Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
726
Views
8
Helpful
11
Replies

router acl

Go to solution
suthomas1
Level 6
Level 6

‎10-19-2009 11:21 PM - edited ‎03-06-2019 08:11 AM

If we create an access list to allow a data traffic from inside to outside of the router, will the return traffic be allowed back if it belongs to the same session or do we need to have an acl on the reverse direction also.

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to suthomas1

‎10-20-2009 05:35 AM

Sunny

"The second part of my query was to understand how the acl will keep track of it since it is not being kept as a session as a firewall does."

That is the key point, the acl does not keep track of the session. It simply checks the IP addresses and ports in the IP/TCP headers. Once your inbound acl has allowed the packet based on the IP/ports then that's it. The router doesn't keep track of what happened in the way a firewall does. It simply a one off check done against an acl so each packet is seen individually ie. not part of a session.

Where the confusion may be coming from is that the 2 end devices ie. the server and client do indeed have a concept of a TCP session with TCP flags and sequence numbers but the L3 routers in between don't.

"Whether the return connection would still work/be complete if the external server in response gets on to the host to another port instead of the original random port that the host used."

Generally speaking no it wouldn't work but not because of anything happening on the router or to do with the acl. The problem would be the client would be expecting the response to the same random port and if it arrived with a different destination random port the client would not be able to realise it was part of the same TCP session.

Jon

View solution in original post

0 Helpful
11 Replies 11

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎10-19-2009 11:44 PM

Sunny

The idea of return traffic within the same session is not applicable to standard router acls.

Reflexive access-lists and the "established" keyword do give some functionality like that but standard acls don't. So in answer to your question it will be allowed back in as long as there is no acl on the outside interface that blocks it. If there is no acl on the outside interface at all then yes it will be allowed back in.

Jon

Go to solution
suthomas1
Level 6
Level 6
In response to Jon Marshall

‎10-19-2009 11:52 PM

ok..so lets say if i am initiating data from a client inside my network on some random port and on to a destination with port 80. If there is only an acl to allow specific clients from inside to outside and no other acl on the return diection i.e on the outside, will the return traffic be permitted?

In this case, how will the return traffic come back to same random port to the inside client.

Thanks!

[EDIT]: we are using an extended acl.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to suthomas1

‎10-20-2009 12:01 AM

Sunny

"If there is only an acl to allow specific clients from inside to outside and no other acl on the return diection i.e on the outside, will the return traffic be permitted? "

Yes it will be allowed.

"In this case, how will the return traffic come back to same random port to the inside client."

Not sure i follow here. This is nothing to do with acls as such just the way TCP works ie. client uses random port, server well known port. All traffic to server will use the known well destination port, all traffic to client will use the random destination port.

Note that i'm assuming your acl is only applied inbound on the inside interface. If it was also applied outbound then this could well affect return traffic.

Jon

0 Helpful

Go to solution
suthomas1
Level 6
Level 6
In response to Jon Marshall

‎10-20-2009 12:37 AM

Thanks for your answer. Referring to the attached diag, will the return traffic from the server come back to client on the same source port that client initiated the session outbound.To verify if return is allowed without any acl.

Thanks.

11605-ikii.vsd
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to suthomas1

‎10-20-2009 03:21 AM

Sunny

Can't read visios, could you repost as .jpg/.png

For the vast majority of TCP traffic the same ports are used for the entire conversation. Some TCP apps do change ports eg. FTP is a good example but most don't.

Jon

0 Helpful

Go to solution
suthomas1
Level 6
Level 6
In response to Jon Marshall

‎10-20-2009 03:58 AM

jpeg image is attached.

eg. i define foll acl on the lan interface of router.

acl 120 permit tcp host 192.168.200.2 10.56.20.0 255.255.255.0 eq range 5000 5200.

Now this would permit the outbound traffic from clients with 192.168.100.2 ip to server segment on 10.56.20 range on ports 5000-5200, Would the return traffic for this flow be permitted if am not applying any acl on the outside interface of the router.

Thanks!

19 KB
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to suthomas1

‎10-20-2009 04:13 AM

Sunny

Your diagram doesn't match your acl. Your acl allows host 192.168.200.2 (and only this host) to connect to any device on the 10.56.20.0/24 range on ports 5000 - 5200.

Your diagram mentions port 443 ie. https. If the ports 5000 to 5200 were meant to be the source ports from the client your acl should read -

access-list 120 permit tcp host 192.168.200.2 eq range 5000 5200 10.56.20.0 0.0.0.255 (note the inverse mask)

but even that doesn't make a lot of sense because you generally don't know which random ports the client is going to use.

Could you perhaps give more detail as to what exactly you want to do ?

Jon

0 Helpful

Go to solution
suthomas1
Level 6
Level 6
In response to Jon Marshall

‎10-20-2009 04:49 AM

Oh..Please accept my apologies for the confusion. here's the scenario:

Local Hosts 192.168.200.2 - 192.168.200.254

External Servers 10.56.20.0 0.0.0.255 has services on ports 5000 to 5200.

Local hosts will be accessing this services.

Now i will only apply an acl inbound on the lan interface as

access-list 120 permit tcp host 192.168.200.0 0.0.0.255 10.56.20.0 0.0.0.255 eq range 5000 5200.

Queries:

1. will the return traffic back from server to the clients be allowed in without any block or does it need explicit acl.( i believe it should be allowed in as there is no acl , but pls correct if am wrong)

2. if one of the local client initiates session on its random port 1040 to the server on 5200, will the return traffic from server come back to this client on the same port 1040.(now destination)

How would this workout if there is no sessions being maintained.

Thanks!

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to suthomas1

‎10-20-2009 05:07 AM

Sunny

No apologies necessary.

1) No acl needed.

2) Yes it will.

"How would this workout if there is no sessions being maintained."

Not sure i follow. It works simply because of the src/dst IPs and src/dst ports but that is not a session as a firewall refers to a session. But it is enough for an acl to keep track of.

Jon

Go to solution
suthomas1
Level 6
Level 6
In response to Jon Marshall

‎10-20-2009 05:29 AM

Appreciate your willingness to help!

The second part of my query was to understand how the acl will keep track of it since it is not being kept as a session as a firewall does.

& Whether the return connection would still work/be complete if the external server in response gets on to the host to another port instead of the original random port that the host used.

Thanks.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to suthomas1

‎10-20-2009 05:35 AM

Sunny

"The second part of my query was to understand how the acl will keep track of it since it is not being kept as a session as a firewall does."

That is the key point, the acl does not keep track of the session. It simply checks the IP addresses and ports in the IP/TCP headers. Once your inbound acl has allowed the packet based on the IP/ports then that's it. The router doesn't keep track of what happened in the way a firewall does. It simply a one off check done against an acl so each packet is seen individually ie. not part of a session.

Where the confusion may be coming from is that the 2 end devices ie. the server and client do indeed have a concept of a TCP session with TCP flags and sequence numbers but the L3 routers in between don't.

"Whether the return connection would still work/be complete if the external server in response gets on to the host to another port instead of the original random port that the host used."

Generally speaking no it wouldn't work but not because of anything happening on the router or to do with the acl. The problem would be the client would be expecting the response to the same random port and if it arrived with a different destination random port the client would not be able to realise it was part of the same TCP session.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card