Solved

Access list and ip inspect name

Posted on 2008-10-20
Last Modified: 2012-05-05
I have this scenario from the lab below and I am not sure I can make sense out of it. According to the scenario, outside hosts are allowed to initiate sessions w/ the smtp server (100.1.2.1) & http server (100.1.2.2) located in the dmz. Why? According to the dmzacl access-list, fe0/2 denies ip any any. Can somebody shed some light? Thank you.

interface fe0/0  (outside facing the Internet)
 ip inspect outside in
 ip access-group outsideacl in

interface fe0/1 (inside private interface)
 ip inspect inside in
 ip access-group insideacl in

interface fe0/2 (interface to the DMZ)
 ip access-group dmxacl in

ip inspect name inside tcp
ip inspect name outside tcp

ip access-list extended outsideacl
 permit tcp any host 100.1.2.1 eq 25
 permit tcp any host 100.1.2.2 eq 80
 deny ip any any log

ip access-list extended insideacl
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log

ip access-list extended dmzacl
 permit icmp any any paclet-too-long
 deny ip any any log

Question by:netdoc01
Expert Comment

by:Mysidia
ID: 22764445
interface fe0/2 (interface to the DMZ)
ip access-group dmxacl in
^^^^^^^^^^^^^^^^^^^
You haven't shown a "dmxacl", only a "dmzacl".
If you note the "in", this ACL only applies to traffic coming into
the router from the DMZ.

So packets can be freely sent to the DMZ as long as they are allowed in by the ACL and inspection rules on the outside interface.

It's the ACLs on the outside interface that matter for the _inbound_ traffic to initiate a session.

Return traffic would normally be an issue with this set of ACLs.
It should be easy to see how the SYN packet for initiating the session is allowed
to the server.

As for the return traffic:
Normally the ACK packet that servers in the DMZ send back would be dropped by this dmzacl ACL (if that's what you bound to fe0/2), as it doesn't allow any IP traffic.

For just the reason you mentioned.

HOWEVER, the "ip inspect" statement on the outside interface changes this.
When the SYN packet is accepted, a session is initiated, and the SID may
allow the return traffic.


"ip inspect" by default enables a function called Firewall ACL bypass in certain software versions. The dmzacl may thus be bypassed for the return traffic.


So long as the session ID still exists (the inspection session remains active), the traffic should flow in such configurations.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_aclby.html


Author Comment

by:netdoc01
ID: 22764489
I misspelled it. It is dmzacl and not dmxacl. Sorry.

Author Comment

by:netdoc01
ID: 22770758
"If you note the "in", this ACL only applies to traffic coming into
the router from the DMZ."

I am a bit confused about the inbound traffic. I thought that "in" from the DMZ means the traffic coming in from the Internet (through fe0/0).

Accepted Solution

by: Mysidia (earned 500 total points)
ID: 22772636
No, that's not what it means.
To be clear:

interface fe0/2 (interface to the DMZ)
 ip access-group dmzacl in
 ^^^^^^^^^^^^^^^^^
This statement, when applied to the interface fe0/2,
deals with traffic that comes "IN" on the fe0/2 interface,

i.e. traffic a host attached on that interface attempts to send to the router
or to a network on another interface.


ip access-group dmzacl out
^^^^^^^^^^^^^^^^^^
within fe0/2 is the way you would apply an ACL to traffic
the router is asked to send "OUT" the fe0/2 interface.

(The "OUT" direction deals with traffic that comes from other interfaces,
including your 'internet facing' interface.)

ACLs applied in the "IN" direction on the fe0/2 interface
have only an incidental effect on other interfaces.

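As an added illustration of the accepted answer (example code written for this page, not from the original thread or from Cisco): a small Python model of an inbound ("in") ACL together with an inspection session table, run against the lab's outsideacl and dmzacl. The addresses and ports are constructed, only fe0/0 and fe0/2 are modelled, and the ICMP type in dmzacl is ignored.

```python
# Added example, not from the original post: a toy model of how an inbound
# ("in") ACL on an interface interacts with a CBAC (ip inspect) session
# table. ACL contents mirror the lab; addresses and ports are constructed.
from collections import namedtuple

# syn is True only for the first packet of a TCP session.
Pkt = namedtuple("Pkt", "proto src dst sport dport syn")
# Entries are (action, proto, src, dst, dport); "any" and 0 are wildcards.
OUTSIDEACL = [("permit", "tcp", "any", "100.1.2.1", 25),
              ("permit", "tcp", "any", "100.1.2.2", 80),
              ("deny", "ip", "any", "any", 0)]
DMZACL = [("permit", "icmp", "any", "any", 0),  # lab's icmp entry, type ignored
          ("deny", "ip", "any", "any", 0)]

def acl_permits(acl, p):
    """First matching entry wins; a packet matching nothing is denied."""
    for action, proto, src, dst, dport in acl:
        if (proto in ("ip", p.proto) and src in ("any", p.src)
                and dst in ("any", p.dst) and dport in (0, p.dport)):
            return action == "permit"
    return False

class Router:
    """Models fe0/0 (outside, 'ip inspect outside in') and fe0/2 (DMZ)."""
    def __init__(self):
        self.acl_in = {"fe0/0": OUTSIDEACL, "fe0/2": DMZACL}
        self.inspect_in = {"fe0/0"}
        self.sessions = set()   # 5-tuples recorded by inspection

    def receive(self, iface, p):
        """Evaluate a packet arriving IN on iface and return the verdict."""
        reverse = (p.proto, p.dst, p.src, p.dport, p.sport)
        # Return traffic of an inspected session is let through even though
        # the inbound ACL on this interface would deny it (ACL bypass).
        if reverse in self.sessions:
            return "permit: return traffic of inspected session"
        if not acl_permits(self.acl_in[iface], p):
            return "deny: ACL on %s in" % iface
        if iface in self.inspect_in and p.proto == "tcp" and p.syn:
            self.sessions.add((p.proto, p.src, p.dst, p.sport, p.dport))
        return "permit: ACL on %s in" % iface

def scenario():
    """SYN in on fe0/0, its SYN-ACK back in on fe0/2, then an unsolicited DMZ SYN."""
    r = Router()
    syn = Pkt("tcp", "203.0.113.5", "100.1.2.1", 40000, 25, True)
    syn_ack = Pkt("tcp", "100.1.2.1", "203.0.113.5", 25, 40000, False)
    fresh = Pkt("tcp", "100.1.2.1", "198.51.100.9", 50000, 80, True)
    return [r.receive("fe0/0", syn), r.receive("fe0/2", syn_ack),
            r.receive("fe0/2", fresh)]
```

The third verdict is the point of the thread: dmzacl "in" only bites traffic the DMZ host originates, while the SYN-ACK of a session the outside interface inspected passes despite the deny.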
