ACL works but I don't understand why

hansvanbreen
Level 1

All our Cisco routers have been configured by an external consultant some years ago, and now I have been assigned the task of maintaining these routers (IOS novice...)

Each router has two ACLs, one on the WAN interface and one on the LAN interface. It's the WAN ACL, however short, that I don't understand...

interface FastEthernet0/0
 description LINK_TO_INTERNET
 ip address 80.8.5.90 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip inspect To-Internet out
 duplex auto
 speed auto
 no cdp enable
!
.
.
access-list 100 remark *** anti-spoofing outside -> router ***
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip any any log

As I understand it from this, all traffic would be blocked, but internet access works fine.

Who can fill me in on the missing bits and pieces?

Thanks

Hans

5 Replies

jgross
Level 1

Hello Hans,

This is not the complete config; I think that there are more lines in access-list 100.

The lines you pasted:

You use 10.X.X.X for your internal network.

This part of the access list denies incoming packets with a source address of 10.X.X.X.

This means nobody from the outside can come into the network with a 10.X.X.X source address and pretend to be from the inside of the network.

Try this link:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Bye

Joachim

Jon Marshall
Hall of Fame

Hi Hans

This may well be the full access-list. With just an access-list this would do as you would expect and block all traffic.

However, this router is running the Firewall feature set (CBAC) by the looks of it. The "ip inspect To-Internet out" line is the one that shows this.

So in effect you start off denying anything inbound from outside. If a user on the inside creates a connection out, then a dynamic entry is added to access-list 100 above the deny ip any any line.

Attached is a link for more details on CBAC:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1002187

HTH
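As an added illustration (not code from the thread, from Cisco, or from Jon), the Python below models the behaviour described above: the pasted access-list evaluated top-down as a stateless filter, and the CBAC return-path entry inserted above the final deny once an inside host opens a connection outbound. The router's WAN address 80.8.5.90 is from the post; the server address 203.0.113.10 and the port numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    src_net: ipaddress.IPv4Network     # source match; 0.0.0.0/0 means "any"
    proto: str = "ip"                  # "ip" matches every protocol
    dst_host: Optional[str] = None     # None means any destination
    sport: Optional[int] = None        # None means any source port
    dport: Optional[int] = None        # None means any destination port
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src_net
                and self.proto in ("ip", p.proto)
                and self.dst_host in (None, p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

class WanAcl:
    """access-list 100 from the thread, applied 'in' on the WAN interface."""
    def __init__(self) -> None:
        self.static = [Entry("deny", ipaddress.ip_network("10.0.0.0/8"))]  # anti-spoofing line
        self.dynamic: List[Entry] = []   # CBAC entries land here, above the final deny
        self.final = Entry("deny", ipaddress.ip_network("0.0.0.0/0"), log=True)

    def evaluate(self, p: Packet) -> str:
        """Top-down, first match wins, exactly like a stateless IOS ACL."""
        for e in self.static + self.dynamic + [self.final]:
            if e.matches(p):
                return e.action
        return "deny"  # implicit deny; unreachable because of the explicit final entry

    def inspect_outbound(self, p: Packet) -> None:
        """Model of 'ip inspect To-Internet out': an inside-initiated session
        opens a permit for its exact return flow (the 5-tuple reversed).
        Addresses are post-NAT (inside global), as seen on the WAN interface."""
        self.dynamic.insert(0, Entry("permit", ipaddress.ip_network(p.dst + "/32"),
                                     proto=p.proto, dst_host=p.src,
                                     sport=p.dport, dport=p.sport))
```

Without a preceding outbound session the server's reply hits the final deny; after inspection only that session's return flow is permitted, while a packet with a spoofed 10.x source still hits the static deny first.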

Actually, you are all forgetting the order of operations:

The packets coming inbound on the "ip nat outside" interface are not yet destined for the internal networks when the ACL is checked.

The ACL is checked (anything to 10 denied; the inside 10 networks are still their external IPs at this point ;)

NAT is performed. The inside global addresses that the inside local addresses use on the "ip nat outside" are NATted back to 10.x.x.x.

Then the packet is routed towards 10.x.x.x.

So the ACL works because 10.x.x.x traffic is NEVER the destination on this NAT outside interface.

See

http://www.zdnetasia.com/insight/network/0,39044847,39370302,00.htm

FYI CBAC (inspect) would be way down the line on the order of operations and not be an issue here.

Hi

But the access-list also has a deny ip any any in it. So CBAC is the element that allows this access-list to work. Because without CBAC regardless of the IP addresses used in the packets the access-list on the WAN interface would drop ALL packets.

So I would argue that to understand how that access-list can deny all traffic, which in normal operation without CBAC would drop all traffic as access-lists are not stateful, you have to understand that it is CBAC that allows this to work.

Regards

Jon

Jon, thanks for your explanation, you hit the nail on the head, and thank you Joachim and jbrunner for your contributions.

Your help is much appreciated.

Hans
