ACL - connections from router itself

james_stickland
Level 1

Hello, I have the following ACL on a 2500 router using IOS 12.0:

The scenario basically looks like this:

LAN--"outside"-Router-"inside"-internet

(seems a little bit strange as to what the router considers in/out)

ip access-list extended INSIDE-E0
 evaluate REFLEXIVE-0
 permit tcp any host 10.10.10.2 eq 65534 reflect REFLEXIVE-1
 deny ip any any log

ip access-list extended OUTSIDE-E0
 deny ip 172.16.16.0 0.0.0.15 any
 deny ip 172.16.16.16 0.0.0.15 any
 permit tcp host 10.10.10.2 eq 65534 any reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 host 209.226.175.83 eq pop3 reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 host 209.226.175.63 eq smtp reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 any eq www reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 any eq 443 reflect REFLEXIVE-0
 permit tcp host 10.10.10.3 any eq www reflect REFLEXIVE-0
 permit tcp host 10.10.10.3 any eq 443 reflect REFLEXIVE-0
 permit udp host 10.10.10.2 host 67.69.184.163 eq domain reflect REFLEXIVE-0
 permit udp host 10.10.10.3 host 67.69.184.163 eq domain reflect REFLEXIVE-0
 deny ip any any log

If, from the machine, I connect out to a host on the "inside", such as

telnet 10.10.10.6 80

The connection attempt does go out from the router locally, to the machine 10.10.10.6 (proven with packet capture on 10.10.10.6). Any other attempts, from machines on the other side of the interface are blocked. It just seems that connections from the router itself go out unfiltered. Any ideas on how to stop this?

2 Replies

Edison Ortiz
Hall of Fame

> It just seems that connections from the router itself go out unfiltered.

You are correct. The router can't police itself and that's a default behavior on outgoing packets.

You can only deny/permit the ingress traffic /when originated from the router/, not the egress traffic.

Actually there is a way to control outbound telnet from the router. You can configure

access-class <acl-number> out

on the vty ports, where <acl-number> is the number of a standard access list. Networks or subnets permitted in the access list can be telnetted to, and any network or subnet not permitted cannot be telnetted to.

But for other kinds of traffic, such as ping etc., Edison is correct that you cannot filter, with an access-group on an interface, any traffic that is originated by the router itself.

HTH

Rick

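A small evaluator for the extended-ACL syntax used in the question, added here as an example (it is not code from this thread or from Cisco): it walks OUTSIDE-E0 with first-match semantics and the implicit final deny, so you can see what the list would decide for a router-sourced packet such as the telnet to 10.10.10.6, even though IOS never consults the outbound interface ACL for traffic the router itself originates. Assumptions: 10.10.10.1 is a constructed router address (the post does not give one), the named-port table covers only the names on the page, the reflexive `evaluate` entry is skipped so return traffic is not modelled, and wildcards are parsed as hostmasks (`A 0.0.0.0` is not handled; IOS stores that form as `host A` anyway).

```python
import ipaddress
# The OUTSIDE-E0 list from the question, embedded so the example runs offline.
OUTSIDE_E0 = """
deny ip 172.16.16.0 0.0.0.15 any
deny ip 172.16.16.16 0.0.0.15 any
permit tcp host 10.10.10.2 eq 65534 any reflect REFLEXIVE-0
permit tcp host 10.10.10.2 host 209.226.175.83 eq pop3 reflect REFLEXIVE-0
permit tcp host 10.10.10.2 host 209.226.175.63 eq smtp reflect REFLEXIVE-0
permit tcp host 10.10.10.2 any eq www reflect REFLEXIVE-0
permit tcp host 10.10.10.2 any eq 443 reflect REFLEXIVE-0
permit tcp host 10.10.10.3 any eq www reflect REFLEXIVE-0
permit tcp host 10.10.10.3 any eq 443 reflect REFLEXIVE-0
permit udp host 10.10.10.2 host 67.69.184.163 eq domain reflect REFLEXIVE-0
permit udp host 10.10.10.3 host 67.69.184.163 eq domain reflect REFLEXIVE-0
deny ip any any log
"""
PORTS = {"www": 80, "pop3": 110, "smtp": 25, "domain": 53, "telnet": 23}

def _addr(t, i):
    """'any' | 'host A' | 'A WILDCARD' at t[i] -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2  # wildcard == hostmask

def _port(t, i):  # optional 'eq PORT' at t[i]; None means any port
    if i < len(t) and t[i] == "eq":
        return PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """ACEs as (action, proto, src, sport, dst, dport); 'evaluate' lines are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if t and t[0] in ("permit", "deny"):
            src, i = _addr(t, 2)
            sport, i = _port(t, i)
            dst, i = _addr(t, i)
            dport, _ = _port(t, i)  # trailing 'reflect NAME' / 'log' are ignored
            aces.append((t[0], t[1], src, sport, dst, dport))
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in aces:  # first match wins
        if p in ("ip", proto) and s in snet and d in dnet and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL
```

Running `evaluate(parse_acl(OUTSIDE_E0), "tcp", "10.10.10.1", 11000, "10.10.10.6", 80)` returns "deny", which is what the list would do to the router's own telnet if IOS applied it; the replies above explain why it does not.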