cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14605
Views
20
Helpful
11
Replies
Highlighted
Beginner

Allowing return traffic through ACL

Hello to you.

I have PC connected to back of router. I have internet connected to front of router. I can browse the internet from PC but I don't understand why.

I have very restrictive inbound access list on the router interface connected to the internet. I have no statement to allow returning web browsing traffic to the PC.

Please help me to understand

SS

11 REPLIES 11
Highlighted
Beginner

The ACL contains rules that are applied only on the interface where you'll apply it. And on the interface, the ACL will filter depending on the direction inboud (to the interface) / outbound (from the interface).

If there is no ACL specified on the interface, there will be no filtering.

Highlighted
Hall of Fame Guru

SS

We do not have enough information here to be able to determine what is going on and so to help you. If you would post the content of the access list and the interface configuration then we might be able to provide explanation.

HTH

Rick

Sent from Cisco Technical Support iPad App

HTH

Rick
Highlighted
Rising star

Hi,

I guess your question is even though you have applied the ACL in outside interface of router for blocking web traffic but it was going through for the internet access from your PC which is inside of the router????

If that is your question... then my answer here is .... if your devices supports stateful inspection then it will get allowed....

if that is the another case then if you blocked the port 80 in the outside interface then it will not block... Because when you access any web page/internet.... you traffic will be like this for eg: your PC IP is 1.1.1.1 trying to access 2.2.2.2 on 80 port.... then you source IP&port is 1.1.1.1 : (1024-65535) & destination IP is 2.2.2.2(80). So your response from 2.2.2.2 will have the source ip and port as (2.2.2.2:80) but the destination IP and port will be 1.1.1.1:( 1024-65535). So this will not block. If you block tcp (1024-65535) in the outside interface in direction will make your traffic blcoked.

Please do rate if the given information helps.

By

Karthik

Highlighted
Beginner

Let me to rephrase. I was attempting to give an example to help illustrate my question. My real problem is theory.

I no understand how return traffic can pass through access list if there is no statements to allow it.

Use web traffic as example. PC with source IP 1.1.1.1 and source port 1100 browses to destination IP 2.2.2.2 and destination port 80. How does the return traffic pass through the access list if there is no statement permit traffic to 1.1.1.1 with port 1100

Thanks to you

SS

Highlighted

The short answer is it doesn't if you have not allowed it in the access-list but it is more complicated than that. Let says you have -

PC1 ->  (fa0/0) R1 (fa0/1) -> internet

on R1 (which is a router) you have applied an acl in the inbound direction to interface fa0/0 allowing your PC access to 2.2.2.2. When PC1 sends the packet it is checked against the acl and if it is allowed (which it is) then the packet is sent on to 2.2.2.2.

When the return packet is sent back to PC1 it is allowed because the packet is not checked against the inbound acl. The inbound acl only checks traffic that is coming into fa0/0 ie. from PC1. The return traffic is not inbound to fa0/0 but is inbound to fa0/1 and outbound on fa0/0.  If you applied an acl inbound on fa0/1 or outbound on fa0/0 then you would indeed need to then permit the return traffic in that acl.

Jon

Highlighted

Using your example. If i did apply ACL to fa0/1, and i would because it connected to internet, want entry would i use to allow return traffic? Since source port is random I don't understand how this work?

Thanks

SS

Highlighted

For that specific webserver on the internet -

access-list 101 permit tcp host 2.2.2.2 eq 80 host 1.1.1.1

this however is the main issue with using regular network acls to restrict internet access. If for example you wanted to only allow http browsing from the inside and you then wanted to apply an acl on fa0/1 to protect your internal network it becomes difficult because you then need something like -

access-list 101 permit tcp any eq 80  

which means allow any web server on the internet to send traffic to your LAN. This is where firewalls come in handy, either CBAC or ZBFW which can be run on a router or a stateful firewall such as the ASA. For example an ASA would -

PC1 -> (gi0) ASA (gi1) -> internet

by default the gi1 interface (the outside interface) will allow no traffic from the outside ie. the internet to your LAN. So your LAN is protected. However if the traffic is originated from the inside then the return traffic is automatically allowed back in. So if PC1 connects to 2.2.2.2 then the return traffic is allowed back. But if 2.2.2.2 sent traffic to PC1 without PC1 having first sent traffic it would be blocked.

You can do the same sort of thing with CBAC or ZBFW.  Without a firewall you need to either -

1) use a lot of acl entries eg. you could have an entry per web server but that is very tedious

or

2) have a very open access-list such as the example i gave

A sort of halfway house are reflexive acls which also allow traffic to be automatically allowed back in but they do not have the added intelligence that stateful firewalls have.

Jon

Highlighted

Hi,

I no understand how return traffic can pass through access list if there is no statements to allow it.

Router will have a default function like a firewall. If no ACL applied to the interface it will allow the traffic by default. Whereas firewall will allow/deny based on the security-level which traffic passing in by default eventhough you don have any ACL pointed to the interface.

rather you can specify the ACL in outside(Internet connectimng) interface like the below.

access-list 101 deny tcp any eq 80 1.1.1.1 255.255.255.255

so any webtraffic towards / sourced from 1.1.1.1 will get blocked in the outside interface.

Please do rate if the given information helps.

By

Karthik

Highlighted

As a theoretical question this is simple to answer: if an access list is applied to examine traffic on an interface and has no statement to permit a certain traffic then that traffic will not pass through the interface but will be dropped.

When you start to deal with examples and practical implementations then it starts to get complicated. You need to consider the effects of which interface it is applied on relative to where is the source and where is the destination, and to consider whether the access list is applied inbound or outbound. You also need to consider the possibility that the traffic may be permitted though there is no specific reference to source network or destination network (perhaps something like permit tcp any any established).

And it gets much more complicated if you get beyond simple access lists on interfaces and start to get involved with things where the router may be doing stateful inspection (perhaps things including ZBF, or inspection of traffic) because these things may generate permits for traffic that you do not specifically configure in access lists.

So in theory it is simple and has a simple answer. In practice it may become quite complicated.

HTH

Rick

HTH

Rick
Highlighted

Ah maybe permit tcp any any established is the answer i look for?

Sorry to still be confused

Maybe answer to this scenario will clear it for me. Sorry for add firewall into mix but this is my actual setup.

PC/1.1.1.2 ---> (fa0/0) Firewall (fa0/1) ---> (fa0/0) Perimeter Router (fa0/1) ---> internet web server/2.2.2.2

The only access list is inbound on perimter router on fa0/1. The access list only permit ftp inbound to single ftp server on my network from any source

The router only uses ACL. No firewall features.

All IP's are public, no nat involved.

Firewall is configured to allow return traffic

Question is will return traffic be permitted from web server to PC? If no will the permit tcp any any established permit traffic?

Highlighted

Hi,

yes the established keyword will  let pass from out to in the tcp packets that have the ACK or RST flags.

So the return packets form a webserver on the internet to inside connections  are in this case  and they will be permited.

But security wise this is very weak because it is easy to spoof these flags.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Content for Community-Ad