended ALLOW
 ! IOS ACLs take a wildcard mask: 0.0.0.255 selects 6.6.6.0/24
 ! (255.255.255.0 would be read as a wildcard and match only addresses ending in .0)
 10 permit tcp any 6.6.6.0 0.0.0.255 eq smtp
 20 permit tcp any 6.6.6.0 0.0.0.255 eq http
 ! implicit "deny ip any any" at the end of every ACL
interface Serial0/0
 ip access-group ALLOW in
There is no access list on the Ethernet interface.
My thought was that this would block everything except SMTP and HTTP inbound from the Internet, but have zero effect on outbound traffic. But what happens is that web server 6.6.6.100 can't browse the Internet anymore. As soon as I take the access list off the interface, web server 6.6.6.100 can browse the Internet again.
06-20-2012 01:43 PM
"but what happens is that web server 6.6.6.100 can't browse the internet" - is that correct? I.e. you didn't mean the web server cannot be browsed from the Internet? If you meant the former, your ACL will block browsing (to) the Internet, as the return traffic would not have a destination port of 80.
Try adding:
30 permit tcp any eq http 6.6.6.0 0.0.0.255
PS:
You might also allow (additionally) any inbound TCP that's part of an active conversation, or use reflexive ACLs.
06-20-2012 01:59 PM
Ahh. Thank you Joseph. I did mean the former. So it's the return traffic. So the way I have my access list set up, I can't open IE on my web server and browse to yahoo.com because my web server can't do DNS lookups against Internet DNS servers, because UDP 53 is not allowed inbound, and can't telnet to yahoo.com on TCP 80 because the return traffic is not on TCP 80?
Just curious, what is the difference between my
20 permit tcp any 6.6.6.0 0.0.0.255 eq http
and your
30 permit tcp any eq http 6.6.6.0 0.0.0.255
I guess a reflexive ACL is the only way to go if I want to specifically block certain traffic from sessions started on the serial side of the router, but allow everything in and out from sessions generated from the Ethernet side of the router?
06-20-2012 03:46 PM
As this router is connected to the Internet, you really should configure stateful packet inspection. For that you need at least the security license. If you have that, you have two choices for firewalling on the router: the legacy CBAC ("ip inspect ...") and the zone-based firewall. In your setup I would still go for CBAC, as that is much easier to configure.
Karsten
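As an added example (not Karsten's configuration or the original poster's), this is what the CBAC approach looks like with the thread's addresses; the interface name Serial0/0 and the inspection rule name FW-OUT are assumptions:

```cisco
! Static inbound filter on the WAN side: only what the outside is allowed to
! start. Wildcard mask 0.0.0.255 selects 6.6.6.0/24. The explicit final deny
! with "log" makes rejected connection attempts visible in syslog.
ip access-list extended ALLOW
 permit tcp any 6.6.6.0 0.0.0.255 eq smtp
 permit tcp any 6.6.6.0 0.0.0.255 eq http
 deny   ip any any log
!
! CBAC inspection rule (assumed name FW-OUT). Generic tcp and udp inspection
! covers web browsing and DNS lookups started from the inside.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
!
! Inspecting "out" on the serial interface tracks sessions the inside hosts
! open and adds temporary entries ahead of ALLOW for their return packets.
! Sessions that start from the Internet are never inspected here, so they
! are still judged by the static ALLOW list alone.
interface Serial0/0
 ip access-group ALLOW in
 ip inspect FW-OUT out
```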
06-20-2012 04:36 PM
Ahh. Thank you Joseph. I did mean the former. So it's the return traffic. So the way I have my access list set up, I can't open IE on my web server and browse to yahoo.com because my web server can't do DNS lookups against Internet DNS servers, because UDP 53 is not allowed inbound, and can't telnet to yahoo.com on TCP 80 because the return traffic is not on TCP 80?
Yup, exactly -- and yes there's DNS to consider too.
Just curious, what is the difference between my
20 permit tcp any 6.6.6.0 0.0.0.255 eq http
and your
30 permit tcp any eq http 6.6.6.0 0.0.0.255
Source port vs. destination port. Normally, you contact a web server with a locally assigned source port and a destination port of 80. The reply packet will flip these, in that the web server's source port will be 80 and the destination port your original outbound source port.
I guess a reflexive ACL is the only way to go if I want to specifically block certain traffic from sessions started on the serial side of the router, but allow everything in and out from sessions generated from the Ethernet side of the router?
Reflexive will work well for "replies" that mirror the outbound traffic. Not all apps work this way.
For TCP, you might also just accept packets with the established bit. You might want to read:
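Added example showing both suggestions from this reply, the "established" shortcut and a reflexive ACL, using the thread's addresses (this is not Joseph's own configuration); the interface name Serial0/0, the list names and the timeouts are assumptions:

```cisco
! Option A: "established" matches TCP segments with ACK or RST set, i.e. the
! replies to sessions the inside hosts opened. It is stateless: the router
! never checks that a matching outbound SYN was seen, and it does nothing for
! UDP, so DNS replies (source port 53 to the client's ephemeral port) need
! their own line.
ip access-list extended ALLOW
 permit tcp any 6.6.6.0 0.0.0.255 eq smtp
 permit tcp any 6.6.6.0 0.0.0.255 eq http
 permit tcp any 6.6.6.0 0.0.0.255 established
 permit udp any eq domain 6.6.6.0 0.0.0.255 gt 1023
 deny   ip any any log
!
! Option B: reflexive ACL. Sessions leaving through the serial interface are
! recorded in the temporary list REPLIES (assumed name) and the inbound list
! evaluates it, so only the mirror image (addresses and ports swapped) of a
! session the inside started is admitted, for UDP as well as TCP. Entries
! expire after the timeout so the hole closes when the session ends.
ip access-list extended OUTBOUND
 permit tcp 6.6.6.0 0.0.0.255 any reflect REPLIES timeout 300
 permit udp 6.6.6.0 0.0.0.255 any reflect REPLIES timeout 30
 permit ip any any
ip access-list extended ALLOW-REFLEXIVE
 permit tcp any 6.6.6.0 0.0.0.255 eq smtp
 permit tcp any 6.6.6.0 0.0.0.255 eq http
 evaluate REPLIES
 deny   ip any any log
!
interface Serial0/0
 ! apply exactly one inbound list: ALLOW (option A) or ALLOW-REFLEXIVE (option B)
 ip access-group OUTBOUND out
 ip access-group ALLOW-REFLEXIVE in
```

With option A, "show access-lists ALLOW" hit counts on the established line will show return traffic being accepted; with option B, "show access-lists REPLIES" lists the temporary entries while sessions are open.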
06-20-2012 04:37 PM
Hi curtmcgirt,
Also remember that an ACL applied outbound needs to be applied to the WAN interface with an ip nat outside, if you are using IP NAT, and also an ip route needs to be configured in order to tell your traffic where to go.
I hope this helps you out.
best regards,
Willy
06-21-2012 04:28 AM
I think your ACL is not correct.
Sent from Cisco Technical Support iPhone App