ACL and its direction does it affect inbound and outbound traffic

zillah2004
Level 1

If I apply the ACL below inbound on interface e0/0:

RA#configure terminal
RA(config)#access-list 10 permit 172.16.0.0 0.0.255.255
! without the wildcard mask IOS would treat this as a single-host match (172.16.0.0 only)
RA(config)#interface FastEthernet0/0
RA(config-if)#ip access-group 10 in

Implicitly everything else will be denied, but does that affect outbound traffic as well? (I know that if I send outbound traffic {say A}, I should expect a response {say B} to that outbound traffic {A}.)

But my question is: if I do not care about receiving the response (B, inbound), will the outbound traffic {A} still be able to leave the router RA?

5 Replies

ankurbhasin
Level 9

Hi Zillah,

A simple way of thinking about it: if any traffic from your LAN hits the fa0/0 interface on your router, it will be checked first, before it moves on from that interface.

But if any traffic is coming from a different interface, for example int fa0/1, towards your fa0/0 interface, it will not be checked.

HTH

Ankur

My understanding of what you have been explaining is that the outbound traffic in my case will still leave the router RA. Am I right?

Hi Zillah,

Suppose you are trying to access anything outside your network, let's say yahoo.com, from your LAN: when it reaches the default gateway, which is your LAN interface fa0/0, it will be denied.

Any traffic other than what you have allowed will be denied when it hits fa0/0 from the LAN towards the outside world, but any traffic coming from outside will be allowed.

HTH, please rate all posts

Ankur

Thanks Ankur

I have another scenario, from an Internetwork Expert lab, to stop a DoS attack:

{{A remote site with one connection to the rest of the network. Normally, to prevent spoofed IP addresses from being sent by the remote site, an access-list is created to only permit packets with the remote site's network as the source IP address. This access-list is applied inbound on the main site's router.}}

Let us take an example: suppose a remote site has the network address 140.16.0.0/16.

The main router is called CentralR, with serial interface S0/0; the configuration is then:

access-list 1 permit 140.16.0.0 0.0.255.255
interface Serial0/0
 ip access-group 1 in
! applied inbound on s0/0

Explanation:

1- If the direction of the packets is from the remote site (140.16.0.0) towards the main router (inbound traffic), the router will accept (ACL permit) packets with a genuine source IP address and packets with a spoofed source IP address as well, because the router cannot distinguish between them. Am I right?

2- Since the router cannot deny the outgoing flow (outbound), because the ACL has been applied to inbound traffic only, how can I reduce the impact of a DoS attack?

Hi Zillah,

1) The answer to your first question is YES, as both the genuine source IP address and the spoofed source IP address will be allowed.

2) Though I am not a security guy, I still remember my security friends used to talk about a command:

ip verify unicast reverse-path

Check the link for more details

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_i2h.htm#wp1147391

Usage Guidelines

Use the ip verify unicast reverse-path interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that are received by a router. Malformed or forged source addresses can indicate denial of service (DoS) attacks on the basis of source IP address spoofing.

But this only works if you have CEF enabled on the router.

HTH, please rate all posts.

Ankur
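The two points made in this thread, that an inbound ACL on fa0/0 only filters packets that enter the router through fa0/0 (Ankur's first two replies) and that neither the anti-spoofing ACL on CentralR nor strict uRPF can tell a genuine 140.16.x.x source from a spoofed one inside that same range (the last exchange), can be checked with a small model of the forwarding path. The following Python is an added illustration written for this page, not IOS code and not part of the original thread. The interface names, the main-site prefix 10.1.0.0/16, the outside host 198.51.100.5 and the routing tables are constructed assumptions; the IOS behaviours it encodes are: wildcard-mask matching, the implicit "deny any" at the end of a standard ACL, the host-only match when the wildcard mask is omitted, and strict uRPF's rule that the best route back to the source must point out the ingress interface.

```python
"""Toy model of IOS standard-ACL direction and strict uRPF (added example for this thread).
Not IOS code: interface names, prefixes and the sample topologies are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class StdAclEntry:
    action: str                 # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"   # IOS default when the mask is omitted: exact host match

    def matches(self, src: str) -> bool:
        # IOS wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
        a = int(ipaddress.IPv4Address(self.address))
        w = int(ipaddress.IPv4Address(self.wildcard))
        s = int(ipaddress.IPv4Address(src))
        return (a & ~w) == (s & ~w)


def acl_permits(entries, src):
    """First matching entry wins; no match falls through to the implicit 'deny any'."""
    for e in entries:
        if e.matches(src):
            return e.action == "permit"
    return False


@dataclass
class Router:
    routes: dict                                   # prefix -> egress interface (best route)
    acls: dict = field(default_factory=dict)       # (interface, "in"|"out") -> [StdAclEntry]
    urpf_strict: set = field(default_factory=set)  # interfaces with 'ip verify unicast reverse-path'

    def lookup(self, addr):
        """Longest-prefix match; None when there is no route to addr."""
        best = None
        for prefix, ifname in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None

    def forward(self, ingress, src, dst):
        """Return ('forwarded', egress) or ('dropped', reason) for one packet."""
        acl = self.acls.get((ingress, "in"))          # inbound ACL: only on the arrival interface
        if acl is not None and not acl_permits(acl, src):
            return ("dropped", f"inbound ACL on {ingress}")
        # Strict uRPF: the best route back to the source must point out the ingress interface.
        if ingress in self.urpf_strict and self.lookup(src) != ingress:
            return ("dropped", f"uRPF on {ingress}")
        egress = self.lookup(dst)
        if egress is None:
            return ("dropped", "no route")
        acl = self.acls.get((egress, "out"))          # outbound ACL: only on the exit interface
        if acl is not None and not acl_permits(acl, src):
            return ("dropped", f"outbound ACL on {egress}")
        return ("forwarded", egress)


def scenario_ra():
    """Zillah's first question: 'access-list 10' applied inbound on fa0/0, the LAN side of RA."""
    ra = Router(routes={"172.16.0.0/16": "fa0/0", "0.0.0.0/0": "fa0/1"})   # assumed topology
    # 'access-list 10 permit 172.16.0.0' with no wildcard mask matches only the host 172.16.0.0
    ra.acls[("fa0/0", "in")] = [StdAclEntry("permit", "172.16.0.0")]
    a_as_posted = ra.forward("fa0/0", "172.16.0.10", "198.51.100.5")  # A: LAN host out to the world
    # Reply B enters on fa0/1 and leaves via fa0/0: the inbound ACL on fa0/0 is never consulted.
    b_reply = ra.forward("fa0/1", "198.51.100.5", "172.16.0.10")
    ra.acls[("fa0/0", "in")] = [StdAclEntry("permit", "172.16.0.0", "0.0.255.255")]
    a_with_mask = ra.forward("fa0/0", "172.16.0.10", "198.51.100.5")
    return {"A_as_posted": a_as_posted, "B_reply": b_reply, "A_with_wildcard": a_with_mask}


def scenario_central():
    """The anti-spoofing ACL on CentralR s0/0, then strict uRPF in its place."""
    cr = Router(routes={"140.16.0.0/16": "s0/0", "10.1.0.0/16": "fa0/0"})  # 10.1.0.0/16 = assumed main site
    cr.acls[("s0/0", "in")] = [StdAclEntry("permit", "140.16.0.0", "0.0.255.255")]
    with_acl = {
        "genuine": cr.forward("s0/0", "140.16.1.1", "10.1.0.5"),
        "spoof_main_site": cr.forward("s0/0", "10.1.0.9", "10.1.0.5"),
        "spoof_in_range": cr.forward("s0/0", "140.16.200.200", "10.1.0.5"),
    }
    cr.acls.clear()
    cr.urpf_strict.add("s0/0")   # ip verify unicast reverse-path on s0/0 (needs CEF on a real router)
    with_urpf = {
        "genuine": cr.forward("s0/0", "140.16.1.1", "10.1.0.5"),
        "spoof_main_site": cr.forward("s0/0", "10.1.0.9", "10.1.0.5"),
        "spoof_in_range": cr.forward("s0/0", "140.16.200.200", "10.1.0.5"),
        "spoof_unrouted": cr.forward("s0/0", "203.0.113.9", "10.1.0.5"),
    }
    return {"acl": with_acl, "urpf": with_urpf}


if __name__ == "__main__":
    for name, result in {**scenario_ra(), **scenario_central()}.items():
        print(name, result)
```

Running it shows the ACL exactly as posted (no wildcard mask) dropping the LAN host's own outbound packet A, because only the host 172.16.0.0 is permitted, while the reply B that arrives on fa0/1 is forwarded out of fa0/0 untouched; with the 0.0.255.255 mask, A is forwarded via fa0/1. On CentralR, both the ACL and strict uRPF drop a packet from s0/0 that claims a main-site source (the route to 10.1.0.0/16 points out fa0/0, not s0/0), and uRPF additionally drops sources with no route at all, but a spoofed 140.16.200.200 passes both: on a single-homed link the router has no way to distinguish it from a genuine remote-site host, so the remaining lever is filtering at the remote site's own egress.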