Curious: can a WAN ACL block outgoing http, or must a LAN ACL be used?

Unanswered Question
Apr 28th, 2007

This works:

access-list 151 remark Block insecure connections to myaccount.simplicato.com's current (as of ACL edit time) IP.

access-list 151 deny tcp any host myaccount.simplicato.com eq www log

where ACL 151 is applied to the LAN interface:

ip access-group 151 in

But shouldn't

access-list 150 deny tcp host myaccount.simplicato.com eq www any log

where ACL 150 is applied to the WAN interface:

ip access-group 150 in

have worked too?

It didn't work. Is this because the connection starts from the inside, and gets established before this rule has a chance to stop it, and the implicit rules for established traffic make this ineffectual or what? Just trying to learn.

Jon Marshall Sat, 04/28/2007 - 12:15

Hi

Router access-lists are not stateful, unless you are using CBAC, which is the IOS firewall.

Are these the full access-lists that you applied? Also, do you have an ip host mapping for myaccount.simplicato.com on the router?

Jon

melvey Sun, 04/29/2007 - 16:30

I'm using a 1721 (running IOS: c1700-advsecurityk9-mz.124-3a.bin).

No, the ACLs are longer (ACL 150 is LONG; I'd have to sanitize it extensively to post it.) I guess you think there may be a rule of higher priority that is overriding my otherwise correct-looking rule. Is that your thinking? If so, I can clean it up and post it. (I just looked over 150 again, and it looks fine.)

The router converts the hostname to an IP when it's entered, as I indicate in the comment, perhaps a bit cryptically. (If I did a show run, it had been replaced with the IP that was assigned to that hostname at the time - admittedly, a shortcoming.)

Thanks!

Jon Marshall Sun, 04/29/2007 - 23:01

Hi

Could you post the full router config (minus any sensitive information)?

Thanks

Jon

Richard Burts Mon, 04/30/2007 - 07:10

As Jon indicates a sanitized config would be helpful. But before you spend time doing that, perhaps you can tell us whether there is a permit tcp established rule in the access list before the rule for myaccount... If so that would explain the behavior: if someone inside initiated a connection to myaccount... the return packets have the ACK bit set and the established rule will let them through, and it never gets to your more specific rule.

I agree that the syntax of what you posted looks ok and should work, unless there is something in the rules that applies before you get to this rule.

HTH

Rick
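To make Rick's point concrete, here is an added example that is not part of the thread and not the poster's router configuration: a small first-match evaluator for a subset of IOS numbered extended ACL syntax, run over two constructed orderings of ACL 150. It assumes 203.0.113.10 as the address myaccount.simplicato.com resolved to when the ACL was entered, 192.168.1.20 as an inside client, and an established entry sitting above the deny in the "broken" version, which is the situation Rick describes.

```python
"""Added example (not from the thread): a first-match evaluator for a subset of
IOS numbered extended ACL syntax, used to show why a 'permit ... established'
entry placed before a specific deny swallows the return traffic. The ACL lines
and addresses are constructed: 203.0.113.10 is an assumed stand-in for the
address myaccount.simplicato.com resolved to, 192.168.1.20 for an inside host."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443}

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK (or RST) bit; 'established' matches only when set

@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[str]   # None means 'any'
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    established: bool

def _addr(tokens: List[str]) -> Optional[str]:
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {tok}")

def _port(tokens: List[str]) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None

def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]'.
    remark lines are skipped; only the 'any' and 'host X' address forms are handled."""
    rules = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        rules.append(Rule(action, proto, src, sport, dst, dport, "established" in rest))
    return rules

def _matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and r.src in (None, p.src) and r.sport in (None, p.sport)
            and r.dst in (None, p.dst) and r.dport in (None, p.dport)
            and (p.ack or not r.established))

def verdict(lines: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins: returns (action, 1-based index among non-remark
    entries). No match means the implicit deny at the end of every IOS ACL: ('deny', None)."""
    for i, rule in enumerate(parse_acl(lines), start=1):
        if _matches(rule, pkt):
            return rule.action, i
    return "deny", None

# Constructed WAN-inbound ACL in the order Rick suspects: established permit first.
ACL_150_BROKEN = [
    "access-list 150 permit tcp any any established",
    "access-list 150 deny tcp host 203.0.113.10 eq www any log",
]
# Same two entries with the specific deny moved above the established permit.
ACL_150_FIXED = [
    "access-list 150 deny tcp host 203.0.113.10 eq www any log",
    "access-list 150 permit tcp any any established",
]
# The LAN-inbound ACL from the thread, with the IP the router stored for the hostname.
ACL_151 = [
    "access-list 151 remark Block insecure connections to myaccount.simplicato.com",
    "access-list 151 deny tcp any host 203.0.113.10 eq www log",
    "access-list 151 permit ip any any",
]
# Client SYN as seen inbound on the LAN interface; the server's SYN/ACK inbound on the WAN.
OUTBOUND_SYN = Packet("tcp", "192.168.1.20", 51234, "203.0.113.10", 80, ack=False)
RETURN_SYNACK = Packet("tcp", "203.0.113.10", 80, "192.168.1.20", 51234, ack=True)

if __name__ == "__main__":
    print(verdict(ACL_151, OUTBOUND_SYN))          # ('deny', 1)
    print(verdict(ACL_150_BROKEN, RETURN_SYNACK))  # ('permit', 1)
    print(verdict(ACL_150_FIXED, RETURN_SYNACK))   # ('deny', 1)
```

The server's SYN/ACK carries the ACK bit, so in the broken ordering it matches the established entry and the deny is never consulted; moving the deny above it makes the WAN-inbound ACL work as the poster expected. On the router itself, `show access-lists 150` displays a match counter per entry: a climbing count on the established line with the deny stuck at zero is the signature of this ordering problem, and because the deny carries `log` you would also see no log message for it.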
