Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2069
Views
0
Helpful
6
Replies

Simple ACL question

vinodbharwani
Level 1
Level 1

‎03-21-2008 09:11 AM - edited ‎03-03-2019 09:13 PM

Hi Friend

my question is ACL working in unidirection or bidirection ? if it working in unidirection , how return traffic is allowed ?

if it is unidirection and if i using TCP as protocol how ACK signal allowed ?

-V

Labels:
0 Helpful
6 Replies 6

meballard
Level 1
Level 1

‎03-21-2008 09:30 AM

ACLs operate in one direction only, based on the command you use to apply it to an interface (ip access-group ACLName/Number in/out), where in refers to requests coming to that interface from devices on the same subnet that the interface is on, and out refers to packets that interface sends out to it's subnet.

If you only setup an ACL in only one direction, then all traffic is automatically allowed in the other direction. If you setup an ACL in both direction, then you have to take into account the traffic in both directions (this is very different from a firewall). ACLs don't have any inherent way to track the state of connections, which is what firewalls do (although there are some ways of setting up dynamic ACLs, although I have never done them).

The easiest to to do this for TCP connections is the established keyboard on the ACL for the return direction, which checks part of the TCP header to see if the packets is set as being an established connection, and processes the packets based on that (although there it can be spoofed, but it dramatically simplifies the ACL for the return direction).

Note that UDP and I believe most other protocols do not have the established concept, so they have to be managed manually.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎03-21-2008 10:10 AM

Applied ACLs normally examine traffic flowing in one single direction, but they can look at bidirectional attributes, e.g. source and destination. An extended ACL, such as:

access-list 105 permit tcp any any ack

would permit TCP packets containing the ACK flag.

I suspect, however, you might have in mind how you allow TCP traffic that's in response to outbound traffic. If so, one common method is an ACL that examines return traffic and permits TCP packets with the established flag, e.g.

access-list 105 permit tcp any any established

0 Helpful

vinodbharwani
Level 1
Level 1

‎03-21-2008 12:44 PM

Hi Joseph

That means , when person is using TCP extended access by default person have to add "tcp any any" in access list at the end of ACL.

-V

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to vinodbharwani

‎03-21-2008 05:23 PM

Depends what you're trying to accomplish. Since all ACLs have an implicit deny all at the end, it's up to you to determine whether you'll need a "tcp any any", permit or deny.

0 Helpful

lamav
Level 8
Level 8
In response to Joseph W. Doherty

‎03-21-2008 06:46 PM

Vino:

It sounds like you're looking at an ACL config on a router that is only filtering traffic in one direction and leaving you to wonder how the return traffic is allowed in.

Besides what has been pointed out so far, there is such a thing as a stateful access list, like the access lists you configure on a router running a firewall feature set, or perhaps a firewall.

In those cases, TCP traffic generated on the inside of the network -- the trusted side -- and heading out to the untrusted side, has its return traffic automatically allowed back in. This is called being stateful. A temporary/virtual ACL is created for the return traffic by the IOS to allow the traffic back in.

Just a little extra something to think about.

Victor

0 Helpful

vinodbharwani
Level 1
Level 1
In response to lamav

‎03-22-2008 03:31 AM

Hi Victor

that mean in firewall case return traffic automatically allowed because it is stateful firewall

while in ACL router's case, i need to implement return traffic's ACL in my router

Please correct me if i am wrong

-V

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card