Allowing return traffic through ACL

semajsirrah
Level 1

Hello to you.

I have a PC connected to the back of a router and the internet connected to the front of the router. I can browse the internet from the PC but I don't understand why.

I have a very restrictive inbound access list on the router interface connected to the internet. I have no statement to allow returning web-browsing traffic to the PC.

Please help me to understand.

SS

11 Replies

zheng.olivier
Level 1

An ACL's rules are applied only on the interface where you apply it, and on that interface the ACL filters depending on the direction: inbound (into the interface) or outbound (out of the interface).

If there is no ACL specified on the interface, there will be no filtering.

Richard Burts
Hall of Fame

SS

We do not have enough information here to be able to determine what is going on and so to help you. If you would post the content of the access list and the interface configuration then we might be able to provide explanation.

HTH

Rick


nkarthikeyan
Level 7

Hi,

I guess your question is: even though you have applied the ACL on the outside interface of the router to block web traffic, it still went through and your PC inside the router had internet access?

If that is your question, then my answer is: if your device supports stateful inspection then it will be allowed.

If it is the other case, blocking port 80 on the outside interface will not block it. When you access any web page, your traffic looks like this, for example: your PC IP is 1.1.1.1 trying to access 2.2.2.2 on port 80, so your source IP and port are 1.1.1.1:(1024-65535) and your destination IP and port are 2.2.2.2:80. The response from 2.2.2.2 will have source IP and port 2.2.2.2:80 but destination IP and port 1.1.1.1:(1024-65535), so it will not be blocked. Blocking tcp ports 1024-65535 on the outside interface in the inbound direction will make your traffic blocked.

Please do rate if the given information helps.

By

Karthik

semajsirrah
Level 1

Let me rephrase. I was attempting to give an example to help illustrate my question. My real problem is theory.

I don't understand how return traffic can pass through an access list if there are no statements to allow it.

Use web traffic as an example. A PC with source IP 1.1.1.1 and source port 1100 browses to destination IP 2.2.2.2 and destination port 80. How does the return traffic pass through the access list if there is no statement permitting traffic to 1.1.1.1 on port 1100?

Thank you.

SS

The short answer is it doesn't if you have not allowed it in the access-list, but it is more complicated than that. Let's say you have -

PC1 ->  (fa0/0) R1 (fa0/1) -> internet

on R1 (which is a router) you have applied an ACL in the inbound direction on interface fa0/0 allowing your PC access to 2.2.2.2. When PC1 sends the packet it is checked against the ACL and if it is allowed (which it is) then the packet is sent on to 2.2.2.2.

When the return packet is sent back to PC1 it is allowed because the packet is not checked against the inbound ACL. The inbound ACL only checks traffic that is coming into fa0/0, i.e. from PC1. The return traffic is not inbound to fa0/0 but is inbound to fa0/1 and outbound on fa0/0. If you applied an ACL inbound on fa0/1 or outbound on fa0/0 then you would indeed need to permit the return traffic in that ACL.

Jon

Using your example, if I did apply an ACL to fa0/1, and I would because it is connected to the internet, what entry would I use to allow return traffic? Since the source port is random, I don't understand how this works.

Thanks

SS

For that specific webserver on the internet -

access-list 101 permit tcp host 2.2.2.2 eq 80 host 1.1.1.1

This however is the main issue with using regular network ACLs to restrict internet access. If for example you wanted to only allow HTTP browsing from the inside and you then wanted to apply an ACL on fa0/1 to protect your internal network, it becomes difficult because you then need something like -

access-list 101 permit tcp any eq 80 any

which means allow any web server on the internet to send traffic to your LAN. This is where firewalls come in handy, either CBAC or ZBFW, which can be run on a router, or a stateful firewall such as the ASA. For example an ASA would -

PC1 -> (gi0) ASA (gi1) -> internet

by default the gi1 interface (the outside interface) will allow no traffic from the outside, i.e. the internet, to your LAN. So your LAN is protected. However if the traffic is originated from the inside then the return traffic is automatically allowed back in. So if PC1 connects to 2.2.2.2 then the return traffic is allowed back. But if 2.2.2.2 sent traffic to PC1 without PC1 having first sent traffic, it would be blocked.

You can do the same sort of thing with CBAC or ZBFW. Without a firewall you need to either -

1) use a lot of ACL entries, e.g. you could have an entry per web server, but that is very tedious

or

2) have a very open access-list such as the example I gave

A sort of halfway house are reflexive ACLs, which also allow traffic to be automatically allowed back in, but they do not have the added intelligence that stateful firewalls have.

Jon

Hi,

"I don't understand how return traffic can pass through an access list if there are no statements to allow it."

A router has a default function like a firewall: if no ACL is applied to the interface it will allow the traffic by default, whereas a firewall will allow/deny by default based on the security level of the interface the traffic passes in through, even though you don't have any ACL applied to the interface.

Rather, you can specify the ACL on the outside (internet-connecting) interface like the below.

access-list 101 deny tcp any eq 80 host 1.1.1.1

so any web traffic towards / sourced from 1.1.1.1 will get blocked on the outside interface.

Please do rate if the given information helps.

By

Karthik

As a theoretical question this is simple to answer: if an access list is applied to examine traffic on an interface and has no statement to permit a certain traffic then that traffic will not pass through the interface but will be dropped.

When you start to deal with examples and practical implementations then it starts to get complicated. You need to consider the effects of which interface it is applied on relative to where the source and the destination are, and to consider whether the access list is applied inbound or outbound. You also need to consider the possibility that the traffic may be permitted though there is no specific reference to the source network or destination network (perhaps something like permit tcp any any established).

And it gets much more complicated if you get beyond simple access lists on interfaces and start to get involved with things where the router may be doing stateful inspection (perhaps things including ZBF, or inspection of traffic) because these things may generate permits for traffic that you do not specifically configure in access lists.

So in theory it is simple and has a simple answer. In practice it may become quite complicated.

HTH

Rick


Ah, maybe permit tcp any any established is the answer I am looking for?

Sorry to still be confused.

Maybe an answer to this scenario will clear it up for me. Sorry to add a firewall into the mix, but this is my actual setup.

PC/1.1.1.2 ---> (fa0/0) Firewall (fa0/1) ---> (fa0/0) Perimeter Router (fa0/1) ---> internet web server/2.2.2.2

The only access list is inbound on the perimeter router on fa0/1. The access list only permits FTP inbound to a single FTP server on my network from any source.

The router only uses ACLs. No firewall features.

All IPs are public, no NAT involved.

The firewall is configured to allow return traffic.

The question is: will return traffic be permitted from the web server to the PC? If not, will permit tcp any any established permit the traffic?

Hi,

Yes, the established keyword will let TCP packets that have the ACK or RST flags set pass from out to in.

So the return packets from a web server on the internet to inside connections are in this case, and they will be permitted.

But security-wise this is very weak because it is easy to spoof these flags.

Regards.

Alain

Don't forget to rate helpful posts.
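The points made across the thread, that an ACL only inspects packets crossing the interface and direction it is bound to (Jon), that "permit tcp any any established" lets return traffic back in by matching ACK/RST flags (Rick, Alain), and that this is easy to spoof compared with a stateful firewall (Jon, Alain), can be checked with a small model. The following is an added example, not code from the thread or from Cisco; it models only TCP, only exact hosts or "any" (no wildcard masks), and uses the thread's addresses plus a constructed attacker address 203.0.113.9 and a hypothetical FTP server 1.1.1.50.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flags set on the segment, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry, in the spirit of
    'access-list 101 permit tcp <src> [eq sport] <dst> [eq dport] [established]'.
    Simplified model: hosts are exact strings or 'any'; wildcard masks are not modelled."""
    action: str                  # "permit" or "deny"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False    # IOS 'established': match only if ACK or RST is set

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and self.src != p.src:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """Stateless evaluation: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


Acls = Dict[Tuple[str, str], List[Ace]]  # (interface, "in" | "out") -> ACL


def router_forwards(acls: Acls, ingress: str, egress: str, p: Packet) -> bool:
    """A packet is only checked by the ACL bound to the interface/direction it actually
    crosses; an interface/direction with no ACL bound does no filtering at all."""
    for key in ((ingress, "in"), (egress, "out")):
        acl = acls.get(key)
        if acl is not None and not acl_permits(acl, p):
            return False
    return True


def stateful_permits(p: Packet, conn_table: set) -> bool:
    """Stateful behaviour (ASA/CBAC/ZBFW-like): outside->inside is permitted only if it
    reverses a 4-tuple that the inside opened first. Flags alone prove nothing."""
    return (p.dst, p.dport, p.src, p.sport) in conn_table


def run_scenarios() -> Dict[str, bool]:
    # Topology from the thread: PC1/1.1.1.1 -> (fa0/0) R1 (fa0/1) -> web server 2.2.2.2
    request = Packet("1.1.1.1", 1100, "2.2.2.2", 80, frozenset({"SYN"}))
    reply = Packet("2.2.2.2", 80, "1.1.1.1", 1100, frozenset({"SYN", "ACK"}))
    # Constructed attacker traffic: an ACK-flagged probe of the PC's SSH port from outside
    spoofed = Packet("203.0.113.9", 40000, "1.1.1.1", 22, frozenset({"ACK"}))

    lan_in = [Ace("permit", src="1.1.1.1", dst="2.2.2.2", dport=80)]
    # Perimeter list as described in the thread: only FTP control to one (hypothetical) server
    wan_in = [Ace("permit", dst="1.1.1.50", dport=21)]
    wan_in_established = wan_in + [Ace("permit", established=True)]  # permit tcp any any established

    out: Dict[str, bool] = {}
    # 1. ACL inbound on fa0/0 only: the reply never meets that ACL, so it is forwarded.
    acls: Acls = {("fa0/0", "in"): lan_in}
    out["req_lan_acl_only"] = router_forwards(acls, "fa0/0", "fa0/1", request)
    out["reply_lan_acl_only"] = router_forwards(acls, "fa0/1", "fa0/0", reply)
    # 2. Restrictive ACL inbound on fa0/1: the reply now hits the implicit deny.
    acls[("fa0/1", "in")] = wan_in
    out["reply_wan_acl"] = router_forwards(acls, "fa0/1", "fa0/0", reply)
    # 3. 'established' lets the reply back, but also any unsolicited packet with ACK set.
    acls[("fa0/1", "in")] = wan_in_established
    out["reply_established"] = router_forwards(acls, "fa0/1", "fa0/0", reply)
    out["spoofed_established"] = router_forwards(acls, "fa0/1", "fa0/0", spoofed)
    # 4. Stateful: state is created by the inside-originated request; only its reverse returns.
    conn_table: set = set()
    if router_forwards({("fa0/0", "in"): lan_in}, "fa0/0", "fa0/1", request):
        conn_table.add((request.src, request.sport, request.dst, request.dport))
    out["reply_stateful"] = stateful_permits(reply, conn_table)
    out["spoofed_stateful"] = stateful_permits(spoofed, conn_table)
    return out


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:22s} {'forwarded' if allowed else 'dropped'}")
```

Scenario 3 is the weakness Alain describes: the established entry cannot tell the web server's SYN/ACK from an attacker's ACK-flagged probe, because both merely carry the ACK bit. Scenario 4 is what a stateful device adds: the reply is admitted because it matches a connection the inside opened, and the probe is dropped even though its flags look the same.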
