ip access-group IN vs OUT (Wrong Forum previously)

t.khan
Level 1

I am trying to understand the difference between adding an ACL to an interface with the ip access-group in statement versus the ip access-group out statement. I have 'in' on one interface and 'out' on another, and they seem to behave differently. Both interfaces end up going out to the internet. A firewall allows the 192.168.3.0/24 range out to the internet. So the 192.168.150.0/24 network gets NAT'd to 192.168.3.100-150 (overloaded), and the 192.168.3.0/24 interface just keeps the same IP.

See Below:

interface Ethernet1/0
 description Lab Network 192.168.150.x
 ip address 192.168.150.1 255.255.255.0
 ip access-group LAB_ACL in
 ip nat inside
 full-duplex
 ntp disable
<-- cut -->
ip access-list extended LAB_ACL
 remark
 remark #######################################################
 remark
 permit ip 192.168.150.0 0.0.0.255 host 4.2.2.1
 permit ip 192.168.150.0 0.0.0.255 host 4.2.2.2
 permit ip 192.168.150.0 0.0.0.255 65.200.222.0 0.0.0.63
 permit ip 192.168.150.0 0.0.0.255 65.200.10.0 0.0.0.255
 remark #######################################################
 remark
 remark Deny all
 deny ip any any log
 remark #######################################################

*******************

interface FastEthernet0/1
 description Corporate NAT Interface
 ip address 192.168.3.2 255.255.255.0
 ip access-group ACL_allowed out
 ip nat outside
 speed 100
 full-duplex
<-- cut -->
ip access-list extended ACL_allowed
 remark
 remark #######################################################
 remark Deny standard microsoft ports
 deny tcp any any eq 135
 deny tcp any any eq 137
 deny tcp any any eq 138
 deny tcp any any eq 139
 deny udp any any eq 135
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 deny tcp any any eq 445
 deny udp any any eq 445
 remark
 remark #######################################################
 remark Permit only traffic with local network
 permit ip 192.168.3.0 0.0.0.255 any
 remark
 remark #######################################################
 remark Deny all
 deny ip any any log
 remark #######################################################


You're just messing with us now...

Just kidding.

Out would be out of the physical port or onto the wire.

=========================================

Example 1: IN

Host A -------> fa0/1 fa0/xx -------> Host B

int fa0/1

ip access-group 101 in

- In this scenario, Host A would be the source when you write your ACL, and Host B would be the destination.

- The ACL would inspect traffic from A to B because the traffic is coming "in" the interface where the access-group is applied.

=========================================

Example 2: OUT

Host A <------- fa0/1 fa0/xx <------- Host B

int fa0/1

ip access-group 101 out

- In this scenario, Host B would be the source when you write your ACL, and Host A would be the destination.

- The ACL would inspect traffic from B to A because the traffic is going "out" the interface where the access-group is applied.

=========================================

Any better?

That makes sense. My problem with the whole issue was that traffic is still able to flow back through an interface; I just assumed that the ACL allows originated traffic back in. If you look at the config I originally posted above, it didn't make sense. It seemed that the ACL was backwards, but it was the NAT playing a role. I apologize for all the hassle. I appreciate this forum and thank everyone who contributed.
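To make the in/out explanation and the NAT effect t.khan mentions concrete, here is an added example (not from the thread, and not Cisco's code) that models the two ACLs as a stateless, first-match filter and walks a lab packet through the inside-to-outside order of operations: the 'in' ACL on Ethernet1/0 sees the real source, NAT rewrites it, then the 'out' ACL on FastEthernet0/1 sees the translated source. The ACL bodies are trimmed to representative entries from the posted config, and the translated address 192.168.3.101 is a constructed value from the pool described in the question.

```python
from ipaddress import IPv4Address
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}  # IOS keywords used in the thread

def _addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD' from tok; return (address, wildcard) as ints
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(IPv4Address(tok.pop(0))), 0
    return int(IPv4Address(t)), int(IPv4Address(tok.pop(0)))

def parse_acl(text):
    """Parse extended-ACL body lines (remarks skipped) into ordered (action, proto, src, dst, dport)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "remark":
            action, proto, rest = tok[0], tok[1], tok[2:]
            src, dst = _addr(rest), _addr(rest)        # rest is consumed left to right
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            aces.append((action, proto, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """Top-down, first match wins; a packet matching nothing hits the implicit deny."""
    def hit(spec, ip):                                 # wildcard 1-bits are "don't care" bits
        return ((int(IPv4Address(ip)) ^ spec[0]) & (0xFFFFFFFF ^ spec[1])) == 0
    for action, aproto, asrc, adst, adport in aces:
        if aproto in ("ip", proto) and adport in (None, dport) and hit(asrc, src) and hit(adst, dst):
            return action
    return "deny"

LAB_ACL = parse_acl("""
permit ip 192.168.150.0 0.0.0.255 host 4.2.2.1
permit ip 192.168.150.0 0.0.0.255 65.200.222.0 0.0.0.63
deny ip any any log""")                                # the thread's other LAB_ACL permits omitted

ACL_ALLOWED = parse_acl("""
deny tcp any any eq 445
deny udp any any eq netbios-ss
permit ip 192.168.3.0 0.0.0.255 any
deny ip any any log""")                                # the thread's other Microsoft-port denies omitted

def lab_to_internet(src, dst, proto="icmp", dport=None, nat_src="192.168.3.101"):
    """Inside-to-outside order of operations: the 'in' ACL on E1/0 sees the real source, NAT rewrites
    it, then the 'out' ACL on Fa0/1 sees the translated source (nat_src is a constructed pool address)."""
    if evaluate(LAB_ACL, proto, src, dst, dport) == "deny":
        return "dropped by LAB_ACL in on Ethernet1/0"
    if evaluate(ACL_ALLOWED, proto, nat_src, dst, dport) == "deny":
        return "dropped by ACL_allowed out on FastEthernet0/1"
    return "forwarded"
```

Evaluating ACL_allowed against the pre-NAT lab source returns deny while the post-NAT source is permitted, which is exactly why the outbound ACL looked backwards; return traffic arriving on Fa0/1 is never checked because no ACL is applied in that direction.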