Curious: can a WAN ACL block outgoing http, or must a LAN ACL be used?

melvey
Level 1

This works:

access-list 151 remark Block insecure connections to myaccount.simplicato.com's current (as of ACL edit time) IP.

access-list 151 deny tcp any host myaccount.simplicato.com eq www log

where ACL 151 is applied to the LAN interface:

ip access-group 151 in

But shouldn't

access-list 150 deny tcp host myaccount.simplicato.com eq www any log

where ACL 150 is applied to the WAN interface:

ip access-group 150 in

have worked too?

It didn't work. Is this because the connection starts from the inside, and gets established before this rule has a chance to stop it, and the implicit rules for established traffic make this ineffectual or what? Just trying to learn.

4 Replies

Jon Marshall
Hall of Fame

Hi

Router access-lists are not stateful, unless you are using CBAC, which is the IOS firewall.

Are these the full access-lists that you applied? Also, do you have an ip host mapping for myaccount.simplicato.com on the router?

Jon

I'm using a 1721 (running IOS: c1700-advsecurityk9-mz.124-3a.bin).

No, the ACLs are longer (ACL 150 is LONG; I'd have to sanitize it extensively to post it.) I guess you think there may be a rule of higher priority that is overriding my otherwise correct-looking rule. Is that your thinking? If so, I can clean it up and post it. (I just looked over 150 again, and it looks fine.)

The router converts the hostname to an IP when it's entered, as I indicate in the comment, perhaps a bit cryptically. If I did a show run, it had been replaced with the IP that was assigned to that hostname at the time (admittedly, a shortcoming).

Thanks!

Hi

Could you post the full router config (minus any sensitive information)?

Thanks

Jon

As Jon indicates, a sanitized config would be helpful. But before you spend time doing that, perhaps you can tell us whether there is a permit tcp established rule in the access list before the rule for myaccount... If so, that would explain the behavior: if someone inside initiated a connection to myaccount... the return packets have the ACK bit set and the established rule will let them through, and it never gets to your more specific rule.

I agree that the syntax of what you posted looks ok and should work, unless there is something in the rules that applies before you get to this rule.

HTH

Rick

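As an added illustration of Rick's point (example code written for this page, not posted by anyone in the thread): a small Python first-match evaluator for IOS-style extended ACL entries. It assumes a constructed address for myaccount.simplicato.com, since the thread never gives the resolved IP, and shows that the poster's WAN-inbound deny can only ever see the site's SYN-ACK reply, which an earlier "permit tcp any any established" entry has already matched, while the LAN-inbound ACL 151 catches the client's initial SYN before it leaves.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK (or RST) bit set: what the IOS "established" keyword matches
@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "ip", ...
    src: str              # "any" or a single host address
    sport: Optional[int]  # None means any port
    dst: str
    dport: Optional[int]
    established: bool = False
def _hit(ace, pkt):
    """True when a packet matches one access-list entry."""
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src) and ace.sport in (None, pkt.sport)
            and ace.dst in ("any", pkt.dst) and ace.dport in (None, pkt.dport)
            and (pkt.ack or not ace.established))

def evaluate(acl, pkt):
    """First-match evaluation; returns (action, entry index), or the implicit deny."""
    for i, ace in enumerate(acl):
        if _hit(ace, pkt):
            return ace.action, i
    return "deny", -1   # the implicit deny at the end of every IOS ACL

# Constructed addresses (the thread gives neither): the IP the router stored for
# myaccount.simplicato.com, and one LAN client.
SITE, LAN_HOST = "192.0.2.10", "10.0.0.5"

# Rick's scenario: a "permit tcp any any established" entry precedes the deny.
ACL_150_ESTABLISHED_FIRST = [
    Ace("permit", "tcp", "any", None, "any", None, established=True),
    Ace("deny", "tcp", SITE, 80, "any", None),   # the poster's WAN-side deny
]
# The same two entries with the specific deny placed ahead of the established permit.
ACL_150_DENY_FIRST = ACL_150_ESTABLISHED_FIRST[::-1]
# The poster's LAN-side entry: deny tcp any host <site> eq www
ACL_151 = [Ace("deny", "tcp", "any", None, SITE, 80)]

# The client's outbound SYN (seen by the LAN ACL) and the site's SYN-ACK reply
# (seen by the WAN ACL); only the reply carries the ACK bit.
OUTBOUND_SYN = Packet("tcp", LAN_HOST, 51000, SITE, 80)
RETURN_SYNACK = Packet("tcp", SITE, 80, LAN_HOST, 51000, ack=True)
```

Moving the deny ahead of the established entry makes the WAN ACL drop the reply, but the client's SYN has already left the router; ACL 151 on the LAN interface stops the connection before it starts.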