10-24-2007 08:41 PM - edited 03-05-2019 07:18 PM
Hello, I have the following ACL on a 2500 router using IOS 12.0:
The scenario basically looks like this:
LAN--"outside"-Router-"inside"-internet
(seems a little bit strange as to what the router considers in/out)
ip access-list extended INSIDE-E0
evaluate REFLEXIVE-0
permit tcp any host 10.10.10.2 eq 65534 reflect REFLEXIVE-1
deny ip any any log
ip access-list extended OUTSIDE-E0
deny ip 172.16.16.0 0.0.0.15 any
deny ip 172.16.16.16 0.0.0.15 any
permit tcp host 10.10.10.2 eq 65534 any reflect REFLEXIVE-0
permit tcp host 10.10.10.2 host 209.226.175.83 eq pop3 reflect REFLEXIVE-0
permit tcp host 10.10.10.2 host 209.226.175.63 eq smtp reflect REFLEXIVE-0
permit tcp host 10.10.10.2 any eq www reflect REFLEXIVE-0
permit tcp host 10.10.10.2 any eq 443 reflect REFLEXIVE-0
permit tcp host 10.10.10.3 any eq www reflect REFLEXIVE-0
permit tcp host 10.10.10.3 any eq 443 reflect REFLEXIVE-0
permit udp host 10.10.10.2 host 67.69.184.163 eq domain reflect REFLEXIVE-0
permit udp host 10.10.10.3 host 67.69.184.163 eq domain reflect REFLEXIVE-0
deny ip any any log
If, from the machine, I connect out to a host on the "inside", such as
telnet 10.10.10.6 80
The connection attempt does go out from the router locally, to the machine 10.10.10.6 (proven with packet capture on 10.10.10.6). Any other attempts, from machines on the other side of the interface are blocked. It just seems that connections from the router itself go out unfiltered. Any ideas on how to stop this?
10-24-2007 08:53 PM
> It just seems that connections from the router itself go out unfiltered.
You are correct. The router can't police itself and that's a default behavior on outgoing packets.
You can only deny/permit the ingress traffic /when originated from the router/, not the egress traffic.
10-25-2007 08:03 AM
Actually there is a way to control outbound telnet from the router. You can configure access-class on the vty ports, where
But for other kinds of traffic, such as ping etc., Edison is correct that you cannot filter with an access-group on an interface any traffic that is originated by the router itself.
HTH
Rick
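The access-class approach mentioned above, written out as an added configuration example (this is not from the original posts). It uses a numbered standard ACL so it stays within what IOS 12.0 on a 2500 accepts; the permitted address 10.10.10.2 is taken from the thread, and the ACL number 10 is an arbitrary choice for the example.

```ios
! Added example, not part of the original thread.
! With "access-class ... out" on a vty, the standard ACL is matched against
! the DESTINATION address of a telnet session opened from that vty session.
! ACL number 10 is an assumption for this example.
access-list 10 permit 10.10.10.2
access-list 10 deny   any
!
line vty 0 4
 access-class 10 out
```

After applying this, an operator logged in on a vty who types `telnet 10.10.10.6 80` is refused, while `telnet 10.10.10.2` is still allowed. Two caveats to check before relying on it: the `out` access-class only governs sessions started from a vty session, so it does nothing for traffic the router sources on its own (ping, traceroute, DNS lookups, routing protocol packets), which is exactly the limitation Rick describes; and it is separate from an `access-class ... in`, which controls who may log in to the vty in the first place. `show running-config | include access-class` confirms the line is applied.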