ACL and ICMP return traffic after pinging an external host

Unanswered Question
Oct 2nd, 2010

Quick Scenario:

Let's say I have a router with two interfaces, external (Internet facing) and internal (LAN facing) and I have a single access list applied to the external interface.

This is the access list:

Access-list 110 deny any any

This access list is applied to the external interface as follows:

Interface serial0

IP access-group 110 in

My questions are:

  1. If a user from the LAN pings an external host on the Internet, would the ICMP return traffic (timeout, echo-reply, destination unreachable, etc.) be allowed to pass through the access list successfully, or would it be blocked? And why?
  2. Do I need to explicitly specify what ICMP return traffic to allow before that ICMP traffic can pass through?

Appreciate your response.

Regards

Sherwin

gatlin007 Sat, 10/02/2010 - 17:20

Let's assume this is an IOS router.

Let's also assume the following topology.


Let's also assume that the syntax used on ACL 110 is 'access-list 110 deny ip any any'

In this case the LAN host would send an ICMP echo. *If* the echo gets to the Internet host and isn't blocked along the path *and* the Internet host sends an echo-reply that isn't blocked on the path back, *then* ACL 110 would certainly kill the packet as it matches the deny action.

You could modify the ACL in this manner to allow the reply; but it would not be stateful and would allow all ICMP echo-reply:

access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any

By default routers are not stateful and will not be aware of what flows are initiated from a trusted interface.

If you'd like your router to be stateful and allow return traffic the firewall feature set is available.  If you don't have the firewall feature set I believe most feature sets support 'reflexive access-lists'.  This isn't as secure as stateful inspection but does account for return traffic.


Chris

Sherwin Clarke Sat, 10/02/2010 - 17:56

Thanks for the reply Chris,

Please bear with me just another quick one:

You said that routers are not stateful by default and assuming that is the case in this scenario, would the behavior be the same if that same user were to send an internet request to a web server?  i.e. would the return traffic be blocked by the same access list?

And finally, if the router becomes stateful (by inserting appropriate ip inspect commands), would the router now allow the return traffic in spite of the access-list?

Sherwin

Jernej Vodopivec Sat, 10/02/2010 - 22:12

> You said that routers are not stateful by default and assuming that is the case in this scenario, would the behavior be the same if that same user were to send an internet request to a web server? i.e. would the return traffic be blocked by the same access list?

Yes, the behavior is the same.

> And finally, if the router becomes stateful (by inserting appropriate ip inspect commands), would the router now allow the return traffic in spite of the access-list?

Yes, the router will allow traffic regardless of "static" access-list.

Regards,

Jernej
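The following Python model is an added illustration, not code from this thread or from Cisco. It shows the behaviour described in Chris's answer (a static inbound ACL drops the echo-reply; a `permit icmp any any echo-reply` line lets it through but also lets unsolicited echo-replies through) and in Jernej's answer (the same applies to the SYN-ACK from a web server, and a reflexive or inspection-based filter permits return traffic regardless of the static deny). Evaluation is first-match top-down with an implicit deny, as on IOS; the reflexive filter mirrors the 5-tuple of each outbound packet and honours that entry until a timeout, which is a simplification of the IOS `reflect`/`evaluate` mechanism (no FIN/RST handling). Addresses, port numbers and the 300-second timeout are constructed values.

```python
"""Stateless vs. reflexive ACL evaluation on a router's external interface."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0        # TCP ports; 0 for ICMP
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo", "echo-reply"
    tcp_flags: str = ""   # e.g. "S", "SA"


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. Ace('permit', 'icmp', 'echo-reply')."""
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    icmp_type: str = ""   # optional ICMP type qualifier

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.icmp_type and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate_static(acl, pkt: Packet) -> str:
    """First matching entry wins; unmatched packets hit the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


class ReflexiveFilter:
    """Outbound packets of the reflected protocols create a temporary
    mirrored entry; inbound packets are checked against those entries
    before falling back to the static inbound ACL."""

    def __init__(self, inbound_acl, reflect_protos, timeout: int = 300):
        self.inbound_acl = inbound_acl
        self.reflect_protos = set(reflect_protos)
        self.timeout = timeout            # assumed idle timeout in seconds
        self.entries = {}                 # mirrored 5-tuple -> expiry time

    def outbound(self, pkt: Packet, now: int) -> str:
        if pkt.proto in self.reflect_protos:
            mirror = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
            self.entries[mirror] = now + self.timeout
        return "permit"

    def inbound(self, pkt: Packet, now: int) -> str:
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            return "permit"               # solicited return traffic
        return evaluate_static(self.inbound_acl, pkt)


def run_scenario() -> dict:
    """Replays the thread's cases; addresses are constructed (RFC 5737 ranges)."""
    lan, web, stranger = "10.0.0.10", "203.0.113.5", "198.51.100.7"
    static_acl = [Ace("deny", "ip")]                                   # the question's ACL 110
    reply_acl = [Ace("permit", "icmp", "echo-reply"), Ace("deny", "ip")]  # Chris's modified ACL

    echo = Packet("icmp", lan, web, icmp_type="echo")
    reply = Packet("icmp", web, lan, icmp_type="echo-reply")
    unsolicited = Packet("icmp", stranger, lan, icmp_type="echo-reply")
    syn = Packet("tcp", lan, web, sport=40000, dport=80, tcp_flags="S")
    synack = Packet("tcp", web, lan, sport=80, dport=40000, tcp_flags="SA")

    results = {
        "static_echo_reply": evaluate_static(static_acl, reply),        # deny
        "static_synack": evaluate_static(static_acl, synack),           # deny
        "permit_reply_solicited": evaluate_static(reply_acl, reply),    # permit
        "permit_reply_unsolicited": evaluate_static(reply_acl, unsolicited),  # permit: not stateful
    }

    rf = ReflexiveFilter(static_acl, {"icmp", "tcp"}, timeout=300)
    rf.outbound(echo, now=0)
    rf.outbound(syn, now=0)
    results["reflexive_echo_reply"] = rf.inbound(reply, now=1)          # permit
    results["reflexive_synack"] = rf.inbound(synack, now=1)             # permit
    results["reflexive_unsolicited"] = rf.inbound(unsolicited, now=1)   # deny
    results["reflexive_expired"] = rf.inbound(reply, now=301)           # deny after timeout
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:28s} {verdict}")
```

The `permit_reply_unsolicited` case is the weakness Chris points out: a static `permit icmp any any echo-reply` cannot tell a reply to your own echo from an echo-reply nobody asked for. On IOS the reflexive behaviour modelled here is configured with the `reflect` keyword in an outbound named extended ACL and `evaluate` in the inbound one, while the firewall feature set's `ip inspect` provides true stateful inspection that also tracks TCP session state rather than only a mirrored tuple.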
