Cisco Support Community
Community Member

Access-list....traffic back

Hi all,

I put the following access-list in my router:

router(config)#access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www

And I've applied it on the f0/0 interface, this way:

router(config-if)#ip access-group 101 in

With this, I can WWW the host 172.16.0.10. Right.

But I would like to put an access-list on the f0/1 (outside) interface to permit host 172.16.0.10 to answer the request.

But to do that, I must put an access-list permitting 172.16.0.10 to connect to all higher ports 1024....65536...

I mean, I just want to permit the traffic back, only if the first traffic is permitted, like a firewall does.

Is this possible?

Or, is there another way to do that?

Thank you

Tauer


4 REPLIES

Re: Access-list....traffic back

Community Member

Re: Access-list....traffic back

Hi Collin,

In this example, I have to configure the access-list for the returning traffic.

I mean, if an inbound access-list is permitting WWW, the return traffic must be permitted too, without an access-list configuration.

Did I misunderstand something?

Re: Access-list....traffic back

The example in the link is a bit confusing. With CBAC, you have any ACL on the "trusted" side. You create inspection rules, then apply it to the "untrusted" interface with a direction of out. What this does is track connections outbound and dynamically allow the connection back in. CBAC is basically a stateful inspection engine, just like an ASA firewall.

The confusing part is, let's say for example you also host a public website in your network. CBAC has nothing to do with this, so we need to create an ACL for the outside interface to allow web traffic to our webserver. The outside ACL has nothing to do with return traffic when sourced from the trusted side (when CBAC is used). If you look at the example, they are only allowing certain types of ICMP from the outside. CBAC allows dynamic "holes" to be opened for return traffic. Any traffic sourced from the public interface needs to be specifically allowed with an ACL.

Does that help?

Community Member

Re: Access-list....traffic back

Yes it does,

just to clarify...

On my first example, let's consider F0/0 the inside interface (trusted network - 192.168.0.0/24) and F0/1 the outside interface (untrusted network - 172.16.0.0/24).

If I create an ACL like this:

"access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www"

and apply it on F0/0: ip access-group 101 in.

And create an ACL like this:

"access-list 102 deny ip any any" and apply it on F0/1: ip access-group 102 in

Then I create inspection rules and apply them to the "untrusted" interface with a direction of out.

So... If the host 192.168.0.1 generates a connection to 172.16.0.10 on port 80, will this connection be allowed? Even if on F0/1 there's an ACL deny any any..... ?

Thank you
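The setup described in the accepted answer, written out as an IOS configuration for the interfaces and hosts used in this thread. This is an added example, not configuration from any post here; the router interface addresses and the inspection rule name INSIDE_OUT are assumptions.

```cisco
! Added example (not from any post in this thread): CBAC for the
! scenario above. Router interface addresses and the inspection
! rule name INSIDE_OUT are assumptions.
!
! Inside (trusted) side: only 192.168.0.1 may open HTTP to
! 172.16.0.10; everything else from the inside hits the implicit deny.
access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www
!
! Outside (untrusted) side: nothing initiated from the outside is
! allowed in. CBAC inserts temporary entries for the return traffic
! of inspected sessions ahead of this ACL, so the explicit deny does
! not break the HTTP session and no permit for ports 1024-65535 is needed.
access-list 102 deny ip any any log
!
! Inspection rule: track outbound TCP sessions and open the return
! path dynamically for as long as each session exists.
ip inspect name INSIDE_OUT tcp
!
interface FastEthernet0/0
 description INSIDE (192.168.0.0/24)
 ip address 192.168.0.254 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0/1
 description OUTSIDE (172.16.0.0/24)
 ip address 172.16.0.254 255.255.255.0
 ip access-group 102 in
 ip inspect INSIDE_OUT out
!
! Verification once 192.168.0.1 has opened a connection to 172.16.0.10:
!   show ip inspect sessions   (the tracked TCP session appears here)
!   show access-lists 102      (the deny counter does not increment
!                               for the returning packets)
```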
