11-19-2014 08:49 AM - edited 03-07-2019 09:34 PM
Hi
i have a doubt regarding the following implementation, could some one please highlight where i am going wrong ?
Server A ----- > RTR A
10.10.10.1 ACL_IN and ACL_OUT
I want 10.10.10.1 talk to RTR A - will i need to use established command ? if so do i need on ACL_IN and ACL_OUT ? (only Server A will initial a connection and RTR A will respond to it
11-19-2014 10:06 AM
Where is router A in relation to the server? If it's on the same subnet, you won't need to do anything special. The established command only works for tcp connections, and it allows return traffic back in without explicitly allowing the type of traffic. For example, if you wanted to allow 80 out, but block 80 in, you could do:
permit tcp any any eq 80 established
deny tcp any any 80
permit ip any any
So, it really depends on how the server is getting to the router. You probably don't need an established acl, especially if it's over a vpn...
HTH,
John
11-20-2014 02:24 AM
its tcp port - say for instance like 5900. So server A will need to talk to an interface on router which has ACL IN and OUT. so when a tcp packet comes from Server A doesnt the return path need to be openeded ? wont the ACL block the return it ? so if i use established on the ACL will this solve the problem ?
11-20-2014 03:15 AM
Personally, if you have a single port, I would recommend just allowing that port and not established. Something like:
acl_in
permit tcp any any eq 5900
acl_out
permit tcp any eq 5900 any
If you were to use tcp established, I believe you'd need to use it in both acls (technically exactly like above, but with the established keyword.)
HTH,
John
11-20-2014 03:17 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
1st question: yes
2nd question: depends on the ACL
3rd question: possibly, depends on how the ACE is constructed
What you might be missing, the TCP established option allows an easy general ACE.
I.e.
permit tcp any any established
Such an ACE assumes such packets are in response from something "inside".
In your case, as the server IP is known, you might just use the server's IP, e.g.:
permit ip host 10.10.10.1 any !for an ingress ACE
permit ip any host 10.10.10.1 !for an egress ACE
For these ACEs, you could further restrict them, such as to particular protocols, ports, or options like established. So, for example, your egress ACE might be
permit tcp any host 10.10.10.1 established
Which now only allows TCP traffic to your server that appears to be a response.
As the source is any, we don't know it's a response from the router. You could hard code that IP or possibly use reflective ACLs.
Normally, if you want to control traffic between known hosts, you identify their IP addresses and other traffic attributes, such as protocols and/or ports.
Again, established is normally used generically. However, it could be use, as above, to keep the router from starting a TCP flow to the server. For example, the server could open http/telnet/etc to the router, but the router could not open http/telnet/etc to the server.
11-19-2014 10:22 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
As John notes, "So, it really depends on how the server is getting to the router."
Assuming you have two way communication, an in or out ACL can block the communication. Ideally, though, you want to block traffic as early as possible. If the server is starting the communication, optimally you would block its traffic upon ingress to the router. This precludes the router, wasting "effort", from trying to do anything further with the ingress traffic.
As John also notes, you likely don't need to use the established option. It's often used to construct a simple "firewall" filter. Basically, "inside" flows are allowed outbound, but "outside" flows are only allowed in response to an "inside" flow (i.e. those that have the established bit set).
Also as John notes, established only works for TCP. NB: for non-TCP, reflective ACLs, can sometimes be used. (Reflective ACL dynamically builds a temporary ACL entry that "mirrors" an outbound flow.)
11-20-2014 05:19 AM
There has been good discussion about using tcp established and how it permits traffic coming back for something that was initiated inside. Also how it is used on an interface that is not the interface where the original traffic came from. So established would not usually be placed on the interface where the server connects. But there has not been much discussion about the access lists in and out that the original poster says are on the router interface. We do need to be sure that those access lists permit the traffic from and to the server. But tcp established would normally not be part of those access lists.
HTH
Rick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide