ip access-group IN vs OUT

Unanswered Question
Feb 1st, 2007

I am trying to understand the difference between adding an ACL to an interface with the "ip access-group ... in" statement versus the "ip access-group ... out" statement. I have 'in' on one interface and 'out' on another, and they seem to behave differently. Both of the interfaces end up going out to the internet. A firewall allows the 192.168.3.0/24 range out to the internet. So the 192.168.150.0/24 network gets NAT'd to 192.168.3.100-150 (overloaded), and the 192.168.3.0/24 interface just keeps the same IP.

See Below:

interface Ethernet1/0
 description Lab Network 192.168.150.x
 ip address 192.168.150.1 255.255.255.0
 ip access-group LAB_ACL in
 ip nat inside
 full-duplex
 ntp disable

<-- cut -->

ip access-list extended LAB_ACL
 remark
 remark #######################################################
 remark
 permit ip 192.168.150.0 0.0.0.255 host 4.2.2.1
 permit ip 192.168.150.0 0.0.0.255 host 4.2.2.2
 permit ip 192.168.150.0 0.0.0.255 65.200.222.0 0.0.0.63
 permit ip 192.168.150.0 0.0.0.255 65.200.10.0 0.0.0.255
 remark #######################################################
 remark
 remark Deny all
 deny ip any any log
 remark #######################################################

*******************

interface FastEthernet0/1
 description Corporate NAT Interface
 ip address 192.168.3.2 255.255.255.0
 ip access-group ACL_allowed out
 ip nat outside
 speed 100
 full-duplex

<-- cut -->

ip access-list extended ACL_allowed
 remark
 remark #######################################################
 remark Deny standard microsoft ports
 deny tcp any any eq 135
 deny tcp any any eq 137
 deny tcp any any eq 138
 deny tcp any any eq 139
 deny udp any any eq 135
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 deny tcp any any eq 445
 deny udp any any eq 445
 remark
 remark #######################################################
 remark Permit only traffic with local network
 permit ip 192.168.3.0 0.0.0.255 any
 remark
 remark #######################################################
 remark Deny all
 deny ip any any log
 remark #######################################################

rdessert Thu, 02/01/2007 - 10:19

The difference in applying an ACL in or out is pretty easy. When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.

When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.

Also, I take it that your firewall is connected to your interface FastEthernet0/1, and also that you are NATting the 192.168.150.0/24 network to 192.168.3.100-150 (overloaded) on this router?

I imagine you are using NAT or PAT on the firewall for 192.168.3.0/24 traffic to access the internet. If you do not want your 192.168.150.0/24 traffic to go to the internet, I suggest removing the NATting on the router.
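The part of the picture neither post spells out is where NAT sits relative to the two ACLs. For traffic going from the "ip nat inside" interface to the "ip nat outside" interface, IOS evaluates the inbound ACL on Ethernet1/0 against the original 192.168.150.x source, then translates the source, and only then evaluates the outbound ACL on FastEthernet0/1. So ACL_allowed never sees a 192.168.150.x address: lab traffic that survives LAB_ACL arrives at the out ACL already rewritten to 192.168.3.100-150 and matches "permit ip 192.168.3.0 0.0.0.255 any". The following simulation is an added example, not code from the original thread; it parses the two ACLs as posted, applies IOS first-match evaluation with the implicit deny, and walks a packet through the in ACL, NAT and out ACL in that order. The parser, the Packet model, the assumption that 'eq' applies to the destination port, and the simplification that overload NAT always picks 192.168.3.100 are all this example's own.

```python
"""Simulate IOS extended ACL evaluation for the 'in' and 'out' directions,
with inside-to-outside NAT between them. Added example, not the thread's code.
Simplifications (assumptions): first match wins, implicit deny at the end,
'eq' applies to the destination port, overload NAT maps every lab host to
the first pool address 192.168.3.100."""

import ipaddress
from dataclasses import dataclass

# ACL text copied from the poster's configuration (remarks and 'log' kept).
LAB_ACL = """
permit ip 192.168.150.0 0.0.0.255 host 4.2.2.1
permit ip 192.168.150.0 0.0.0.255 host 4.2.2.2
permit ip 192.168.150.0 0.0.0.255 65.200.222.0 0.0.0.63
permit ip 192.168.150.0 0.0.0.255 65.200.10.0 0.0.0.255
deny ip any any log
"""

ACL_ALLOWED = """
deny tcp any any eq 135
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
deny udp any any eq 135
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
deny tcp any any eq 445
deny udp any any eq 445
permit ip 192.168.3.0 0.0.0.255 any
deny ip any any log
"""

PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
LAB_NET = ipaddress.ip_network("192.168.150.0/24")
NAT_POOL_FIRST = "192.168.3.100"  # assumed overload address for the lab


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass
class Match:
    """One address/wildcard term of an ACE. In an IOS wildcard a 1 bit
    means 'do not care', so compare after OR-ing the wildcard in."""
    addr: int
    wildcard: int

    def hits(self, ip: str) -> bool:
        return (int(ipaddress.ip_address(ip)) | self.wildcard) == (self.addr | self.wildcard)


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return Match(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return Match(int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return Match(int(ipaddress.ip_address(tokens[i])),
                 int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def parse_acl(text: str) -> list:
    """Turn ACL lines into (action, proto, src, dst, dport-or-None) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        aces.append((tokens[0], tokens[1], src, dst, dport))
    return aces


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching ACE wins; falling off the end is the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (src.hits(pkt.src) and dst.hits(pkt.dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


def forward(pkt: Packet, inbound_acl: str = None) -> tuple:
    """Inside-to-outside path in IOS order: inbound ACL on the receiving
    interface, then inside-to-outside NAT, then the outbound ACL on Fa0/1.
    Returns (verdict, source address as the outbound ACL saw it)."""
    if inbound_acl and evaluate(parse_acl(inbound_acl), pkt) == "deny":
        return ("denied by LAB_ACL in", pkt.src)
    src = NAT_POOL_FIRST if ipaddress.ip_address(pkt.src) in LAB_NET else pkt.src
    translated = Packet(pkt.proto, src, pkt.dst, pkt.dport)
    if evaluate(parse_acl(ACL_ALLOWED), translated) == "deny":
        return ("denied by ACL_allowed out", src)
    return ("forwarded", src)


if __name__ == "__main__":
    print(forward(Packet("udp", "192.168.150.20", "8.8.8.8", 53), LAB_ACL))
    print(forward(Packet("udp", "192.168.150.20", "4.2.2.1", 53), LAB_ACL))
    print(forward(Packet("tcp", "192.168.150.20", "4.2.2.1", 445), LAB_ACL))
    print(forward(Packet("tcp", "10.9.9.9", "65.200.10.5", 80)))
```

The third case is the one worth noticing: an SMB connection from the lab is permitted by LAB_ACL (its entries are "permit ip", so any port), is translated, and is then stopped by the "deny tcp any any eq 445" line of ACL_allowed, which is evaluated against the post-NAT source 192.168.3.100. If the intent is to filter lab hosts by their real 192.168.150.x address, that filtering has to live in the inbound ACL on Ethernet1/0; the outbound ACL on FastEthernet0/1 can only distinguish them by pool address.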
