Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACL works but i dont understand why

All our Cisco routers have been configured by an external consultant some years ago, and now i have been assigned the task to maintain these routers (ios novice...)

Each router has two ACL's, one on the wan interface and one on the lan interface. Its the wan ACL, however short, i dont understand...

interface FastEthernet0/0

description LINK_TO_INTERNET

ip address 80.8.5.90 255.255.255.248

ip access-group 100 in

ip nat outside

ip inspect To-Internet out

duplex auto

speed auto

no cdp enable

!

.

.

access-list 100 remark *** anti-spoofing outside -> router ***

access-list 100 deny ip 10.0.0.0 0.255.255.255 any

access-list 100 deny ip any any log

As i understand from this all traffic would be blocked, but internet access works fine.

Who can fill me in on the missing bits and pieces?

Thanks

Hans

2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Blue

Re: ACL works but i dont understand why

Hi Hans

This may well be the full access-list. With just an access-list this would do as you would expect and block all traffic.

However this router is running the Firewall feature set (CBAC) by the looks of it. The "ip inspect To-internet out" line is the one that shows this.

So in effect you start off denying anything inbound from outside. if a user on the inside creates a connection out then a dynamic entry is added to the access-list 100 above the deny ip any any line.

Attached is a link for more details on CBAC

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1002187

HTH

Hall of Fame Super Blue

Re: ACL works but i dont understand why

Hi

But the access-list also has a deny ip any any in it. So CBAC is the element that allows this access-list to work. Because without CBAC regardless of the IP addresses used in the packets the access-list on the WAN interface would drop ALL packets.

So i would argue to understand how that access-list can deny all traffic which in normal operations without CBAC would drop all traffic as access-lists are not stateful, you have to understand that it is CBAC that allows this to work

Regards

Jon

5 REPLIES
New Member

Re: ACL works but i dont understand why

Hello Hans,

this is not the complete config, I think that there are more line in access-list 100.

The lines you pasted:

You use 10.X.X.X for your internal network.

This part of the access list denys incomming packets with a source adress of 10.X.X.X.

This means nobody from the outside can come into the network with a 10.X.X.X Source Adress and pretend to be from the insite of the network.

Try this link:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Bye

Joachim

Hall of Fame Super Blue

Re: ACL works but i dont understand why

Hi Hans

This may well be the full access-list. With just an access-list this would do as you would expect and block all traffic.

However this router is running the Firewall feature set (CBAC) by the looks of it. The "ip inspect To-internet out" line is the one that shows this.

So in effect you start off denying anything inbound from outside. if a user on the inside creates a connection out then a dynamic entry is added to the access-list 100 above the deny ip any any line.

Attached is a link for more details on CBAC

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1002187

HTH

New Member

Re: ACL works but i dont understand why

actually you all are forgetting the order of operations;

the packets coming inbound on the "ip nat outside" interface are not yet destined for the internal networks when the ACL is checked.

The acl is checked (anything to 10 denied, the inside 10 networks are still there external ip's at this point ;)

nat is performed. The inside global addresses the inside local addresses use on the "ip nat outside" are natted back to 10.x.x.x

then the packet is routed towards 10.x.x.x

so the ACL works because 10.x.x.x traffic is NEVER the destination on this nat outside interface.

see

http://www.zdnetasia.com/insight/network/0,39044847,39370302,00.htm

FYI CBAC (inspect) would be way down the line on the order of operations and not be an issue here.

Hall of Fame Super Blue

Re: ACL works but i dont understand why

Hi

But the access-list also has a deny ip any any in it. So CBAC is the element that allows this access-list to work. Because without CBAC regardless of the IP addresses used in the packets the access-list on the WAN interface would drop ALL packets.

So i would argue to understand how that access-list can deny all traffic which in normal operations without CBAC would drop all traffic as access-lists are not stateful, you have to understand that it is CBAC that allows this to work

Regards

Jon

New Member

Re: ACL works but i dont understand why

Jon thanks for your explanation, you hit the nail on the head, and thank you Joachim and jbrunner for your contributions.

Your help is much appreciated.

Hans

130
Views
9
Helpful
5
Replies
CreatePlease to create content