10-02-2010 04:59 PM - edited 03-04-2019 09:58 AM
Quick Scenario:
Let's say I have a router with two interfaces, external (Internet facing) and internal (LAN facing) and I have a single access list applied to the external interface.
This is the access list:
access-list 110 deny any any
This access list is applied to the external interface as follows:
interface serial0
 ip access-group 110 in
My questions are:
appreciate your response
Regards
Sherwin
10-02-2010 05:20 PM
Let's assume this is an IOS router.
Let's also assume the following topology.
Let's also assume that the syntax used on ACL 110 is 'access-list 110 deny ip any any'
In this case the LAN host would send an ICMP echo. *If* the echo gets to the internet host and isn't blocked along the path *and* the internet host sends an echo-reply that isn't blocked on the path back *then* ACL 110 would certainly kill the packet as it matches the deny action.
You could modify the ACL in this manner to allow the reply; but it would not be stateful and would allow all ICMP echo-reply:
access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any
By default routers are not stateful and will not be aware of what flows are initiated from a trusted interface.
If you'd like your router to be stateful and allow return traffic the firewall feature set is available. If you don't have the firewall feature set I believe most feature sets support 'reflexive access-lists'. This isn't as secure as stateful inspection but does account for return traffic.
Chris
10-02-2010 05:56 PM
Thanks for the reply Chris,
Please bear with me just another quick one:
You said that routers are not stateful by default and assuming that is the case in this scenario, would the behavior be the same if that same user were to send an internet request to a web server? i.e. would the return traffic be blocked by the same access list?
And finally, if the router becomes stateful (by inserting appropriate ip inspect commands) would the router now allow the return traffic in spite of the access-list?
Sherwin
10-02-2010 10:12 PM
> You said that routers are not stateful by default and assuming that is the case in this scenario, would the behavior be the same if that same user were to send an internet request to a web server? i.e. would the return traffic be blocked by the same access list?
Yes, the behavior is the same.
> And finally, if the router becomes stateful (by inserting appropriate ip inspect commands) would the router now allow the return traffic in spite of the access-list?
Yes, the router will allow traffic regardless of "static" access-list.
Regards,
Jernej
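The two ways of letting return traffic through the inbound deny that the thread arrives at, Chris's reflexive access lists and the ip inspect (CBAC) approach Sherwin asks about, written out as IOS configuration. This is an added example, not configuration posted by anyone in the thread; the ACL and inspection names (OUTBOUND, INBOUND, RETURN, INSIDE-OUT) and the timeout values are assumptions, and ICMP inspection is only accepted on IOS releases that support it (older trains take tcp and udp only).

```cisco
! ===== Option A: reflexive access lists (no firewall feature set) =====
! Reflexive entries can only live inside *named extended* ACLs.
! Global idle timeout for mirrored entries that do not set their own.
ip reflexive-list timeout 120
!
ip access-list extended OUTBOUND
 remark LAN-initiated flows leaving serial0; each match creates a
 remark mirrored (src/dst and ports swapped) temporary entry in RETURN
 permit tcp any any reflect RETURN timeout 300
 permit udp any any reflect RETURN timeout 60
 permit icmp any any reflect RETURN timeout 30
 deny ip any any log
!
ip access-list extended INBOUND
 remark Internet -> LAN: only packets matching a live RETURN entry pass,
 remark everything else still hits the deny exactly as ACL 110 did
 evaluate RETURN
 deny ip any any log
!
interface serial0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! ===== Option B: CBAC stateful inspection (firewall feature set) =====
! An alternative to Option A, not an addition to it. The original static
! ACL 110 stays on the inbound side; ip inspect tracks sessions started
! from the LAN and opens temporary entries in front of ACL 110 for their
! return traffic, so the echo-reply and the web server's response get in
! while unsolicited Internet traffic is still denied.
access-list 110 deny ip any any
!
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp
!
interface serial0
 ip access-group 110 in
 ip inspect INSIDE-OUT out
```

With Option A, `show access-lists RETURN` lists the temporary entries while a LAN-initiated session is open; with Option B, `show ip inspect sessions` shows the tracked sessions, which is how to confirm return traffic is being admitted by state rather than by a hole in the static list.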