From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Fri Jun 30 2006 - 19:35:13 ART
You can force it to be reflected by policy routing it and making it
appear as transit traffic to the router:
http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
Either that or you need to statically permit inbound all traffic
destined to the local router that is necessary (routing protocols, icmp
echo-reply, traceroute replies, etc.)
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
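Brian's first suggestion, written out below as an added configuration that is not from the original thread or from any of its authors. It uses Koen's topology (R1 e0/0 to R2 e0/0); the addresses 10.0.12.1/24 and 10.0.12.2/24, the ACL and route-map names, and the OSPF permit line are all assumptions. The reflexive pair on R1's e0/0 is the filtering a defender normally wants there; the local policy route-map is the piece that, as Brian describes, makes R1's own packets take the policy-routed (transit-like) path so the outbound ACL evaluates them and reflexive entries are created for them. Brian L's alternative, permitting only established TCP sessions inbound, is shown as a second inbound ACL.

```cisco
! Added example, not from the thread. Assumed topology and addresses:
!   (R1)e0/0 10.0.12.1/24 ---- 10.0.12.2/24 e0/0(R2)
! R1 configuration.
!
! Outbound: permit and reflect sessions that R1 or hosts behind it open toward R2.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-REFLECT
 permit udp any any reflect UDP-REFLECT
 permit icmp any any reflect ICMP-REFLECT
!
! Inbound: only return traffic of reflected sessions, plus what the router
! itself must receive (assumed here: OSPF with R2). Everything else is dropped.
ip access-list extended INBOUND
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 evaluate ICMP-REFLECT
 permit ospf any any
 deny ip any any log
!
interface Ethernet0/0
 ip address 10.0.12.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
! Local policy routing (Brian's suggestion): packets R1 itself generates toward
! R2 are policy-routed to R2 and handled like transit traffic, so OUTBOUND sees
! them and creates reflexive entries for them. Without this, a telnet from R1
! to R2 is never evaluated by OUTBOUND (the behaviour Koen observed) and, with
! INBOUND applied, its return traffic would be dropped. Destinations beyond R2
! would need their own lines in ACL 100.
access-list 100 permit ip any host 10.0.12.2
!
route-map LOCAL-TO-R2 permit 10
 match ip address 100
 set ip next-hop 10.0.12.2
!
ip local policy route-map LOCAL-TO-R2
!
! Alternative from Brian L's reply, used in place of the evaluate lines:
! permit only segments of already-established TCP sessions inbound.
! "established" matches on the ACK or RST bit, so it is a weaker check than a
! reflexive entry (any segment with ACK set passes) and covers neither UDP nor
! ICMP; the OSPF and deny lines are the same assumptions as above.
ip access-list extended INBOUND-ESTABLISHED
 permit tcp any any established
 permit ospf any any
 deny ip any any log
```

To see the difference, clear the reflexive entries, telnet from R1 to R2 with and without the `ip local policy` line, and compare `show ip access-lists`: with local policy routing the TCP-REFLECT list gains a temporary entry for the session; without it, the OUTBOUND counters do not move for R1's own telnet.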
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> blodwick
> Sent: Friday, June 30, 2006 2:38 PM
> To: 'CCIEin2006'; 'Koen Zeilstra'
> Cc: ccielab@groupstudy.com
> Subject: RE: router bypasses ACL for locally sourced traffic
>
> One additional tidbit I'd like to add to this string that I found
> interesting is on a reflexive acl local traffic is not reflected for
> evaluation, but you can explicitly specify to only permit established
> TCP sessions inbound by using the established keyword at the end of
> your acl statement to provide similar security measures.
>
> Brian L
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> CCIEin2006
> Sent: Friday, June 30, 2006 1:21 PM
> To: Koen Zeilstra
> Cc: ccielab@groupstudy.com
> Subject: Re: router bypasses ACL for locally sourced traffic
>
> Good question. I was also wondering that if the filtering decision is
> made after the routing decision then what difference does it make if
> the packet is locally generated?
>
> On 6/30/06, Koen Zeilstra <koen@koenzeilstra.com> wrote:
> >
> > This is clear. But why is this behaviour?
> >
> > Is it because there is no routing decision made since there is no
> > incoming interface?
> >
> > -----------------------
> > Try to get all of your posthumous medals in advance.
> >
> > On Fri, 30 Jun 2006, Scott Morris wrote:
> >
> > | It has to do with the order of operations....
> > |
> > | Check out:
> > |
> > | http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html
> > |
> > | <snip>
> > | Applying Access Lists to Interfaces
> > |
> > | For some protocols, you can apply up to two access lists to an
> > | interface: one inbound access list and one outbound access list.
> > | With other protocols, you apply only one access list which checks
> > | both inbound and outbound packets.
> > |
> > | If the access list is inbound, when the router receives a packet,
> > | the Cisco IOS software checks the access list's criteria statements
> > | for a match. If the packet is permitted, the software continues to
> > | process the packet. If the packet is denied, the software discards
> > | the packet.
> > |
> > | If the access list is outbound, after receiving and routing a
> > | packet to the outbound interface, the software checks the access
> > | list's criteria statements for a match. If the packet is permitted,
> > | the software transmits the packet. If the packet is denied, the
> > | software discards the packet.
> > |
> > | Note Access lists that are applied to interfaces do not filter
> > | traffic that originates from that router.
> > | </snip>
> > |
> > | HTH,
> > |
> > |
> > | Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > | JNCIE #153, CISSP, et al.
> > | CCSI/JNCI
> > | IPExpert CCIE Program Manager
> > | IPExpert Sr. Technical Instructor
> > | smorris@ipexpert.com
> > | http://www.ipexpert.com
> > |
> > |
> > |
> > | -----Original Message-----
> > | From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > | Behalf Of Koen Zeilstra
> > | Sent: Friday, June 30, 2006 8:40 AM
> > | To: ccielab@groupstudy.com
> > | Subject: router bypasses ACL for locally sourced traffic
> > |
> > | Hi Group,
> > |
> > | Maybe this has been posted before, however I could not find any
> > | reference. Perhaps other wording is used to describe this.
> > |
> > | What is the explanation for a router bypassing ACLs applied in
> > | the outgoing direction for locally sourced traffic?
> > |
> > | For example:
> > |
> > |
> > | (R1)e0/0------------e0/0(R2)
> > |
> > |
> > | R1
> > |
> > | int e0/0
> > | ip access-group ACL out
> > | !
> > |
> > | ip access-list ext ACL
> > | deny tcp any any eq telnet
> > | permit ip any any
> > | !
> > |
> > | Telnetting from R1 to R2 works fine even with the ACL denying
> > | outgoing packets destined for port 23.
> > |
> > | thanks,
> > |
> > | Koen
> > |
> > | -----------------------
> > | You will feel hungry again in another hour.
> > |
> > |
>
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART