RE: router bypasses ACL for locally sourced traffic

From: blodwick (blodwick@columbus.rr.com)
Date: Fri Jun 30 2006 - 16:38:14 ART


One additional tidbit I'd like to add to this string that I found
interesting is that on a reflexive ACL, local traffic is not reflected for
evaluation, but you can explicitly permit only established TCP sessions
inbound by using the established keyword at the end of your ACL statement
to provide similar security measures.

Brian L

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
CCIEin2006
Sent: Friday, June 30, 2006 1:21 PM
To: Koen Zeilstra
Cc: ccielab@groupstudy.com
Subject: Re: router bypasses ACL for locally sourced traffic

Good question. I was also wondering that if the filtering decision is
made after the routing decision then what difference does it make if the
packet is locally generated?

On 6/30/06, Koen Zeilstra <koen@koenzeilstra.com> wrote:
>
> This is clear. But why is this behaviour?
>
> Is it because there is no routing decision made since there is no
> incoming interface?
>
> -----------------------
> Try to get all of your posthumous medals in advance.
>
> On Fri, 30 Jun 2006, Scott Morris wrote:
>
> | It has to do with the order of operations....
> |
> | Check out:
> |
> | http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html
> |
> | <snip>
> | Applying Access Lists to Interfaces
> |
> | For some protocols, you can apply up to two access lists to an interface:
> | one inbound access list and one outbound access list. With other protocols,
> | you apply only one access list which checks both inbound and outbound
> | packets.
> |
> | If the access list is inbound, when the router receives a packet, the Cisco
> | IOS software checks the access list's criteria statements for a match. If
> | the packet is permitted, the software continues to process the packet. If
> | the packet is denied, the software discards the packet.
> |
> | If the access list is outbound, after receiving and routing a packet to the
> | outbound interface, the software checks the access list's criteria
> | statements for a match. If the packet is permitted, the software transmits
> | the packet. If the packet is denied, the software discards the packet.
> |
> | Note Access lists that are applied to interfaces do not filter traffic that
> | originates from that router.
> | </snip>
> |
> | HTH,
> |
> |
> | Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> | JNCIE #153, CISSP, et al.
> | CCSI/JNCI
> | IPExpert CCIE Program Manager
> | IPExpert Sr. Technical Instructor
> | smorris@ipexpert.com
> | http://www.ipexpert.com
> |
> |
> |
> | -----Original Message-----
> | From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> | Koen Zeilstra
> | Sent: Friday, June 30, 2006 8:40 AM
> | To: ccielab@groupstudy.com
> | Subject: router bypasses ACL for locally sourced traffic
> |
> | Hi Group,
> |
> | Maybe this has been posted before, however I could not find any
> | reference. Perhaps other wording is used to describe this.
> |
> | What is the explanation for a router bypassing ACLs applied in the
> | outgoing direction for locally sourced traffic?
> |
> | For example:
> |
> |
> | (R1)e0/0------------e0/0(R2)
> |
> |
> | R1
> |
> | int e0/0
> | ip access-group ACL out
> | !
> |
> | ip access-list ext ACL
> | deny tcp any any eq telnet
> | permit ip any any
> | !
> |
> | Telnetting from R1 to R2 works fine even with the ACL denying outgoing
> | packets destined for port 23.
> |
> | thanks,
> |
> | Koen
> |
> | -----------------------
> | You will feel hungry again in another hour.
> |
> |



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART