
New Member

ACL - connections from router itself

Hello, I have the following ACL on a 2500 router using IOS 12.0:

The scenario basically looks like this:

LAN--"outside"-Router-"inside"-internet

(seems a little bit strange as to what the router considers in/out)

ip access-list extended INSIDE-E0
 evaluate REFLEXIVE-0
 permit tcp any host 10.10.10.2 eq 65534 reflect REFLEXIVE-1
 deny ip any any log

ip access-list extended OUTSIDE-E0
 deny ip 172.16.16.0 0.0.0.15 any
 deny ip 172.16.16.16 0.0.0.15 any
 permit tcp host 10.10.10.2 eq 65534 any reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 host 209.226.175.83 eq pop3 reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 host 209.226.175.63 eq smtp reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 any eq www reflect REFLEXIVE-0
 permit tcp host 10.10.10.2 any eq 443 reflect REFLEXIVE-0
 permit tcp host 10.10.10.3 any eq www reflect REFLEXIVE-0
 permit tcp host 10.10.10.3 any eq 443 reflect REFLEXIVE-0
 permit udp host 10.10.10.2 host 67.69.184.163 eq domain reflect REFLEXIVE-0
 permit udp host 10.10.10.3 host 67.69.184.163 eq domain reflect REFLEXIVE-0
 deny ip any any log

If, from the machine, I connect out to a host on the "inside", such as

telnet 10.10.10.6 80

The connection attempt does go out from the router locally, to the machine 10.10.10.6 (proven with packet capture on 10.10.10.6). Any other attempts, from machines on the other side of the interface are blocked. It just seems that connections from the router itself go out unfiltered. Any ideas on how to stop this?

2 REPLIES
Hall of Fame Super Bronze

Re: ACL - connections from router itself

> It just seems that connections from the router itself go out unfiltered.

You are correct. The router can't police itself and that's a default behavior on outgoing packets.

You can only deny/permit the ingress traffic /when originated from the router/, not the egress traffic.

Hall of Fame Super Silver

Re: ACL - connections from router itself

Actually there is a way to control outbound telnet from the router. You can configure

access-class <acl-number> out

on the vty ports, where <acl-number> is the number of a standard access list. Networks or subnets permitted in the access list can be telnetted to and any network or subnet not permitted can not be telnetted to.

But for other kinds of traffic, such as ping etc., Edison is correct that you cannot filter with an access-group on an interface any traffic that is originated by the router itself.

HTH

Rick
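As an added illustration of Rick's suggestion (this is not the original poster's configuration or part of either reply), here is the vty access-class applied to the 2500 in the thread. It assumes standard ACL number 10 is unused on the router and that the only hosts the router should be allowed to telnet to are the two LAN hosts already named in the poster's ACLs, 10.10.10.2 and 10.10.10.3; the host 10.10.10.6 from the question is then refused by the line.

```cisco
! Added example, not from the thread: restrict where the router itself may telnet.
! Assumed: standard ACL number 10 is free on this router.
! Only the two LAN hosts that appear in the poster's ACLs are permitted as telnet
! destinations. Anything else, including 10.10.10.6 from the question, hits the
! implicit deny at the end of the standard access list.
access-list 10 permit 10.10.10.2 0.0.0.0
access-list 10 permit 10.10.10.3 0.0.0.0
!
! "out" on a line filters connections opened *from* a session on that line,
! which is the only place an interface access-group cannot reach.
line vty 0 4
 access-class 10 out
!
! Verification (constructed session, not captured from the poster's router):
!   Router# show access-lists 10
!   Standard IP access list 10
!       permit 10.10.10.2
!       permit 10.10.10.3
!   Router# telnet 10.10.10.6 80
!   (the vty refuses the connection because 10.10.10.6 is not permitted by ACL 10)
```

This only governs telnet sessions that an operator opens from a vty session on the router; as Rick points out, router-sourced ping and similar traffic is still not filtered by either this line command or an interface access-group.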
