Access list and ip inspect name

Posted on 2008-10-20
Last Modified: 2012-05-05
I have this scenario from the lab below and I am not sure I can make sense out of it. According to the scenario, outside hosts are allowed to initiate sessions w/ the smtp server ( & http server ( located in the dmz. Why? According to the dmzacl access-list, fe0/2 denies ip any any. Can somebody shed some light? Thank you.

interface fe0/0  (outside facing the Internet)
 ip inspect outside in
 ip access-group outsideacl in

interface fe0/1 (inside private interface)
 ip inspect inside in
 ip access-group insideacl in

interface fe0/2 (interface to the DMZ)
 ip access-group dmxacl in

ip inspect name inside tcp
ip inspect name outside tcp

ip access-list extended outsideacl
 permit tcp any host eq 25
 permit tcp any host eq 80
 deny ip any any log

ip access-list extended insideacl
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log

ip access-list extended dmzacl
 permit icmp any any packet-too-big
 deny ip any any log

Question by:netdoc01

Expert Comment

ID: 22764445
interface fe0/2 (interface to the DMZ)
 ip access-group dmxacl in
You haven't shown a "dmxacl", only a "dmzacl".
If you note the "in", this ACL only applies to traffic coming into the router from the DMZ.

So packets can be freely sent to the DMZ as long as they are allowed in by the ACL and inspection rules on the outside interface.

It's the ACLs on the outside interface that matter for the _inbound_ traffic to initiate a session.

Return traffic would normally be an issue with this set of ACLs.
It should be easy to see how the SYN packets for initiating the session are allowed to the server.

As for the return traffic:
Normally the ACK packets servers in the DMZ will send back would be dropped by this dmzacl ACL (if that's what you bound to fe0/2), as it doesn't allow any IP traffic.

For just the reason you mentioned.

HOWEVER, the "ip inspect" statement on the outside interface changes this.
When the SYN packet is accepted, a session is initiated, and the SID may allow the return traffic.

"ip inspect" by default enables a function called Firewall ACL bypass in certain software versions. The dmzacl may thus be bypassed for the return traffic.

So long as the session ID still exists (the inspection session remains active), the traffic should flow in such configurations.



Author Comment

ID: 22764489
I misspelled it. It is dmzacl and not dmxacl. Sorry.

Author Comment

ID: 22770758
"If you note the "in", this ACL only applies to traffic coming into the router from the DMZ."

I am a bit confused about the inbound traffic. I thought that "in" from the DMZ means the traffic coming in from the Internet (through fe0/0).

Accepted Solution

Mysidia earned 500 total points
ID: 22772636
No, that's not what it means.
To be clear:

interface fe0/2 (interface to the DMZ)
 ip access-group dmzacl in
This statement, when applied to the interface fe0/2, deals with traffic that comes "IN" on the fe0/2 interface,
i.e. traffic a host attached on that interface attempts to send to the router or to a network on another interface.

ip access-group dmzacl out
within fe0/2 is the way you would apply an ACL to traffic the router is asked to send "OUT" the fe0/2 interface.

(The "OUT" direction deals with traffic that comes from other interfaces, including your 'internet facing' interface.)

ACLs applied in the "IN" direction on the fe0/2 interface have only an incidental effect on other interfaces.
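The two answers above make two separate points: the "in"/"out" keyword of `ip access-group` is relative to the router's interface, not to the Internet, and `ip inspect` keeps a session table that lets the DMZ server's reply bypass the `deny ip any any` in dmzacl. The following is an added toy model of that behaviour (illustration only, not code from the thread, the lab, or Cisco); it runs the posted ACLs over three constructed packets, once with dmzacl bound "in" as posted and once bound "out". The server and client addresses (192.0.2.x, 203.0.113.x, 198.51.100.x) and the routing table are assumptions, since the post elides the real IPs; the ICMP lines of the ACLs are omitted because they do not affect TCP.

```python
"""Toy model of the thread's discussion: one inbound ACL per interface, an
optional outbound ACL, and an "ip inspect" (CBAC) session table whose entries
let return traffic bypass the ACL. Added illustration; addresses are assumed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed addresses (the post elides them): the two DMZ servers and a client.
SMTP, HTTP, CLIENT = "192.0.2.25", "192.0.2.80", "203.0.113.7"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Ace:
    """One access-list entry; src is always 'any' here, as in the posted ACLs."""
    action: str         # "permit" or "deny"
    proto: str          # "ip", "tcp" or "icmp"
    dst: str = "any"    # "any" or one host address
    dport: Optional[int] = None   # "eq <port>", None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))

def acl_permits(acl: list[Ace], p: Packet) -> bool:
    """First match wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False

# The three ACLs from the lab (TCP-relevant lines only).
OUTSIDEACL = [Ace("permit", "tcp", SMTP, 25), Ace("permit", "tcp", HTTP, 80), Ace("deny", "ip")]
INSIDEACL = [Ace("permit", "tcp", "any", 80), Ace("deny", "ip")]
DMZACL = [Ace("deny", "ip")]

def egress_of(dst: str) -> str:
    """Toy routing table (assumed): 192.0.2.0/24 is the DMZ, 10/8 inside, else outside."""
    if dst.startswith("192.0.2."):
        return "fe0/2"
    return "fe0/1" if dst.startswith("10.") else "fe0/0"

class Router:
    def __init__(self, acl_in: dict, acl_out: dict, inspect_in: set):
        self.acl_in = acl_in            # iface -> ACL bound with "in"
        self.acl_out = acl_out          # iface -> ACL bound with "out"
        self.inspect_in = inspect_in    # ifaces with "ip inspect <name> in" (tcp)
        self.sessions = set()           # CBAC session table: initiator 5-tuples

    def forward(self, p: Packet, ingress: str) -> str:
        # 1. Firewall ACL bypass: a reply belonging to an inspected session is
        #    accepted before any ACL runs, which rescues the DMZ SYN-ACK.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit (inspect session)"
        # 2. Inbound ACL on the interface the packet arrived on ("in" direction).
        if ingress in self.acl_in and not acl_permits(self.acl_in[ingress], p):
            return f"deny (inbound ACL on {ingress})"
        # 3. Outbound ACL on the interface the packet leaves by ("out" direction).
        egress = egress_of(p.dst)
        if egress in self.acl_out and not acl_permits(self.acl_out[egress], p):
            return f"deny (outbound ACL on {egress})"
        # 4. A permitted TCP SYN entering an inspected interface opens a session.
        if ingress in self.inspect_in and p.proto == "tcp" and p.syn and not p.ack:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "permit"

def lab_router(dmzacl_direction: str = "in") -> Router:
    """The posted lab, with dmzacl bound either "in" (as posted) or "out"."""
    acl_in = {"fe0/0": OUTSIDEACL, "fe0/1": INSIDEACL}
    acl_out = {}
    target = acl_in if dmzacl_direction == "in" else acl_out
    target["fe0/2"] = DMZACL
    return Router(acl_in, acl_out, inspect_in={"fe0/0", "fe0/1"})

def run_scenario(dmzacl_direction: str = "in") -> dict:
    """Push three constructed packets through the router and report each verdict."""
    r = lab_router(dmzacl_direction)
    syn = Packet(CLIENT, SMTP, "tcp", sport=40000, dport=25, syn=True)
    synack = Packet(SMTP, CLIENT, "tcp", sport=25, dport=40000, syn=True, ack=True)
    dmz_new = Packet(SMTP, "198.51.100.9", "tcp", sport=40001, dport=25, syn=True)
    return {
        "outside SYN to SMTP server": r.forward(syn, "fe0/0"),
        "SMTP server SYN-ACK back": r.forward(synack, "fe0/2"),
        "DMZ-initiated SYN to Internet": r.forward(dmz_new, "fe0/2"),
    }

if __name__ == "__main__":
    for direction in ("in", "out"):
        print(f"dmzacl applied {direction} on fe0/2:", run_scenario(direction))
```

With dmzacl bound "in" (the posted lab) the outside SYN is permitted by outsideacl, the SYN-ACK from the DMZ is permitted on the strength of the session entry alone, and a fresh connection the DMZ server tries to open is denied by dmzacl. Rebinding the same ACL "out" on fe0/2 inverts the picture: the outside SYN is now dropped on its way out to the DMZ, while the DMZ-initiated SYN passes because nothing filters what enters fe0/2. On a real router the session entries this model keeps in `sessions` are what `show ip inspect sessions` lists, so that is the command to check when return traffic is unexpectedly blocked or allowed.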

