Two way Access-list

s4sandyad
Level 1

Hi,

1.1.1.1   fa0/0   R1   fa0/1  2.2.2.2

Router R1 has these two hosts on two different sides; they may or may not be directly connected...

1) Both hosts have two-way access, and the access list is applied only on fa0/1 in the in direction.

    access-list 101 permit tcp host 2.2.2.2 host 1.1.1.1

Only this didn't work; I also had to add the following, which seems logic-less to me, but it worked, i.e.

    access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2

where I have applied the access list in the in direction on fa0/1, meaning the source must be only 2.2.2.2 and the destination must be 1.1.1.1.

Then why was the second statement necessary? Is there any logic for TCP sockets etc. behind it?


2) In this second case, both hosts have two-way access for a specific port, say telnet, and the access list is applied on both interfaces fa0/0 and fa0/1 in the inward direction:

on fa0/0

    access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
    access-list 101 permit tcp host 2.2.2.2 eq telnet host 1.1.1.1

on fa0/1

    access-list 102 permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet
    access-list 102 permit tcp host 1.1.1.1 eq telnet host 2.2.2.2


Why are all the bold statements required...?? Confused..

Please explain this to me, and please suggest/provide some docs to clear up such concepts regarding access lists.


S@ndy

2 Replies

allagulov
Level 1

Hi

Missing one main point about firewalls )))

In the 1st case, with this rule: access-list 101 permit tcp host 2.2.2.2 host 1.1.1.1 you are allowing traffic from 2.2.2.2 to 1.1.1.1, but you need a second out ACL that permits reply traffic from 1.1.1.1 to 2.2.2.2.

The access list is stateless.

Ganesh Hariharan
VIP Alumni

Hi Sandy,

I hope the below definition of the direction of applying an ACL on a router will help you with the concept.

Out —Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.

In —Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router. 

Inbound —If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

Outbound—If the access list is outbound, after the software receives and routes a packet to the outbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet. 

Note: The in ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface.

The out ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.

Check out the below link from Cisco for a clearer explanation:

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Hope it Helps..

-GI

Rate if it Helps..
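An added example, not part of this thread or of Cisco's documentation: a small Python model of stateless extended-ACL matching built from the question's own addresses and telnet entries. It assumes 1.1.1.1 sits on the fa0/0 side and 2.2.2.2 on the fa0/1 side (as in the question's diagram), inbound ACLs on both interfaces, and a constructed client port of 40000; it shows that the server's reply is only permitted when an entry names the telnet port on the source side, because each packet is matched on its own with no connection state.

```python
from typing import Dict, List, NamedTuple, Optional

PORT_NAMES = {"telnet": 23}  # IOS port keyword understood by the parser below

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

class Entry(NamedTuple):
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]  # 'eq' port after the source host, None = any
    dport: Optional[int]  # 'eq' port after the destination host, None = any

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.src == self.src and p.dst == self.dst
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit tcp host A [eq P] host B [eq P]' into an Entry."""
    tok = line.split()
    hosts, ports, i = [], [], 4
    while i < len(tok):
        if tok[i] == "host":
            hosts.append(tok[i + 1]); ports.append(None)
        elif tok[i] == "eq":
            ports[-1] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        else:
            raise ValueError(f"unsupported token {tok[i]!r}")
        i += 2
    return Entry(tok[2], tok[3], hosts[0], hosts[1], ports[0], ports[1])

def evaluate(acl: List[str], p: Packet) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit 'deny any'."""
    for e in map(parse_entry, acl):
        if e.matches(p):
            return e.action
    return "deny"

def telnet_session(fa0_0_in: List[str], fa0_1_in: List[str]) -> Dict[str, str]:
    """1.1.1.1 telnets to 2.2.2.2: SYN enters R1 on fa0/0, the reply enters on fa0/1; each is judged alone."""
    syn = Packet("tcp", "1.1.1.1", "2.2.2.2", 40000, 23)    # 40000: constructed client port
    reply = Packet("tcp", "2.2.2.2", "1.1.1.1", 23, 40000)  # server answers from port 23
    return {"syn": evaluate(fa0_0_in, syn), "reply": evaluate(fa0_1_in, reply)}
```

Calling telnet_session with only "permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet" on fa0/1 drops the reply (its destination port is 40000, not 23); adding "permit tcp host 2.2.2.2 eq telnet host 1.1.1.1" lets it through.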
