From: anthony.sequeira@thomson.com
Date: Fri Jun 30 2006 - 09:58:33 ART
This is from the 12.2 documentation on how an outbound Access List
functions (I provided the link below)....
"If the access list is outbound, after receiving and routing a packet to
the outbound interface, the software checks the access list's criteria
statements for a match. If the packet is permitted, the software
transmits the packet. If the packet is denied, the software discards the
packet."
Please note that the packet must be received by the router and routed to
the outbound interface. Note this never happens with locally originated
traffic.
The simplest way to control Telnet access with an access list is to use
the access-class command in line configuration mode.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm
Anthony J Sequeira
CCIE #15626
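The configurations below are an added example to illustrate the point made in the reply above; they are not from the original post or from the Cisco documentation. The addresses (10.0.0.0/24 between R1 and R2, 192.168.100.0/24 as a management subnet) are made up. R1 carries the poster's outbound ACL, which filters only traffic R1 forwards out e0/0. R2 shows the two places where R1's own telnet to R2 actually is subject to a filter: an inbound ACL on the receiving interface (inbound checks happen on arrival, before the router decides whether to forward the packet or hand it to a local process), and access-class on the vty lines, the method the 12.2 documentation recommends.

```cisco
! R1: the ACL from the original post, applied outbound on e0/0.
! It filters packets that R1 receives on another interface and
! forwards out e0/0. Telnet sessions R1 originates itself never
! pass through this check, so "telnet 10.0.0.2" from R1 succeeds.
hostname R1
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group ACL out
!
ip access-list extended ACL
 deny   tcp any any eq telnet
 permit ip any any
!
!
! R2: two ways to stop the telnet from R1 (shown together; either
! one on its own is sufficient).
!
! (1) Inbound ACL on the interface R2 receives the packets on.
!     Inbound filtering is applied as the packet arrives, whether it
!     is transit traffic or destined to R2 itself, so this denies the
!     telnet that R1's outbound ACL let through. Be aware that an
!     interface ACL also sees transit traffic, hence the narrow match
!     on R2's own address rather than "any any eq telnet".
!
! (2) access-class on the vty lines (standard ACL). It only sees
!     connection attempts to the vtys, so it cannot accidentally
!     drop transit traffic, and it applies on every interface at once.
hostname R2
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip access-group BLOCK-TELNET-TO-R2 in
!
ip access-list extended BLOCK-TELNET-TO-R2
 deny   tcp any host 10.0.0.2 eq telnet
 permit ip any any
!
! Only the (made-up) management subnet may open vty sessions;
! the implicit deny at the end of ACL 10 rejects everyone else,
! including R1 at 10.0.0.1.
access-list 10 permit 192.168.100.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input telnet
```

If the goal is instead to limit where R1's own operators can telnet to, that is also a line-level control: access-class with the out keyword on R1's vty lines restricts the destinations of connections started from those vtys (the standard ACL's address field is matched against the destination). It does not cover sessions started from the console, and it is not something an interface ACL can do for locally originated traffic.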
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Koen Zeilstra
Sent: Friday, June 30, 2006 8:40 AM
To: ccielab@groupstudy.com
Subject: router bypasses ACL for locally sourced traffic
Hi Group,
Maybe this has been posted before, however I could not find any
reference.
Perhaps other wording is used to describe this.
What is the explanation for a router bypassing ACLs applied in the
outgoing direction for locally sourced traffic?
For example:
(R1)e0/0------------e0/0(R2)
R1
int e0/0
ip access-group ACL out
!
ip access-list ext ACL
deny tcp any any eq telnet
permit ip any any
!
Telnetting from R1 to R2 works fine even with the ACL denying outgoing
packets destined for port 23.
thanks,
Koen
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART