Curious: can a WAN ACL block outgoing http, or must a LAN ACL be used?

Unanswered Question
Apr 28th, 2007

This works:

access-list 151 remark Block insecure connections to's current (as of ACL edit time) IP.

access-list 151 deny tcp any host eq www log

where ACL 151 is applied to the LAN interface:

ip access-group 151 in

But shouldn't

access-list 150 deny tcp host eq www any log

where ACL 150 is applied to the WAN interface:

ip access-group 150 in

have worked too?

It didn't work. Is this because the connection starts from the inside, and gets established before this rule has a chance to stop it, and the implicit rules for established traffic make this ineffectual or what? Just trying to learn.

Jon Marshall Sat, 04/28/2007 - 12:15


Router access-lists are not stateful, unless you are using CBAC which is the IOS firewall.

Are these the full access-lists that you applied? Also, do you have an ip host mapping for on the router?


melvey Sun, 04/29/2007 - 16:30

I'm using a 1721 (running IOS: c1700-advsecurityk9-mz.124-3a.bin).

No, the ACLs are longer (ACL 150 is LONG; I'd have to sanitize it extensively to post it.) I guess you think there may be a rule of higher priority that is overriding my otherwise correct-looking rule. Is that your thinking? If so, I can clean it up and post it. (I just looked over 150 again, and it looks fine.)

The router converts the hostname to an IP when it's entered, as I indicate in the comment, perhaps a bit cryptically. If I did a show run, it had been replaced with the IP that was assigned to that hostname at the time (admittedly, a shortcoming).


Jon Marshall Sun, 04/29/2007 - 23:01


Could you post the full router config (minus any sensitive information)?



Richard Burts Mon, 04/30/2007 - 07:10

As Jon indicates a sanitized config would be helpful. But before you spend time doing that, perhaps you can tell us whether there is a permit tcp established rule in the access list before the rule for myaccount... If so that would explain the behavior: if someone inside initiated a connection to myaccount... the return packets have the ACK bit set and the established rule will let them through, and it never gets to your more specific rule.

I agree that the syntax of what you posted looks ok and should work, unless there is something in the rules that applies before you get to this rule.
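Richard's ordering explanation, as an added Python model that is not part of the thread: a stateless first-match ACL evaluator with the 'established' keyword, run over the client's SYN (which only the LAN 'in' ACL sees) and the server's reply (which is all the WAN 'in' ACL sees). The addresses are constructed stand-ins for the hostname the question elides.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool  # TCP ACK/RST bit: what the 'established' keyword tests
@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR, or "any"
    dst: str
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None
    established: bool = False
    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return net == "any" or ip_address(addr) in ip_network(net)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (p.ack or not self.established))

def evaluate(acl, p):
    """Stateless first-match evaluation with the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None

# Constructed addresses standing in for the elided web host and the LAN.
WEB, LAN = "203.0.113.10/32", "192.168.1.0/24"
deny_web = Ace("deny", WEB, "any", sport=80)              # deny tcp host <web> eq www any
permit_est = Ace("permit", "any", LAN, established=True)  # permit tcp any <lan> established

# The SYN never reaches the WAN 'in' ACL; the reply already carries the ACK bit.
syn = Packet("192.168.1.20", "203.0.113.10", 51000, 80, ack=False)
reply = Packet("203.0.113.10", "192.168.1.20", 80, 51000, ack=True)

def lan_in_acl151():
    return evaluate([Ace("deny", "any", WEB, dport=80)], syn)  # ('deny', 0)

def wan_in_established_first():
    return evaluate([permit_est, deny_web], reply)  # ('permit', 0)

def wan_in_deny_first():
    return evaluate([deny_web, permit_est], reply)  # ('deny', 0)
```

Moving the deny ahead of the established permit is what makes the WAN-side rule take effect; with the permit first, the reply is matched there and the deny is never reached.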



