Solved: Acess-list....traffic back

Tauer Drumond · ‎04-02-2009

Hi all,

I put the follow access-list in my router:

router(config)#access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www

And I've aplyed it on the f0/0 interface, this way:

router(confg-if)ip access-group 101 in

Whit this, I can WWW the host 172.16.0.10. Right.

But, I would like put an access-list on the f0/1(outside) interface to permit host 172.16.0.10 to answer the request.

But, to do that, I must put an access-list permiting 172.16.0.10 to connect to all higher ports 1024....65536...

I mean, I just wanna permit the traffic back, only if the first traffic is permited, like a firewall does.

Is this possible?

Or, is there another way to do that?

Thank you

Tauer

Collin Clark · ‎04-02-2009

The example in the link is a bit confusing. With CBAC, you have any ACL on the "trusted" side. You create inspection rules, then apply it to the "untrusted" interface with a direction of out. What this does is track connections outbound and dynamically allows the connection back in. CBAC is basically a stateful inpsection engine, just like an ASA firewall.

The confusing part is let's say for example you also host a public website in your network. CBAC has nothing to do with this, so we need to create an ACL for the outside interface to allow web traffic to our webserver. The outside ACL has nothing to do with return traffic when source from the trusted side (when CBAC is used). If you lookat the example, they are only allowing certain types of ICMP from the outside. CBAC allows dynamic "holes" to be opened for return traffic. Any traffic source from the public interface needs to be specifically allowed with an ACL.

Does that help?

View solution in original post

Collin Clark · ‎04-02-2009

You bet there is!

https://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Hope this helps.

Tauer Drumond · ‎04-02-2009

Hi Collin,

In this example, I got to configure the access-list returns.

I mean, If a inbound access-list is permiting WWW, the traffic returns must be permited too, without an access-list configuration.

Did I mistake something?

Collin Clark · ‎04-02-2009

The example in the link is a bit confusing. With CBAC, you have any ACL on the "trusted" side. You create inspection rules, then apply it to the "untrusted" interface with a direction of out. What this does is track connections outbound and dynamically allows the connection back in. CBAC is basically a stateful inpsection engine, just like an ASA firewall.

The confusing part is let's say for example you also host a public website in your network. CBAC has nothing to do with this, so we need to create an ACL for the outside interface to allow web traffic to our webserver. The outside ACL has nothing to do with return traffic when source from the trusted side (when CBAC is used). If you lookat the example, they are only allowing certain types of ICMP from the outside. CBAC allows dynamic "holes" to be opened for return traffic. Any traffic source from the public interface needs to be specifically allowed with an ACL.

Does that help?

Tauer Drumond · ‎04-02-2009

Yes it does,

just to clarify...

On my first example, lets consider F0/0 the inside interface (trusted network - 192.168.0.0/24) and F0/1 outside interface (untrusted network - 172.16.0.0/24).

If I create an ACL like this:

"access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www"

and apply it on F0/0: ip access-group 101 in.

And create an ACL like this:

"access-list 102 deny any any" and apply it on F0/1: ip access-group 102 in

Then, I create inspection rules, then apply it to the "untrusted" interface with a direction of out.

So... If the host 192.168.0.1 generate a connection to the 172.16.0.10 on port 80, will be this connection allowed? Even if on the F0/1 there's a ACL deny any any..... ?

Thank you