cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1299
Views
0
Helpful
8
Replies

Access list Direction

curtmcgirt
Level 1
Level 1

i have a 2921 with a serial and an ethernet. i created an access list allowing http and SMTP from any source to destination [my /24 subnet that lives on the ethernet side of the router]. i applied the ACL *IN* to the serial interface.

i thought that the whole IN/OUT thing meant that if i applied it IN on the serial, it would only affect traffic coming "in" from the internet, and that traffic coming across the router from the ethernet side would be considered "out" and not be affected by the ACL. but this was not the case. servers on the ethernet side of the router could no longer talk "out" to internet SMTP or web servers, i assume because of the my acl has a specific destination network and an implied deny any any at the end.

is this expected? if an "IN" access-list also affects "out" traffic, what's the point of the direction modifier?

8 Replies 8

Joseph W. Doherty
Hall of Fame
Hall of Fame

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

"in" would be for traffic ingressing the interface.  From what you describe, are you sure you're not unintentionally blocking some inbound traffic?

my intent is to block all traffic from the internet except http and smtp on the serial interface.

let's say serial interface is 7.7.7.1, and ethernet interface is 6.6.6.1, web server is 6.6.6.100

ip access-list extended ALLOW

10 permit tcp any 6.6.6.0 255.255.255.0 eq smtp

20 permit tcp any 6.6.6.0 255.255.255.0 eq http

int s0/0

ip access-group ALLOW in

there is no access list on the ethernet interface.

my thought was that this would block everything except smtp and http inbound from the internet, but have zero effect on  outbound traffic. but what happens is that web server 6.6.6.100 can't browse the internet anymore. as soon as i take the access-list off the interface, web server 6.6.6.100 can browse the internet again.

Disclaimer

The    Author of this posting offers the information contained within this    posting without consideration and with the reader's understanding that    there's no implied or expressed suitability or fitness for any  purpose.   Information provided is for informational purposes only and  should not   be construed as rendering professional advice of any kind.  Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In    no event shall Author be liable for any damages whatsoever  (including,   without limitation, damages for loss of use, data or  profit) arising  out  of the use or inability to use the posting's  information even if  Author  has been advised of the possibility of such  damage.

Posting

"but what happens is that web server 6.6.6.100 can't browse the internet" - is that correct?  I.e. you didn't mean the web server cannot be browsed from the Internet?  If you meant the former, your ACL will block browsing (to) the Internet, as the return traffic would not have a destination port of 80.

Try adding:

30 permit tcp any eq http 6.6.6.0 255.255.255.0

PS:

You might also allow (additional) any inbound TCP that's part of an active conservation or use reflective ACLs.

ahh. thank you Joseph. i did mean the former. so it's the return traffic. so the way i have my access list set up, the i can't open up IE on my web server and browse to yahoo.com because my web server can't do DNS lookups against internet DNS servers because udp 53 is not allowed inbound, and can't telnet to yahoo.com on tcp 80 because the return traffic is not on tcp 80?

just curious, what is the difference between my

20 permit tcp any 6.6.6.0 255.255.255.0 eq http

and your

30 permit tcp any eq http 6.6.6.0 255.255.255.0

i guess a reflective ACL is the only way to go if i want to specifically block certain traffic from sessions started on the serial side of the router, but allow everything in and out from sessions generated from the ethernet side of the router?

As this router is connected to the internet, you really should configure statefull packet inspection. For that you need at least the security-license. If you have that, you have two choices for firewalling on the router: The legacy CBAC ("ip inspect ...") and the zone-based firewall. In your setup I would still go for CBAC, as that is much easier to configure.

Karsten

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

ahh. thank you Joseph. i did mean the former. so it's the return traffic. so the way i have my access list set up, the i can't open up IE on my web server and browse to yahoo.com because my web server can't do DNS lookups against internet DNS servers because udp 53 is not allowed inbound, and can't telnet to yahoo.com on tcp 80 because the return traffic is not on tcp 80?

Yup, exactly -- and yes there's DNS to consider too.

just curious, what is the difference between my

20 permit tcp any 6.6.6.0 255.255.255.0 eq http

and your

30 permit tcp any eq http 6.6.6.0 255.255.255.0

Source port vs. destination port.  Normally, you contact a web server with a locally assigned source port and a destination port of 80.  The reply packet will flip these, in that the web server's source port will be 80 and the destination port your original outbound source port.


i guess a reflective ACL is the only way to go if i want to specifically block certain traffic from sessions started on the serial side of the router, but allow everything in and out from sessions generated from the ethernet side of the router?

Reflective will work well for "replies" that mirror the outbound traffic.  Not all apps work this way.

For TCP, you might also just accept packets with the established bit.  You might want to read:

http://www.ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/TCP-s-Established-Option.html

willymaldonado1
Level 1
Level 1

hi curtmcgirt

     also remember that an acl to the out needs to be applied to the wan interface with a ip nat outside, if you are using ip nat, and also an ip route needs to be configure in order to tell your traffic where to go to.

I hope this helps you out.

best regards,

Willy

dungthieu
Level 1
Level 1

I think your acl is not correct

Sent from Cisco Technical Support iPhone App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: