ACL question

Answered Question
Sep 27th, 2006

hi,

i have one ACL applied on a router interface

will traffic in the opposite direction that matches the statements be allowed to pass?

what if it does not match them?

example:

router(config)#access-list 111 deny tcp any any eq 23

router(config)#access-list 111 permit ip any any

router(config)#interf serial 0

router(config-if)#ip access-group 111 in

router#

ankbhasi Wed, 09/27/2006 - 03:45

Hi Shadow,


The ACL will only become active for incoming packets, as the access group is applied in the "in" direction and not for packets in the reverse direction.


So for any packets hitting the serial interface inbound, if matched, the ACL will take the action, but for any traffic moving out from the serial interface the ACL will have no effect even if the condition matches.


HTH


Ankur

gpulos Wed, 09/27/2006 - 05:16

NO,


traffic in the other direction will not be submitted to the ACL.


therefore two things occur:


1) there is no MATCH with the ACL since it is not queried

2) all outbound traffic will be forwarded and not restricted by the ACL


your access-list as shown above should deny all TELNET traffic coming inbound to the SERIAL 0 interface, while allowing all other traffic inbound.


there are no outbound restrictions from what you've shown.


please see the following link for more info:

http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716eba.html#wp1063324

shadowman724 Fri, 09/29/2006 - 08:36

i understood this:

if telnet traffic is going out serial 0, it will be allowed although it matches the first statement of the ACL. is that right?

Correct Answer
ajagadee Fri, 09/29/2006 - 09:13

Wassim,


Let's approach your configuration line by line.


"access-list 111 deny tcp any any eq 23"


Based on the above configuration, you are denying any traffic coming into Serial 0 with any TCP Source Port and Destined to TCP Port 23.


"access-list 111 permit ip any any"


Based on the above configuration, you are permitting all IP traffic from any source to any destination.


interf serial 0

ip access-group 111 in


The access-group is applied on the inside of Serial 0, meaning any traffic coming into Serial 0.


So, for any traffic going out Serial 0, "access-group 111 in" is not referenced, since the access-group is not applied outbound. When the return traffic comes into Serial 0, "access-group 111 in" is referenced, since it is applied inbound.


To answer your specific question, if telnet traffic goes out from Serial 0, "access-group 111 in" is not referenced. When the return traffic comes back into Serial 0, the access-group is referenced. And since you have "access-list 111 permit ip any any" in your access-list, the return traffic will be permitted.


Don't get confused by the access-list statement that says "access-list 111 deny tcp any any eq 23". This is only for telnet traffic initiated from the outside: any TCP source port destined to telnet (port 23).


In your case, if you telnet out from Serial 0, the return traffic will have a source port of 23 (telnet) and a destination port of whatever you initiated with. So, it will match the second statement of your access-list and be permitted.


For example:


Look at the debugs from R2 when we telnet from R1 E0/0 (10.1.1.1) to R2 E0/0(10.1.1.2).


*Sep 29 16:56:30.647: IP: tableid=0, s=10.1.1.1 (Ethernet0/0), d=10.1.1.2 (Ethernet0/0), routed via RIB

*Sep 29 16:56:30.647: IP: s=10.1.1.1 (Ethernet0/0), d=10.1.1.2 (Ethernet0/0), len 44, rcvd 3

*Sep 29 16:56:30.647: TCP src=61224, dst=23, seq=4205704356, ack=0, win=4128 SYN

*Sep 29 16:56:30.647: IP: tableid=0, s=10.1.1.2 (local), d=10.1.1.1 (Ethernet0/0), routed via RIB

*Sep 29 16:56:30.647: IP: s=10.1.1.2 (local), d=10.1.1.1 (Ethernet0/0), len 44, sending

*Sep 29 16:56:30.647: TCP src=23, dst=61224, seq=2269647429, ack=4205704357, win=4128 ACK SYN



Let me know if it helps.


Regards,

Arul
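Added here as an illustration, not code from the thread or from Cisco IOS: a small Python model of an ACL applied in one direction on one interface, run against the three flows discussed above (the outbound telnet SYN, its SYN/ACK coming back in, and a telnet SYN arriving from outside). Addresses and ports are reused from Arul's debug output; the Packet/Ace classes, the constructed inbound SYN and the implicit final deny are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

# One access-list entry; only "any any" with an optional "eq <dport>" is modelled.
@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dport: Optional[int] = None  # "eq <port>" on the destination, if present

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport

# Extended ACL 111 exactly as configured in the thread.
ACL_111: List[Ace] = [Ace("deny", "tcp", dport=23), Ace("permit", "ip")]

def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# "ip access-group 111 in" on Serial 0: an ACL inbound, nothing outbound.
SERIAL0 = {"in": ACL_111, "out": None}

def forward(iface: dict, direction: str, pkt: Packet) -> Tuple[bool, str]:
    """Return (acl_consulted, verdict) for a packet crossing the interface."""
    acl = iface[direction]
    if acl is None:
        return False, "permit"   # no ACL in this direction: forwarded untouched
    return True, evaluate_acl(acl, pkt)

# Flows from the thread (ports from Arul's debug); the third one is constructed.
OUTBOUND_TELNET_SYN = Packet("tcp", "10.1.1.1", "10.1.1.2", 61224, 23)  # leaves via Serial 0
RETURN_SYN_ACK = Packet("tcp", "10.1.1.2", "10.1.1.1", 23, 61224)       # comes back in
INBOUND_TELNET_SYN = Packet("tcp", "10.1.1.2", "10.1.1.1", 40000, 23)   # telnet from outside

if __name__ == "__main__":
    print(forward(SERIAL0, "out", OUTBOUND_TELNET_SYN))  # (False, 'permit'): ACL not consulted
    print(forward(SERIAL0, "in", RETURN_SYN_ACK))        # (True, 'permit'): hits 'permit ip any any'
    print(forward(SERIAL0, "in", INBOUND_TELNET_SYN))    # (True, 'deny'): hits 'deny tcp any any eq 23'
```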

