
it
New Member

Newbie: Outbound ACL is not enforced

Hi, I have a Cisco 828 G.SHDSL router. This is not in production. At the moment I am trying to implement an outbound ACL on interface Ethernet 0. I have successfully applied an inbound access-list which I can see works correctly (also confirmed via syslog server). I want to implement an outbound ACL on the interface. Here is the relevant config.

interface Ethernet0
 description Connect to Internal LAN
 ip address 1.1.1.1 255.255.255.0
 ip access-group 101 out
!
access-list 101 deny ip any any log

However I can still reach anything and everything, i.e. ping, telnet, etc. Nothing shows up on the syslog server.

Please help...

Thank you

3 REPLIES

Re: Newbie: Outbound ACL is not enforced

Hi

You have applied it in the wrong direction. Try applying it as an inbound list, as your traffic is inbound to your Ethernet interface.

ip access-group 101 in

Thanks

Mahmood

Hall of Fame Super Silver

Re: Newbie: Outbound ACL is not enforced

Mahmood

The original post says that he has implemented an inbound access list and it worked properly. He is now trying to do an outbound access list which is not doing what he expected. Telling him to apply it inbound is not a solution to his problem.

What he is experiencing is a fundamental (but frequently not so well understood) behavior of access lists: an outbound access list on an interface will not filter packets that originated in the router itself. The outbound access list will filter packets that come from outside the router and are forwarded out the interface (transit traffic through the router). But the outbound access list will not filter things (pings, telnets, etc.) that are done directly on the router.

So if you want to test the outbound access list the original poster will need to connect a PC (or some kind of end station) to another interface on the router and generate traffic that the router will forward out this interface. Then he will see the access list blocking packets.

HTH

Rick
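To make the behavior Rick describes concrete, here is an added example (not from this thread and not Cisco code): a small Python model of an IOS numbered extended ACL and of the egress path that consults it. It parses the `access-list N permit|deny PROTO SRC DST [eq PORT] [log]` syntax used in the original post, matches addresses with IOS-style wildcard masks, applies first-match with the implicit deny at the end, and, as the point of the thread, skips the outbound ACL entirely for packets the router itself originates. The packet fields, the `originated_here` flag, the log line format and the sample addresses (192.168.1.0/24 as the "other interface" LAN) are constructed assumptions for illustration; only the destination-port form of `eq` is modelled.

```python
"""Model of IOS outbound ACL evaluation: transit packets are filtered,
router-originated packets are not. Added illustration, not vendor code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "ip", "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry (numbered extended syntax, subset)."""
    action: str                # "permit" or "deny"
    proto: str
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]
    log: bool


def _ip(text: str) -> int:
    return int(IPv4Address(text))


def _parse_addr(tokens: List[str]):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse config lines into ACEs, keeping first-match order; '!' and other lines are ignored."""
    aces = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        _, _number, action, proto = tokens[:4]
        rest = tokens[4:]
        src_net, src_wild = _parse_addr(rest)
        dst_net, dst_wild = _parse_addr(rest)
        dport, log = None, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                dport = int(rest.pop(0))      # destination port only (assumption)
            elif tok == "log":
                log = True
        aces.append(Ace(action, proto, src_net, src_wild, dst_net, dst_wild, dport, log))
    return aces


def _match_addr(addr: int, net: int, wild: int) -> bool:
    # IOS wildcard: a 1 bit means "don't care", the inverse of a subnet mask.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], pkt: Packet, log_sink: Optional[list] = None) -> str:
    """First matching ACE decides; no match falls through to the implicit (unlogged) deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _match_addr(_ip(pkt.src), ace.src_net, ace.src_wild):
            continue
        if not _match_addr(_ip(pkt.dst), ace.dst_net, ace.dst_wild):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.log and log_sink is not None:
            # constructed log line; real IOS emits a %SEC-6-IPACCESSLOG* message
            log_sink.append(f"{ace.action} {pkt.proto} {pkt.src} -> {pkt.dst}")
        return ace.action
    return "deny"


def send_out_interface(acl: List[Ace], pkt: Packet, originated_here: bool,
                       log_sink: Optional[list] = None) -> str:
    """Egress path: the outbound access-group is consulted only for transit (forwarded) packets."""
    if originated_here:
        return "sent"              # ping/telnet run on the router bypass the outbound ACL
    verdict = evaluate(acl, pkt, log_sink)
    return "sent" if verdict == "permit" else "dropped"


if __name__ == "__main__":
    acl = parse_acl(["!", "access-list 101 deny ip any any log"])
    log: list = []
    # ping typed on the router itself: passes, nothing logged (the original poster's symptom)
    print(send_out_interface(acl, Packet("1.1.1.1", "1.1.1.50", "icmp"), True, log), log)
    # same ping from a PC on another interface, forwarded out Ethernet0: dropped and logged
    print(send_out_interface(acl, Packet("192.168.1.10", "1.1.1.50", "icmp"), False, log), log)
```

On a real router the equivalent check is to generate the traffic from a host behind another interface, as Rick says, then look at the per-entry match counters in `show ip access-lists 101` and at the syslog output produced by the `log` keyword; counters that stay at zero while traffic flows are the sign that the packets never traversed the access-group.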

Re: Newbie: Outbound ACL is not enforced

Hi Rick

Thanks for your clarification. I agree with you. I think I had not properly understood the question.

Thanks

Mahmood
