Solved

Access list and ip inspect name

Posted on 2008-10-20
1,053 Views
Last Modified: 2012-05-05
I have this scenario from the lab below and I am not sure I can make sense out of it. According to the scenario, outside hosts are allowed to initiate sessions w/ the smtp server (100.1.2.1) & http server (100.1.2.2) located in the dmz. Why? According to the dmzacl access-list, fe0/2 denies ip any any. Can somebody shed some light? Thank you.

interface fe0/0  (outside facing the Internet)
 ip inspect outside in
 ip access-group outsideacl in

interface fe0/1 (inside private interface)
 ip inspect inside in
 ip access-group insideacl in

interface fe0/2 (interface to the DMZ)
 ip access-group dmxacl in

ip inspect name inside tcp
ip inspect name outside tcp

ip access-list extended outsideacl
 permit tcp any host 100.1.2.1 eq 25
 permit tcp any host 100.1.2.2 eq 80
 deny ip any any log

ip access-list extended insideacl
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log

ip access-list extended dmzacl
 permit icmp any any packet-too-big
 deny ip any any log

Question by: netdoc01

Expert Comment

by: Mysidia
ID: 22764445
interface fe0/2 (interface to the DMZ)
 ip access-group dmxacl in
                 ^^^^^^
You haven't shown a "dmxacl", only a "dmzacl".
If you note the "in", this ACL only applies to traffic coming into the router from the DMZ.

So packets can be freely sent to the DMZ as long as they are allowed in by the ACL and inspection rules on the outside interface.

It's the ACLs on the outside interface that matter for the _inbound_ traffic to initiate a session.

Return traffic would normally be an issue with this set of ACLs.
It should be easy to see how the SYN packet for initiating the session is allowed to the server.

As for the return traffic:
Normally the ACK packets the servers in the DMZ send back would be dropped by this dmzacl ACL (if that's what you bound to fe0/2), as it doesn't allow any IP traffic.

For just the reason you mentioned.

HOWEVER, the "ip inspect" statement on the outside interface changes this.
When the SYN packet is accepted, a session is initiated, and the SID may allow the return traffic.

"ip inspect" by default enables a function called Firewall ACL bypass in certain software versions. The dmzacl may thus be bypassed for the return traffic.

So long as the session ID still exists (the inspection session remains active), the traffic should flow in such configurations.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_aclby.html


Author Comment

by: netdoc01
ID: 22764489
I misspelled it. It is dmzacl and not dmxacl. Sorry.

Author Comment

by: netdoc01
ID: 22770758
"If you note the "in", this ACL only applies to traffic coming into the router from the DMZ."

I am a bit confused about the inbound traffic. I thought that "in" from the DMZ means the traffic coming in from the Internet (through fe0/0).

Accepted Solution

by: Mysidia (earned 500 total points)
ID: 22772636
No, that's not what it means.
To be clear:

interface fe0/2 (interface to the DMZ)
 ip access-group dmzacl in
                 ^^^^^^^^^
This statement, when applied to the interface fe0/2, deals with traffic that comes "IN" on the fe0/2 interface.

i.e. traffic a host attached on that interface attempts to send to the router or to a network on another interface.

 ip access-group dmzacl out
                 ^^^^^^^^^^
within fe0/2 is the way you would apply an ACL to traffic the router is asked to send "OUT" the fe0/2 interface.

(The "OUT" direction deals with traffic that comes from other interfaces, including your 'internet facing' interface.)

ACLs applied in the "IN" direction on the fe0/2 interface have only an incidental effect on other interfaces.

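To make the direction and inspection behaviour concrete, here is a small Python model added to this thread (not Cisco code and not from either poster) that walks the lab's own ACLs through the exchange the two Mysidia comments describe: a SYN from an outside host to the SMTP server arriving "in" on fe0/0, its SYN/ACK returning "in" on fe0/2, an unsolicited connection from the Internet that outsideacl rejects, and a DMZ host trying to open its own connection outward. The outside address 203.0.113.7 and all port numbers are constructed; the session table and the "return traffic bypasses the inbound ACL" rule are a deliberate simplification of IOS CBAC and Firewall ACL Bypass (TCP only, no timeouts, no half-open limits).

```python
"""Toy model of IOS interface ACL direction plus 'ip inspect' (CBAC) session state.

Added example for this thread, not Cisco code. Assumptions, labelled:
  * an ACL bound 'in' is evaluated on packets ARRIVING on that interface;
  * a permitted TCP SYN arriving on an interface with 'ip inspect ... in'
    creates a session entry;
  * return traffic matching an existing session bypasses the inbound ACL of
    the interface it arrives on (the Firewall ACL Bypass behaviour Mysidia
    links), which is why dmzacl does not block the SYN/ACK.
Timeouts, half-open limits, UDP/ICMP inspection and logging are left out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "icmp" or "udp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


# ACL entries as (action, proto, src, dst, dport); None means no port match.
# Transcribed from the question (the 'dmxacl' typo read as dmzacl).
ACLS = {
    "outsideacl": [("permit", "tcp", "any", "100.1.2.1", 25),
                   ("permit", "tcp", "any", "100.1.2.2", 80),
                   ("deny", "ip", "any", "any", None)],
    "insideacl":  [("permit", "tcp", "any", "any", 80),
                   ("permit", "icmp", "any", "any", None),
                   ("deny", "ip", "any", "any", None)],
    "dmzacl":     [("permit", "icmp", "any", "any", None),
                   ("deny", "ip", "any", "any", None)],
}

# Per-interface binding: the ACL applied 'in' and whether 'ip inspect ... in' is set.
INTERFACES = {
    "fe0/0": {"acl_in": "outsideacl", "inspect_in": True},   # Internet
    "fe0/1": {"acl_in": "insideacl",  "inspect_in": True},   # inside
    "fe0/2": {"acl_in": "dmzacl",     "inspect_in": False},  # DMZ
}


def acl_permits(acl_name: str, pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for action, proto, src, dst, dport in ACLS[acl_name]:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


class Router:
    def __init__(self) -> None:
        self.sessions: set = set()   # (src, sport, dst, dport) of permitted, inspected SYNs
        self.log: list = []

    def forward(self, ingress: str, pkt: Packet) -> bool:
        """Decide whether a packet arriving on `ingress` is forwarded."""
        cfg = INTERFACES[ingress]
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        desc = f"{ingress} in: {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}"

        # Return traffic of an inspected session: the inbound ACL is bypassed.
        if pkt.proto == "tcp" and reverse in self.sessions:
            self.log.append(f"{desc} matches inspect session, {cfg['acl_in']} bypassed")
            return True

        # Otherwise the ACL bound 'in' on the ARRIVAL interface decides.
        if not acl_permits(cfg["acl_in"], pkt):
            self.log.append(f"{desc} denied by {cfg['acl_in']}")
            return False

        # A permitted SYN on an inspected interface opens a session entry.
        if cfg["inspect_in"] and pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            self.sessions.add(flow)
        self.log.append(f"{desc} permitted by {cfg['acl_in']}")
        return True


def demo() -> dict:
    """Replay the exchange discussed in the thread; 203.0.113.7 is a constructed outside host."""
    r = Router()
    syn = Packet("203.0.113.7", "100.1.2.1", "tcp", sport=40000, dport=25, syn=True)
    syn_ack = Packet("100.1.2.1", "203.0.113.7", "tcp", sport=25, dport=40000, syn=True, ack=True)
    unsolicited = Packet("203.0.113.7", "100.1.2.2", "tcp", sport=40001, dport=443, syn=True)
    dmz_initiated = Packet("100.1.2.1", "203.0.113.7", "tcp", sport=5000, dport=25, syn=True)
    return {
        "syn_from_internet": r.forward("fe0/0", syn),                  # permitted by outsideacl
        "return_from_dmz": r.forward("fe0/2", syn_ack),                # dmzacl bypassed
        "unsolicited_from_internet": r.forward("fe0/0", unsolicited),  # denied by outsideacl
        "dmz_initiated": r.forward("fe0/2", dmz_initiated),            # denied by dmzacl
        "log": r.log,
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The model shows the two points of the accepted answer together: dmzacl is consulted only for packets entering fe0/2, so it never sees the SYN from the Internet, and the SYN/ACK it would otherwise drop is let through only because the outside interface's inspection created a session first. It also shows the defensive consequence the original poster was worried about in reverse: a DMZ host cannot open a new connection of its own, since without a matching session the dmzacl "deny ip any any" applies.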