• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1076

Access list and ip inspect name

I have this scenario from the lab below and I am not sure I can make sense out of it. According to the scenario, outside hosts are allowed to initiate sessions w/ the smtp server ( & http server ( located in the dmz. Why? According to the dmzacl access-list, fe0/2 denies ip any any. Can somebody shed some light? Thank you.

interface fe0/0  (outside facing the Internet)
 ip inspect outside in
 ip access-group outsideacl in

interface fe0/1 (inside private interface)
 ip inspect inside in
 ip access-group insideacl in

interface fe0/2 (interface to the DMZ)
 ip access-group dmxacl in

ip inspect name inside tcp
ip inspect name outside tcp

ip access-list extended outsideacl
 permit tcp any host eq 25
 permit tcp any host eq 80
 deny ip any any log

ip access-list extended insideacl
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log

ip access-list extended dmzacl
 permit icmp any any packet-too-big
 deny ip any any log

1 Solution
interface fe0/2 (interface to the DMZ)
 ip access-group dmxacl in

You haven't shown a "dmxacl", only a "dmzacl".
If you note the "in", this ACL only applies to traffic coming into the router from the DMZ.

So packets can be freely sent to the DMZ as long as they are allowed in by the ACL and inspection rules on the outside interface.

It's the ACLs on the outside interface that matter for the _inbound_ traffic to initiate a session.

Return traffic would normally be an issue with this set of ACLs.
It should be easy to see how the SYN packet for initiating the session is allowed to the server.

As for the return traffic:
Normally the ACK packet that servers in the DMZ will send back would be dropped by this dmzacl ACL (if that's what you bound to fe0/2, as it doesn't allow any IP traffic).

For just the reason you mentioned.

HOWEVER, the "ip inspect" statement on the outside interface changes this.
When the SYN packet is accepted, a session is initiated, and the SID may allow the return traffic.

"ip inspect" by default enables a function called Firewall ACL bypass in certain software versions. The dmzacl may thus be bypassed for the return traffic.

So long as the session ID still exists (the inspection session remains active), the traffic should flow in such configurations.


netdoc01Author Commented:
I misspelled it. It is dmzacl and not dmxacl. Sorry.
netdoc01Author Commented:
"If you note the "in",  this  ACL only applies to traffic coming into
the router  from the DMZ."

I am a bit confused about the inbound traffic. I thought that "in" from the DMZ means the traffic coming in from the Internet (through fe0/0).
No, that's not what it means.
To be clear:

interface fe0/2 (interface to the DMZ)
 ip access-group dmzacl in
This statement, when applied to the interface fe0/2, deals with traffic that comes "IN" on the fe0/2 interface.

i.e. traffic a host attached on that interface attempts to send to the router or to a network on another interface.

ip access-group dmzacl out

Applied within fe0/2, that is the way you would apply an ACL to traffic the router is asked to send "OUT" the fe0/2 interface.

(The "OUT" direction deals with traffic that comes from other interfaces, including your 'internet facing' interface.)

ACLs applied in the "IN" direction on the fe0/2 interface have only an incidental effect on other interfaces.
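The two points made in this thread (an "in" access-group only sees packets entering the router on that interface, and an inspection session opened on the outside interface can let the DMZ server's reply past the DMZ-side ACL) can be checked with a small model. The following is an added example written for this page; it is not code from the thread or from Cisco, and it only imitates the behaviour the answer describes. The server addresses and the client address are constructed, since the original config elides them, and the ACLs are simplified to the TCP entries shown above (the ICMP entries are omitted).

```python
"""Model of per-interface inbound ACLs plus a CBAC-style inspection session.

Added illustration, not the thread's or Cisco's code. Interface names and ACL
names follow the thread; addresses are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "icmp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# Constructed addresses: the page omits the real DMZ server addresses.
SMTP_SERVER = "192.0.2.25"
HTTP_SERVER = "192.0.2.80"

# ACL entries as (action, proto, dst host or None for "any", dport or None).
# Mirrors the thread's outsideacl / insideacl / dmzacl, TCP entries only.
ACLS = {
    "outsideacl": [
        ("permit", "tcp", SMTP_SERVER, 25),
        ("permit", "tcp", HTTP_SERVER, 80),
        ("deny", "ip", None, None),
    ],
    "insideacl": [
        ("permit", "tcp", None, 80),
        ("deny", "ip", None, None),
    ],
    "dmzacl": [
        ("deny", "ip", None, None),
    ],
}

# Which ACL is bound with "in" on each interface, and whether "ip inspect ... in"
# is configured there. Only "in" bindings exist in the thread's config, so a
# packet is never checked against an ACL on the interface it leaves through.
INTERFACES = {
    "fe0/0": {"acl_in": "outsideacl", "inspect_in": True},
    "fe0/1": {"acl_in": "insideacl", "inspect_in": True},
    "fe0/2": {"acl_in": "dmzacl", "inspect_in": False},
}


def acl_permits(name: str, pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for action, proto, dst, dport in ACLS[name]:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


class Router:
    def __init__(self, acl_bypass: bool = True):
        # 5-tuples learned when an inspected interface accepts a TCP SYN.
        self.sessions = set()
        # Models the "Firewall ACL bypass" behaviour the answer mentions.
        self.acl_bypass = acl_bypass

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def receive(self, ingress: str, pkt: Packet) -> str:
        """Return "forward" or "drop" for a packet entering on `ingress`."""
        intf = INTERFACES[ingress]
        # Return traffic of an inspected session skips the inbound ACL.
        if self.acl_bypass and self._reverse_key(pkt) in self.sessions:
            return "forward"
        # Otherwise only the ACL bound "in" on the ingress interface applies.
        if not acl_permits(intf["acl_in"], pkt):
            return "drop"
        # An accepted SYN on an inspected interface opens a session entry.
        if intf["inspect_in"] and pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            self.sessions.add(self._key(pkt))
        return "forward"


def demo(acl_bypass: bool = True):
    """Outside client opens SMTP to the DMZ; the server replies; plus an
    unsolicited SYN from the DMZ. Returns the three forwarding decisions."""
    r = Router(acl_bypass)
    client = "198.51.100.7"   # constructed outside host
    syn = Packet(client, SMTP_SERVER, "tcp", 40000, 25, syn=True)
    synack = Packet(SMTP_SERVER, client, "tcp", 25, 40000, syn=True, ack=True)
    unsolicited = Packet(SMTP_SERVER, client, "tcp", 25, 40001, syn=True)
    return (
        r.receive("fe0/0", syn),          # checked against outsideacl only
        r.receive("fe0/2", synack),       # dmzacl would deny; inspection bypasses
        r.receive("fe0/2", unsolicited),  # no session: dmzacl denies it
    )


if __name__ == "__main__":
    print("with inspection bypass:   ", demo(True))
    print("without inspection bypass:", demo(False))
```

Running the model with the bypass disabled shows exactly the symptom the question asked about: the SYN reaches the server but the server's reply is dropped by dmzacl on fe0/2. With the bypass enabled, only the reply that matches an existing session is let through; a fresh connection attempt originating in the DMZ is still denied, which is what you want from that ACL.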

