Access Control List

junshah22
Level 1

Hello all,

If I applied an ACL like...

access-list 101 deny tcp host 192.168.15.10 host 192.168.17.10 eq 23

and apply this ACL inbound near the source router, as an extended ACL should be placed near the source....

If I change its direction, i.e. from inbound on fa0/0 to outbound on the serial 0/0 interface, what will be its impact...

Will it work the same as it did when placed inbound, or what???

Regards,

Junaid

8 Replies

kerek
Level 4

Hi,

The result will be the same, but the main difference is that in the first case (inbound) the packet is dropped without further processing, whereas outbound filtering takes place after the packet has gone through the whole routing process. It depends on what you want to achieve.

Krisztian

purohit_810
Level 5

Hi,

See, Access-list is set of art...

We can say.

If you apply it at the Serial interface... it will be applied only for that serial interface, blocking port 23.

If you apply it on Fa0/0, then whatever traffic is for Serial 0, 1 ... and so on, it will filter all of them.

It depends upon where you put it; depending upon that you will get a great result.

Regards,

Dharmesh Purohit

Junaid

There is another aspect of this to consider. The extended access list specifies a source address and mask and a destination address and mask. If you change the access list from inbound to outbound it reverses which address is the source and which address is the destination.

HTH

Rick


Hello Rick,

Thanks for your reply,

Can you please explain to me in detail how it reverses...

Regards,

Junaid

Pavel Bykov
Level 5

Just like Rick pointed out, direction is very important for an ACL.

OUT is the direction from the ROUTER to the INTERFACE (be it VLAN, FastEthernet, Serial or other).

IN is the direction from the INTERFACE to the ROUTER.

If you apply it in the wrong direction it does not have to match anything.

Also, all ACLs have an implicit deny at the end, meaning that your ACL with one line would drop all the other traffic (an invisible "deny ip any any" at the end).

Dear All,

Can anybody explain to me how it reverses its addresses...

Regards,

Junaid

Hi,

Let's consider the following:

You have a network on the LAN interface with 192.168.110.0/24 and want to restrict the 192.168.100.1 address from reaching 192.168.110.1.

access-list 101 deny ip host 192.168.100.1 host 192.168.110.1

access-list 101 permit ip any any

If you apply this rule in the outbound direction on the Ethernet interface, you achieve that.

You can achieve the same by applying this rule inbound on the interface facing the WAN (like serial0). The result is almost the same, apart from that in the second case the packet will not be allowed to enter the router, therefore you can save some resources.

Hope it clears things up,

Krisztian

Junaid

I like the idea of Krisztian to create a small example to explain the issue. I would suggest a slightly different way to explain it. Using his example, 192.168.110.1 is the inside address and 192.168.100.1 is outside. Then we need to consider which interface and which direction the access list will be applied. His example assumes an Ethernet and a serial. So let's start with the Ethernet interface. If we apply the access list inbound, then the traffic is from inside toward outside, the inside address is the source and the outside address is the destination, and the access list would be deny host 192.168.110.1 host 192.168.100.1. On the same interface, if we apply the access list as outbound, then the traffic is from outside to inside, the outside address is the source and the inside address is the destination, and the access list would be deny host 192.168.100.1 host 192.168.110.1.

So the essential point is that the decision of which is source and which is destination depends on whether we are looking at traffic inbound or outbound.

I hope that this explanation helps you to understand this concept.

HTH

Rick

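A small simulator of extended-ACL matching, added here as an example (it is not from the thread or from Cisco IOS): it parses the access-list lines quoted in this thread and shows that Krisztian's ACL 101 denies the flow the Ethernet interface sees outbound (outside to inside) but permits the flow it sees inbound (inside to outside), and that the single-line ACL from the question denies all other traffic through the implicit deny. The mapping of direction to flow ("in" on the LAN interface = inside to outside) follows Rick's explanation above and is the assumption the example builds on.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr_spec(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i] -> ((addr, mask), next index)."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0xFFFFFFFF), i + 2
    return (_ip(tok[i]), 0xFFFFFFFF ^ _ip(tok[i + 1])), i + 2  # wildcard 1-bits = don't care

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into entries."""
    acl = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _addr_spec(tok, 4)
        dst, i = _addr_spec(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        acl.append((action, proto, src, dst, port))
    return acl

def _match(spec, ip):
    addr, mask = spec
    return (_ip(ip) & mask) == (addr & mask)

def evaluate(acl, src, dst, proto="tcp", dport=None):
    """First matching entry wins; the implicit 'deny ip any any' applies if none matches."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if aport is not None and aport != dport:
            continue
        if _match(asrc, src) and _match(adst, dst):
            return action
    return "deny"

INSIDE, OUTSIDE = "192.168.110.1", "192.168.100.1"   # hosts from Krisztian's example
ACL_101 = parse_acl([
    "access-list 101 deny ip host 192.168.100.1 host 192.168.110.1",
    "access-list 101 permit ip any any",
])

def flow_seen_on_ethernet(direction):
    """(src, dst) of the flow an ACL filters on the LAN interface (assumed mapping):
    'in' sees inside->outside, 'out' sees outside->inside, so one ACE matches only one."""
    return (INSIDE, OUTSIDE) if direction == "in" else (OUTSIDE, INSIDE)
```

`evaluate(ACL_101, *flow_seen_on_ethernet("out"), proto="ip")` returns "deny" while the same call with "in" returns "permit", which is the reversal Rick describes.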