ACL - connections from router itself

Unanswered Question
Oct 24th, 2007

Hello, I have the following ACL on a 2500 router using IOS 12.0.

The scenario basically looks like this:

LAN--"outside"-Router-"inside"-internet

(seems a little bit strange as to what the router considers in/out)


ip access-list extended INSIDE-E0
 evaluate REFLEXIVE-0
 permit tcp any host 10.10.10.2 eq 65534 reflect REFLEXIVE-1
 deny ip any any log

ip access-list extended OUTSIDE-E0
 deny ip 172.16.16.0 0.0.0.15 any
 deny ip 172.16.16.16 0.0.0.15 any
 permit tcp host 10.10.10.2 eq 65534 any reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 host 209.226.175.83 eq pop3 reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 host 209.226.175.63 eq smtp reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 any eq www reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 any eq 443 reflect REFLEXIVE-0
 permit tcp host 10.10.10.3 any eq www reflect REFLEXIVE-0
 permit tcp host 10.10.10.3 any eq 443 reflect REFLEXIVE-0
 permit udp host 10.10.10.2 host 67.69.184.163 eq domain reflect REFLEXIVE-0
 permit udp host 10.10.10.3 host 67.69.184.163 eq domain reflect REFLEXIVE-0
 deny ip any any log




If, from the machine, I connect out to a host on the "inside", such as

telnet 10.10.10.6 80

the connection attempt does go out from the router locally to the machine 10.10.10.6 (proven with a packet capture on 10.10.10.6). Any other attempts from machines on the other side of the interface are blocked. It just seems that connections from the router itself go out unfiltered. Any ideas on how to stop this?


Edison Ortiz Wed, 10/24/2007 - 20:53
> It just seems that connections from the router itself go out unfiltered.


You are correct. The router can't police itself and that's a default behavior on outgoing packets.


You can only deny/permit the ingress traffic /when originated from the router/, not the egress traffic.



Richard Burts Thu, 10/25/2007 - 08:03
Actually there is a way to control outbound telnet from the router. You can configure

access-class out

on the vty ports, where is the number of a standard access list. Networks or subnets permitted in the access list can be telnetted to and any network or subnet not permitted can not be telnetted to.


But for other kinds of traffic, such as ping etc, Edison is correct that you can not filter with an access-group on an interface any traffic that is originated by the router itself.


HTH


Rick
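As an added illustration of Rick's suggestion (this is not configuration from the original thread or from the poster's router), here is what the vty-based restriction on router-originated telnet looks like. The access-list number 10, the permitted destinations, and the line ranges are assumptions chosen for the example; the host 10.10.10.6 is the one the poster tested against.

```cisco
! Standard ACL listing the DESTINATIONS the router itself may telnet to.
! With "access-class ... out" the ACL is matched against the destination
! address of the outbound connection, not the source. Anything not
! permitted falls through to the implicit deny at the end of the list.
access-list 10 remark Destinations the router may open outbound telnet to (example values)
access-list 10 permit host 10.10.10.6
access-list 10 permit 172.16.16.32 0.0.0.15
!
! The restriction is per line: it governs sessions started from a terminal
! on that line. Apply it to the vty lines as Rick describes, and to the
! console as well if someone logged in there should be covered too.
line con 0
 access-class 10 out
line vty 0 4
 access-class 10 out
!
! If no outbound telnet from the router is wanted at all, the blunter
! alternative is to disable outbound sessions on the lines entirely:
! line vty 0 4
!  transport output none
```

Verify with an attempt from the router's own exec (e.g. `telnet 10.10.10.7`): a destination outside access-list 10 is refused by the line before any packet leaves the box, which is exactly the case that an interface `access-group` never sees. Ping and other router-originated traffic remain unaffected, as both replies above note.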
