ACL and ICMP return traffic after pinging an external host

Sherwin Clarke
Level 1

Quick Scenario:

Let's say I have a router with two interfaces, external (Internet facing) and internal (LAN facing) and I have a single access list applied to the external interface.

This is the access list:

access-list 110 deny ip any any

This access list is applied to the external interface as follows:

interface Serial0

 ip access-group 110 in

My questions are:

  1. If a user from the LAN pings an external host on the Internet, would the ICMP return traffic (timeout, echo-reply, destination unreachable, etc.) be allowed to pass through the access list successfully or would it be blocked? And why?
  2. Do I need to explicitly specify what ICMP return traffic to allow before that ICMP traffic can pass through?

appreciate your response

Regards

Sherwin

3 Replies

gatlin007
Level 4

Let's assume this is an IOS router.

Let's also assume the following topology.


Let's also assume that the syntax used on ACL 110 is 'access-list 110 deny ip any any'

In this case the LAN host would send an ICMP echo.  *If* the echo gets to the internet host and isn't blocked along the path *and* the internet host sends an echo-reply that isn't blocked on the path back *then* ACL 110 would certainly kill the packet as it matches the deny action.

You could modify the ACL in this manner to allow the reply; but it would not be stateful and would allow all ICMP echo-reply:

access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any

By default routers are not stateful and will not be aware of what flows are initiated from a trusted interface.

If you'd like your router to be stateful and allow return traffic the firewall feature set is available.  If you don't have the firewall feature set I believe most feature sets support 'reflexive access-lists'.  This isn't as secure as stateful inspection but does account for return traffic.


Chris
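The two options Chris describes, written out as an added example (this is not configuration from the original post). Option A is the stateless permit; Option B is a reflexive access list. They are alternatives, not meant to be applied together. The interface name Serial0 comes from the question; the ACL names OUTBOUND, INBOUND, ICMP-REPLIES, TCP-REPLIES and UDP-REPLIES and the timeout values are assumed.

```cisco
! Option A: static permit, applied with the existing 'ip access-group 110 in'
! on Serial0. Stateless: any Internet host can send an echo-reply inbound
! whether or not a LAN host ever sent an echo. Unreachables and time-exceeded
! from intermediate routers are separate ICMP types and need their own lines.
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny ip any any log
!
! Option B: reflexive ACL. 'reflect' only exists in named extended ACLs, so
! numbered ACL 110 is replaced by two named lists on the external interface.
! An outbound packet matching a 'reflect' line creates a temporary entry in the
! named reflexive list with source and destination swapped; 'evaluate' checks
! inbound packets against those entries before the final deny.
ip access-list extended OUTBOUND
 permit icmp any any reflect ICMP-REPLIES timeout 60
 permit tcp any any reflect TCP-REPLIES timeout 300
 permit udp any any reflect UDP-REPLIES timeout 60
 permit ip any any
!
ip access-list extended INBOUND
 evaluate ICMP-REPLIES
 evaluate TCP-REPLIES
 evaluate UDP-REPLIES
 deny ip any any log
!
interface Serial0
 description Internet
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification while a LAN host is pinging: the temporary entry is visible with
!   show ip access-lists ICMP-REPLIES
```

Caveat for the original question: a ping from a LAN host to an Internet host creates a reflexive entry of the form `permit icmp host <Internet host> host <LAN host>`, so the echo-reply passes, but a time-exceeded or destination-unreachable generated by an intermediate router carries that router's address as source, matches no reflexive entry and is dropped by the final deny. Reflexive ACLs are per-address-pair, not a model of the ICMP exchange.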

Thanks for the reply Chris,

Please bear with me just another quick one:

You said that routers are not stateful by default and assuming that is the case in this scenario, would the behavior be the same if that same user were to send an internet request to a web server?  i.e. would the return traffic be blocked by the same access list?

And finally, if the router becomes stateful (by inserting appropriate ip inspect commands) would the router now allow the return traffic in spite of the access-list?

Sherwin

> You said that routers are not stateful by default and assuming that is the case in this scenario, would the behavior be the same if that same user were to send an internet request to a web server? i.e. would the return traffic be blocked by the same access list?

Yes, the behavior is the same.

> And finally, if the router becomes stateful (by inserting appropriate ip inspect commands) would the router now allow the return traffic in spite of the access-list?

Yes, the router will allow traffic regardless of the "static" access-list.

Regards,

Jernej
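The stateful variant Jernej confirms, as an added example (not configuration from the original thread): CBAC from the IOS Firewall feature set, with ACL 110 left exactly as posted. The inspection rule name LAN-OUT and the internal interface name FastEthernet0 are assumed; `ip inspect name ... icmp` assumes an IOS release that includes ICMP inspection.

```cisco
! ACL 110 still denies everything arriving on Serial0. Inspection watches
! sessions leaving the LAN and inserts temporary permit entries ahead of the
! inbound ACL on Serial0 for the matching return traffic only, so a web request
! (tcp) and a ping (icmp) both get their replies without editing the ACL.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
!
access-list 110 deny ip any any log
!
interface FastEthernet0
 description LAN
 ip inspect LAN-OUT in
!
interface Serial0
 description Internet
 ip access-group 110 in
!
! Verification while a LAN host has a web or ping session open:
!   show ip inspect sessions
! Unsolicited inbound echo-replies or SYNs still hit the deny line and are logged.
```

The difference from the reflexive option is that inspection tracks the session rather than an address pair: TCP entries are removed when the connection closes or idles out, and ICMP inspection also admits the unreachable and time-exceeded messages related to an inspected echo, which is the part of the original question a reflexive ACL cannot answer.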
