Access list and ip inspect name

Posted on 2008-10-20
Medium Priority
Last Modified: 2012-05-05
I have this scenario from the lab below and I am not sure I can make sense out of it. According to the scenario, outside hosts are allowed to initiate sessions w/ the smtp server ( & http server ( located in the dmz. Why? According to the dmzacl access-list, fe0/2 denies ip any any. Can somebody shed some light? Thank you.

interface fe0/0  (outside facing the Internet)
 ip inspect outside in
 ip access-group outsideacl in

interface fe0/1 (inside private interface)
 ip inspect inside in
 ip access-group insideacl in

interface fe0/2 (interface to the DMZ)
 ip access-group dmxacl in

ip inspect name inside tcp
ip inspect name outside tcp

ip access-list extended outsideacl
 permit tcp any host eq 25
 permit tcp any host eq 80
 deny ip any any log

ip access-list extended insideacl
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log

ip access-list extended dmzacl
 permit icmp any any paclet-too-long
 deny ip any any log

Question by:netdoc01

Expert Comment

ID: 22764445
interface fe0/2 (interface to the DMZ)
ip access-group dmxacl in
You haven't shown a "dmxacl", only a "dmzacl".
If you note the "in", this ACL only applies to traffic coming into the router from the DMZ.

So packets can be freely sent to the DMZ as long as they are allowed in by the ACL and inspection rules on the outside interface.

It's the ACLs on the outside interface that matter for the _inbound_ traffic to initiate a session.

Return traffic would normally be an issue with this set of ACLs.
It should be easy to see how the SYN packets for initiating the session are allowed to the server.

As for the return traffic:
Normally the ACK packets servers in the DMZ will send back... would be dropped by this dmzacl ACL (if that's what you bound to fe0/2; as it doesn't allow any IP traffic).

For just the reason you mentioned.

HOWEVER, the "ip inspect" statement on the outside interface changes this.
When the SYN packet is accepted, a session is initiated, and the SID may allow the return traffic.

"ip inspect" by default enables a function called Firewall ACL bypass in certain software versions. The dmzacl may thus be bypassed for the return traffic.

So long as the session ID still exists (the inspection session remains active), the traffic should flow in such configurations.



Author Comment

ID: 22764489
I misspelled it. It is dmzacl and not dmxacl. Sorry.

Author Comment

ID: 22770758
"If you note the "in",  this  ACL only applies to traffic coming into
the router  from the DMZ."

I am a bit confused about the inbound traffic. I thought that "in" from the DMZ means the traffic coming in from the Internet (through fe0/0).

Accepted Solution

Mysidia earned 2000 total points
ID: 22772636
No, that's not what it means.
To be clear:

interface fe0/2 (interface to the DMZ)
 ip access-group dmzacl in
This statement, when applied to the interface fe0/2, deals with traffic that comes "IN" on the fe0/2 interface.

i.e. traffic a host attached on that interface attempts to send to the router or to a network on another interface.

ip access-group dmzacl out
Within fe0/2 is the way you would apply an ACL to traffic the router is asked to send "OUT" the fe0/2 interface.

(The "OUT" direction deals with traffic that comes from other interfaces, including your 'internet facing' interface.)

ACLs applied in the "IN" direction on the fe0/2 interface have only an incidental effect on other interfaces.
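To make the two answers concrete, here is an added toy model (not from the thread or from Cisco) of the router in the question: each interface checks only packets arriving inbound on it against its "in" ACL, and a CBAC-style session table created by "ip inspect" lets return traffic of an accepted session bypass the DMZ-side ACL. The host addresses in the ACLs are elided on the page, so destinations are matched as "any", and the sample addresses are constructed; both are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

# ACL entries as (protocol, destination port or None, action). Destination
# 'host' is elided on the page, so it is treated as 'any' (assumption).
ACLS = {
    "outsideacl": [("tcp", 25, "permit"), ("tcp", 80, "permit"), ("ip", None, "deny")],
    "insideacl":  [("tcp", 80, "permit"), ("icmp", None, "permit"), ("ip", None, "deny")],
    "dmzacl":     [("icmp", None, "permit"), ("ip", None, "deny")],
}
# Inbound bindings per interface: (ip access-group X in, ip inspect Y in)
IFACES = {
    "fe0/0": ("outsideacl", "outside"),  # facing the Internet
    "fe0/1": ("insideacl", "inside"),    # private side
    "fe0/2": ("dmzacl", None),           # DMZ: ACL only, no inspection
}

def acl_permits(name, pkt):
    # First matching entry decides; anything unmatched is denied.
    for proto, port, action in ACLS[name]:
        if proto in ("ip", pkt.proto) and (port is None or port == pkt.dport):
            return action == "permit"
    return False

class Router:
    def __init__(self):
        self.sessions = set()  # 5-tuples of inspected, permitted initiators

    def receive(self, iface, pkt):
        acl, inspect = IFACES[iface]
        # Return traffic of a live inspected session bypasses the inbound ACL
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit (inspect session)"
        if not acl_permits(acl, pkt):
            return "deny (%s)" % acl
        if inspect and pkt.proto == "tcp":  # 'ip inspect name ... tcp'
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dt if False else pkt.dst, pkt.dport))
        return "permit (%s)" % acl

if __name__ == "__main__":  # constructed addresses from documentation ranges
    r = Router()
    print(r.receive("fe0/0", Pkt("tcp", "203.0.113.5", "192.0.2.10", 40000, 25)))
    print(r.receive("fe0/2", Pkt("tcp", "192.0.2.10", "203.0.113.5", 25, 40000)))
    print(r.receive("fe0/2", Pkt("tcp", "192.0.2.10", "198.51.100.7", 5000, 80)))
```

The SYN into fe0/0 is permitted by outsideacl and recorded; the SYN-ACK arriving on fe0/2 is passed by the session entry although dmzacl alone would drop it, while a connection the DMZ host initiates itself is still denied by dmzacl.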

