02-01-2007 07:06 AM - edited 03-05-2019 02:06 PM
I am trying to understand the difference between adding an ACL to an interface with the ip access-group in statement and with the ip access-group out statement. I have 'in' on one interface and 'out' on another, and they seem to behave differently. Both of the interfaces end up going out to the internet. A firewall allows the 192.168.3.0/24 range out to the internet. So the 192.168.150.0/24 network gets NAT'd to 192.168.3.100-150 (overloaded), and the 192.168.3.0/24 interface just keeps the same IP.
See Below:
interface Ethernet1/0
description Lab Network 192.168.150.x
ip address 192.168.150.1 255.255.255.0
ip access-group LAB_ACL in
ip nat inside
full-duplex
ntp disable
<-- cut -->
ip access-list extended LAB_ACL
remark
remark #######################################################
remark
permit ip 192.168.150.0 0.0.0.255 host 4.2.2.1
permit ip 192.168.150.0 0.0.0.255 host 4.2.2.2
permit ip 192.168.150.0 0.0.0.255 65.200.222.0 0.0.0.63
permit ip 192.168.150.0 0.0.0.255 65.200.10.0 0.0.0.255
remark #######################################################
remark
remark Deny all
deny ip any any log
remark #######################################################
*******************
interface FastEthernet0/1
description Corporate NAT Interface
ip address 192.168.3.2 255.255.255.0
ip access-group ACL_allowed out
ip nat outside
speed 100
full-duplex
<-- cut -->
ip access-list extended ACL_allowed
remark
remark #######################################################
remark Deny standard microsoft ports
deny tcp any any eq 135
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
deny udp any any eq 135
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
deny tcp any any eq 445
deny udp any any eq 445
remark
remark #######################################################
remark Permit only traffic with local network
permit ip 192.168.3.0 0.0.0.255 any
remark
remark #######################################################
remark Deny all
deny ip any any log
remark #######################################################
02-01-2007 07:38 AM
Tahir
I agree that the implications of access-group in and access-group out are subtle and sometimes a bit difficult to understand. It helps me to think about them this way: in and out are from the perspective of the router. So an access-group out is traffic that the router is sending out to the devices on that interface segment, and access-group in is receiving traffic from the devices on that interface segment.
So your first access list is on interface Ethernet1/0 and is applied inbound, so the devices on that subnet are sending - and so the source address should be 192.168.150.x. The access list is written with 192.168.150.0 as the source and the access list should work.
Your second access list is on interface FastEthernet0/1 and is applied out, so the 192.168.3.x should be the destination. But the permit statement (permit ip 192.168.3.0 0.0.0.255 any) is using it as the source. So it looks to me like this access list should not be working unless you assign it inbound or reverse the addresses in the access list.
HTH
Rick
02-01-2007 07:51 AM
Rick,
That is the understanding I was under, however it does not seem to work that way. If I reverse the second access-group by changing it from 'out' to 'in', it fails.
Keeping the exact same access list I get these errors:
ip access-list extended ACL_allowed
remark
remark #######################################################
remark Deny standard microsoft ports
deny tcp any any eq 135
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
deny udp any any eq 135
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
deny tcp any any eq 445
deny udp any any eq 445
remark
remark #######################################################
remark Permit only traffic with local network
permit ip 192.168.3.0 0.0.0.255 any
remark
remark #######################################################
remark Deny all
deny ip any any log
remark #######################################################
<--cut-->
interface FastEthernet0/1
description Corporate NAT Interface
ip address 192.168.3.2 255.255.255.0
ip access-group ACL_allowed IN <--- Changed from out to in.
ip nat outside
speed 100
full-duplex
Below are all the UDP DNS requests and NTP requests that now fail when changed to 'IN'
Feb 1 2007 10:46:50: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 192.5.41.41(123) -> 192.168.3.2(123), 1 packet
Feb 1 2007 10:46:59: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 4.2.2.2(53) -> 192.168.3.105(48279), 1 packet
Feb 1 2007 10:47:19: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 4.2.2.2(53) -> 192.168.3.105(48280), 1 packet
Feb 1 2007 10:47:39: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 4.2.2.2(53) -> 192.168.3.105(48282), 1 packet
Feb 1 2007 10:47:47: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 4.2.2.2(53) -> 192.168.3.105(48284), 1 packet
Feb 1 2007 10:48:01: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 4.2.2.2(53) -> 192.168.3.105(48285), 1 packet
Feb 1 2007 10:48:14: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 4.2.2.2(53) -> 192.168.3.105(48287), 1 packet
Feb 1 2007 10:48:16: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 4.2.2.2(53) -> 192.168.3.105(48288), 1 packet
Feb 1 2007 10:48:46: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 4.2.2.2(53) -> 192.168.3.105(48290), 1 packet
Feb 1 2007 10:48:51: %SEC-6-IPACCESSLOGP: list ACL_allowed denied udp 4.2.2.2(53) -> 192.168.3.105(48291), 1 packet
Below are the IP NAT translations that show the .3.x network (NATd for internet) to the 150.x network
router>show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 192.168.3.79 192.168.2.79 --- ---
--- 192.168.3.80 192.168.2.80 --- ---
udp 192.168.3.105:1026 192.168.150.50:1026 4.2.2.2:53 4.2.2.2:53
udp 192.168.3.105:48282 192.168.150.50:48282 4.2.2.2:53 4.2.2.2:53
udp 192.168.3.105:48284 192.168.150.50:48284 4.2.2.2:53 4.2.2.2:53
udp 192.168.3.105:48285 192.168.150.50:48285 4.2.2.2:53 4.2.2.2:53
udp 192.168.3.105:48287 192.168.150.50:48287 4.2.2.2:53 4.2.2.2:53
udp 192.168.3.105:48288 192.168.150.50:48288 4.2.2.2:53 4.2.2.2:53
02-01-2007 08:44 AM
I should also note that there is NAT on the FastEthernet 0/1 interface (it is in the config), and that all the 150.x traffic is NAT'd to a pool from 192.168.3.100-192.168.3.105, then sent out the 192.168.3.x interface. I am not sure if that has an effect on this access-group problem.
02-01-2007 10:47 AM
Yes, NAT indeed has an implication on the processing of ACLs. The router first translates the address of the egress packet and checks the ACL afterwards. Therefore, in your case the source IP of the outgoing packet is picked from the 192.168.3.100-192.168.3.105 pool, and the out ACL will allow this traffic to be sent out. Eventually, in the case of NAT you have to design ACLs by considering this.
For further explanation of the order of operations check this: http://www.cisco.com/warp/public/556/5.html
02-01-2007 12:07 PM
So what ultimately is the difference between an 'IN' and an 'OUT' in the ip access-group command? It still does not make sense to me.
Thanks!
02-01-2007 12:26 PM
The difference in applying an ACL in or out is pretty easy. When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.
When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.
02-01-2007 12:27 PM
Think of it as this...
"in" is traffic into the port
"out" is traffic out of the port
Therefore you have to be careful when you write your acl's that your source and destination are not reversed.
02-01-2007 01:54 PM
Just another explanation:
- "in" means packets received from the "cable" attached to the port;
- "out" means packets to be forwarded towards destinations reachable through the "cable".
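The NAT order-of-operations post and the in/out explanations above can be put together in a small model. This is an added example, not code from anyone in the thread: it evaluates the thread's ACL_allowed (reduced to one port deny plus the two IP entries) against the DNS query and reply from the posted translation table, with the inbound ACL checked before NAT and the outbound ACL after it, as the thread describes.

```python
# Added example, not from the thread: a small model of how IOS evaluates an
# extended ACL and of the NAT order of operations described above (inbound
# ACL before NAT, outbound ACL after NAT). Addresses, ACL entries and the
# translation come from the configuration and output posted in the thread.
from ipaddress import IPv4Address

def wild_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, pkt):
    """First-match evaluation; no match falls through to the implicit deny."""
    for action, proto, src, swc, dst, dwc, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if wild_match(pkt["src"], src, swc) and wild_match(pkt["dst"], dst, dwc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# ACL_allowed from the thread, reduced to one port deny plus the two IP entries.
ACL_ALLOWED = [
    ("deny",   "tcp", *ANY, *ANY, 445),
    ("permit", "ip",  "192.168.3.0", "0.0.0.255", *ANY, None),
    ("deny",   "ip",  *ANY, *ANY, None),
]
# Inside local -> inside global, as in the posted "show ip nat translations".
NAT = {"192.168.150.50": "192.168.3.105"}

def fa0_1_verdict(pkt, travel, acl_direction):
    """Does a packet crossing FastEthernet0/1 (ip nat outside) get through?
    travel: 'egress' (lab -> Internet) or 'ingress' (Internet -> lab).
    acl_direction: how ACL_allowed is applied on Fa0/1, 'in' or 'out'."""
    if travel == "egress":
        # Leaving Fa0/1: inside->outside NAT runs first, so the 'out' ACL sees
        # 192.168.3.105 as source; an 'in' ACL on Fa0/1 is not consulted.
        translated = dict(pkt, src=NAT.get(pkt["src"], pkt["src"]))
        return acl_permits(ACL_ALLOWED, translated) if acl_direction == "out" else True
    # Arriving on Fa0/1: the 'in' ACL runs before the outside->inside translation,
    # so the reply still has 4.2.2.2 as source and 192.168.3.105 as destination,
    # which no permit entry covers; this is what the %SEC-6-IPACCESSLOGP lines show.
    return acl_permits(ACL_ALLOWED, pkt) if acl_direction == "in" else True

DNS_QUERY = {"proto": "udp", "src": "192.168.150.50", "dst": "4.2.2.2", "dport": 53}
DNS_REPLY = {"proto": "udp", "src": "4.2.2.2", "dst": "192.168.3.105", "dport": 48282}
```

With the ACL applied out, both the query and the reply get through; applied in, the reply is dropped exactly as the posted log lines show.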
02-01-2007 01:58 PM
Do 'IN' and 'OUT' change depending on which direction the packets are flowing? If host A talks to host B over the interface, does the access list work the same if host B talks to host A?
02-01-2007 02:08 PM
No, not at all. Consider an SMTP communication, for example:
Host----port a [router]---- Server
When you want to allow the host to send mail to the server, you would write an in ACL on port a:
permit tcp host (host ip) host (server ip) eq smtp
On the other hand, to allow the server to reply, you would create an out ACL like this:
permit tcp host (server ip) eq smtp host (host ip)
02-01-2007 02:10 PM
Sorry, the short answer is YES, it does change... but the example is correct :-)
02-02-2007 06:23 AM
I guess I understand. So you are saying if I create the above ACL, I cannot get responses unless I create the appropriate out ACL? I thought the OUT ACL was just after the router processed the packet. In other words, I send a packet 'in' an interface, the router decides if it is ok to pass, it does, then NATs the packet, then it compares it against the 'out' ACL. Is this correct?
Can 'in' be both sides of an interface, because technically it can come 'in' both sides?
02-02-2007 07:16 AM
Look at it as "in" from the wire.
02-02-2007 10:27 AM
So what is out?