access list
worrywarm

2004-02-27, 11:12 pm

The following access list was applied outbound on the E0 interface connected to the 192.168.1.8/29 LAN:
access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 20 any
access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 21 any
access-list 123 permit IP any any

The result should be all the traffic allowed to enter/exit e0.
But if it's applied inbound on e0, all the FTP traffic entering e0 should be blocked.
Am I right?

Can anyone confirm?

Thank you very much!
steeda

2004-02-28, 1:18 am

Correct syntax:

access-list 123 deny tcp 192.168.1.8 0.0.0.7 any eq 20
access-list 123 deny tcp 192.168.1.8 0.0.0.7 any eq 21
access-list 123 permit IP any any

If applied outbound, nothing will happen, as FTP connections with a source of 192.168.1.8/29 won't ever be egressing that interface, since it is the local subnet.

If applied inbound, no hosts on 192.168.1.8/29 will be able to initiate FTP sessions to servers on remote networks.

Kind of a screwed question; it tried to trick you.
Boulware5

2004-02-28, 1:21 am

I'm still a Cisco n00b, so I may be wrong, but...

Yeah, it looks like you are right. Since it's inbound, FTP traffic coming in should be blocked. If it's applied outbound (ip access-group 1 out), then FTP traffic should be blocked from leaving that network. So, in other words, people wouldn't be able to use FTP unless it's local within that network.


Can someone confirm?
Boulware5

2004-02-28, 1:24 am

Ahh, steeda... I thought it was the other way around.
steeda

2004-02-28, 1:30 am

Outbound would not block FTP traffic from "leaving" the local network. Outbound ACLs affect packets egressing an interface. Outbound ACLs affect packets that have already been routed. An FTP session initiation originating from a host on the local network entering E0 has not been routed, and will not be affected by an outbound ACL applied to E0.

Think of ingress and egress instead of inbound and outbound.

Say that router had a T1 connection on S0. If you applied that same ACL with "ip access-group 123 out" onto S0, hosts on the 192 network couldn't initiate FTP sessions to remote hosts provided S0 was the only other active interface on the router. The router would route the packets to S0 after INGRESSING on E0, but S0's applied ACL would sh!tcan them before they EGRESSED S0 onto the next hop.
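As an added illustration of the ingress/egress point steeda makes above (editorial example, not code from the thread), here is a small Python model of extended ACL matching and of where an "in" or "out" ACL is consulted on a routed packet's path. It uses the ACL lines quoted in the thread in both the original and the corrected syntax; the LAN host 192.168.1.10, the remote server 203.0.113.5 and the source port 51000 are constructed values.

```python
import ipaddress

# Constructed model of the Cisco extended ACL lines quoted in this thread and of
# where an inbound or outbound ACL is consulted along a routed packet's path.
CORRECTED_ACL = [  # steeda's syntax: "eq" after the destination = destination port
    "access-list 123 deny tcp 192.168.1.8 0.0.0.7 any eq 20",
    "access-list 123 deny tcp 192.168.1.8 0.0.0.7 any eq 21",
    "access-list 123 permit ip any any"]
ORIGINAL_ACL = [  # the opening post: "eq" after the source = SOURCE port
    "access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 20 any",
    "access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 21 any",
    "access-list 123 permit ip any any"]

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care" (0.0.0.7 covers a /29).
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)
def _addr(t, i):  # consume "any" or "<addr> <wildcard>" at t[i]
    return ("0.0.0.0", "255.255.255.255", i + 1) if t[i] == "any" else (t[i], t[i + 1], i + 2)
def _port(t, i):  # consume an optional "eq <port>" at t[i]
    return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)

def parse_ace(line):  # access-list <n> <action> <proto> <src> [eq p] <dst> [eq p]
    t = line.lower().split()
    src, swc, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, dwc, i = _addr(t, i)
    dport, _ = _port(t, i)
    return {"action": t[2], "proto": t[3], "src": (src, swc), "sport": sport,
            "dst": (dst, dwc), "dport": dport}

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])
            and ace["sport"] in (None, pkt["sport"]) and ace["dport"] in (None, pkt["dport"]))
def evaluate(acl_lines, pkt):  # first matching entry wins; implicit deny at the end
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

def forward(pkt, ingress_if, egress_if, bindings):
    # bindings: {(interface, "in"|"out"): acl_lines}. The ingress interface's "in" ACL runs on
    # arrival; the egress interface's "out" ACL runs only after routing, so an ACL bound "out"
    # on the interface the packet arrived on never sees it.
    for key in ((ingress_if, "in"), (egress_if, "out")):
        if key in bindings and evaluate(bindings[key], pkt) == "deny":
            return "deny"
    return "permit"

# Constructed FTP control connection: LAN host behind E0 to a remote server reached via S0.
FTP_OPEN = {"proto": "tcp", "src": "192.168.1.10", "sport": 51000, "dst": "203.0.113.5", "dport": 21}
```

With CORRECTED_ACL bound "out" on E0 the session is permitted, bound "in" on E0 or "out" on S0 it is denied; with ORIGINAL_ACL the session passes everywhere, because that syntax tests the client's ephemeral source port rather than the server's port 21.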
Boulware5

2004-02-28, 1:38 am

quote:
Originally posted by steeda
Outbound would not block FTP traffic from "leaving" the local network. Outbound ACLs affect packets egressing an interface. Outbound ACLs affect packets that have already been routed. An FTP session initiation originating from a host on the local network entering E0 has not been routed, and will not be affected by an outbound ACL applied to E0.

Think of ingress and egress instead of inbound and outbound.

Say that router had a T1 connection on S0. If you applied that same ACL with "ip access-group 123 out" onto S0, hosts on the 192 network couldn't initiate FTP sessions to remote hosts provided S0 was the only other active interface on the router. The router would route the packets to S0 after INGRESSING on E0, but S0's applied ACL would sh!tcan them before they EGRESSED S0 onto the next hop.

Never seen the terms egress and ingress. One of my books uses the example of "the man in the middle" of the router to explain this. You would think outbound is leaving the router and inbound is coming into the router, but I guess that is too simple for Cisco.
steeda

2004-02-28, 1:45 am

Outbound is leaving. Inbound is coming in.

But you said:

"If it's applied outbound (ip access-group 1 out), then FTP traffic should be blocked from leaving that network."

which is wrong. You were thinking an outbound access-list on an interface would prevent packets coming INTO it from leaving the network. They are inbound and thus not affected by outbound ACLs.
Boulware5

2004-02-28, 1:46 am

I have a lot of studying to do.
steeda

2004-02-28, 1:48 am

I'm sorry, maybe I am not the best at explaining concepts :P
worrywarm

2004-02-28, 11:03 am

Good conversation! I'm clear now.

Thank you guys!
Boulware5, don't forget that you have many companies here
dmaftei

2004-02-28, 11:04 am

quote:
Originally posted by steeda
Outbound ACL's affect packets that have already been routed.

Does an outbound ACL apply to packets that originate from the router too? I used to know this, but I forgot it...
worrywarm

2004-02-28, 11:34 am

quote:
Originally posted by dmaftei
Does an outbound ACL apply to packets that originate from the router too? I used to know this, but I forgot it...


No, it doesn't affect packets generated by the router itself.
steeda

2004-02-28, 1:41 pm

ACLs can, though. ACLs are used in distribute lists too, etc., to affect route updates and the like, i.e., maybe we don't want a specific route advertised out S0, but we want all the others to be.

Copyright 2003 - 2008 examnotes.net