Application of ACLs on interfaces

Posted on 2007-08-02
Last Modified: 2010-04-17
When using Cisco IOS 12.3 with extended ACLs and applying the ACLs to an interface:
interface Ethernet0/0
 remark INSIDE
 ip access-group eACL1 in
 
interface Ethernet0/1
 remark OUTSIDE
 ip access-group eACL2 in

How do I know which switch to use, 'in' or 'out'?

On the Inside interface would I want to apply the eACL to the inside of the E0/0 interface thereby checking all traffic leaving my internal network as it crosses the threshold of interface Ethernet0/0?

interface Ethernet0/0
 remark INSIDE
 ip access-group eACL1 in

Or would I check it as it leaves the interface Ethernet0/0 on its way to interface Ethernet0/1?

interface Ethernet0/0
 remark INSIDE
 ip access-group eACL1 out  


Likewise for the interface Ethernet0/1:

Traffic trying to get in the outside interface Ethernet0/1:

interface Ethernet0/1
 remark OUTSIDE
 ip access-group eACL2 in

Is the placement of the eACLs dependent on whether or not one is running the CIOS Firewall?

Thank you,

Mike
Question by:keatscon

Accepted Solution

by:
Jan Springer earned 375 total points
ID: 19620980
An ACL 'in' on an interface means traffic arriving from outside the box coming in.

An ACL 'out' on an interface means that traffic is leaving the box out that interface.

If you picture yourself as being inside the box, the 'in' and the 'out' are easier to understand.  They are 'in' and 'out' to you (the router).  It's no different than being inside a house and someone comes in or out the front door.  It's relative to where you are located.

Using the Cisco Firewall feature - ACLs behavior relative to the inspection and creation of the access-list is a bit different.

Author Comment

by:keatscon
ID: 19621083
I am using the CIOS Firewall.

There are two interfaces:
Ethernet0/0 = Inside company (LAN)  
Ethernet0/1 = Outside company (Internet)

And each interface has two 'locations' where the ACLs can be applied:
in = on the inside of the interface (inside the box)
out = on the outside of the interface (outside the box)

So if I wanted the ACL to inspect traffic crossing the threshold of Ethernet0/1, the traffic originating on the Internet:

interface Ethernet0/1
 remark Outside (Internet)
 ip access-group eACL2 out
 ip inspect ETHERNETIN in  

Conversely, if I wanted the ACL to inspect traffic leaving my LAN:

interface Ethernet0/0
 remark INSIDE LAN
 ip access-group eACL1 out

Do I have it right?

Expert Comment

by:Jan Springer
ID: 19621340
For clarification:

'in' means packets arriving into the router.
'out' means packets leaving or exiting the router.

With CBAC, an ACL applied to incoming packets on an interface will be modified on the fly to allow return packets back through.

So:

interface Ethernet0/1
 ip address 192.168.1.1
 ip inspect <inspect rule name> out
 ip access-group 101 in

interface Ethernet0/0
 ip address 10.0.0.1
 ip inspect <inspect rule name> in
 ip access-group 102 out

access-list 101 permit tcp host 172.16.0.1 host 192.168.1.1 eq ssh

You inspect traffic arriving and leaving the firewall.
You only permit inbound SSH connections to your firewall from 172.16.0.1.
All other traffic *except* what is being returned is denied.
Traffic blocked by an access list is not inspected.
Author Comment

by:keatscon
ID: 19621476
Jesper,

  I am a little confused. On interface Ethernet0/1, would I not have:

  ip inspect <inspect rule name> in  
  ip access-group 101 out

  The goal being to run the ACL against the incoming traffic and then inspecting any traffic with the ip inspect?



Expert Comment

by:Jan Springer
ID: 19621815
Inspecting packets leaving the external interface causes CBAC to build temporary ACL entries on the external interface's inbound ACL.

This is the way that I do it and if it makes you feel better, I did confirm that with my Cisco Router Firewall Security book.
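A worked model of the two points Jan makes in this thread: ACL direction ('in' / 'out') is relative to the router itself, and with CBAC, inspecting a flow that leaves the external interface creates a temporary entry in that interface's inbound ACL so the return traffic gets through. This is an added Python simulation written for this page; it is not IOS code and not from the thread. The host addresses and ports are constructed, and ACL 102, which the thread never shows, is assumed here to permit everything.

```python
# Added simulation of IOS ACL direction and CBAC return entries.
# Not IOS code. Addresses, ports and the contents of ACL 102 are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        """The return direction of this flow (src/dst and ports swapped)."""
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass
class Ace:
    """One access-list entry. 'any' matches every address; dport=None matches any port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: str
    dst: str
    dport: Optional[int] = None
    temporary: bool = False  # True for entries CBAC created on the fly

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and self.dport in (None, f.dport))


@dataclass
class Acl:
    name: str
    entries: List[Ace] = field(default_factory=list)

    def permits(self, f: Flow) -> bool:
        for ace in self.entries:      # first matching entry wins, as in IOS
            if ace.matches(f):
                return ace.action == "permit"
        return False                  # implicit deny at the end of every ACL


@dataclass
class Interface:
    name: str
    acl_in: Optional[Acl] = None     # 'ip access-group X in'
    acl_out: Optional[Acl] = None    # 'ip access-group X out'
    inspect_in: bool = False         # 'ip inspect RULE in'
    inspect_out: bool = False        # 'ip inspect RULE out'


class Router:
    def __init__(self, *ifaces: Interface):
        self.ifaces = {i.name: i for i in ifaces}

    def forward(self, f: Flow, ingress: str, egress: str) -> Tuple[bool, List[str]]:
        """Transit one packet. Returns (forwarded, list of checks applied).
        'in' is evaluated as the packet arrives into the router on `ingress`;
        'out' as it leaves the router on `egress`. If the flow is inspected,
        a temporary reverse entry is added to the egress interface's inbound ACL."""
        ing, eg = self.ifaces[ingress], self.ifaces[egress]
        checks: List[str] = []
        if ing.acl_in:
            checks.append(f"{ingress} in {ing.acl_in.name}")
            if not ing.acl_in.permits(f):
                return False, checks       # blocked traffic is never inspected
        if eg.acl_out:
            checks.append(f"{egress} out {eg.acl_out.name}")
            if not eg.acl_out.permits(f):
                return False, checks
        if (ing.inspect_in or eg.inspect_out) and eg.acl_in is not None:
            r = f.reverse()
            eg.acl_in.entries.insert(
                0, Ace("permit", r.proto, r.src, r.dst, r.dport, temporary=True))
            checks.append(f"inspect: temporary entry added to {eg.acl_in.name}")
        return True, checks


def build_router(inspect: bool = True) -> Router:
    """Mirrors the thread's config: 101 permits only SSH from 172.16.0.1 to the
    router's outside address; 102 (assumed, not shown in the thread) permits all."""
    acl101 = Acl("101", [Ace("permit", "tcp", "172.16.0.1", "192.168.1.1", 22)])
    acl102 = Acl("102", [Ace("permit", "ip", "any", "any")])
    return Router(
        Interface("Ethernet0/1", acl_in=acl101, inspect_out=inspect),   # outside
        Interface("Ethernet0/0", acl_out=acl102, inspect_in=inspect),   # inside
    )


def demo(inspect: bool = True) -> dict:
    """LAN host opens an HTTPS session to the Internet; then the reply comes back;
    then an unrelated Internet host tries to reach the LAN unsolicited."""
    r = build_router(inspect)
    out = Flow("tcp", "10.0.0.5", "203.0.113.10", 40000, 443)          # constructed
    cold = Flow("tcp", "198.51.100.7", "10.0.0.5", 5555, 445)          # constructed
    return {
        "outbound": r.forward(out, "Ethernet0/0", "Ethernet0/1"),
        "reply": r.forward(out.reverse(), "Ethernet0/1", "Ethernet0/0"),
        "unsolicited": r.forward(cold, "Ethernet0/1", "Ethernet0/0"),
    }
```

Running `demo()` shows the outbound session is checked only against Ethernet0/0's 'in' ACL and Ethernet0/1's 'out' ACL (neither is configured, so it passes), inspection adds a temporary entry to ACL 101, and the reply is then permitted by that entry while the unsolicited connection still hits 101's implicit deny. `demo(inspect=False)` shows the same reply being dropped by 101 when nothing inspects the flow.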