Basic ACL Question - Outbound Traffic

comp.dcom.sys.cisco
Posted by Dan Foxley on April 30, 2006, 2:18 am
Howdy,

On a PIX515 6.3
It is my understanding that outbound traffic is allowed by default.

This ACL allows outbound traffic, i.e. SMTP to an Internet mail server.

access-list acl_collector permit icmp any any
access-list acl_collector permit ip any any
access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
access-group acl_collector in interface collector


This ACL DOES NOT allow outbound traffic, i.e. SMTP to the same
Internet mail server.

access-list acl_collector permit icmp any any
access-list acl_collector permit ip any any
access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
access-group acl_collector in interface collector

What am I missing here? If I have this correct then the "ip any any"
rule is OK or should it be set to "ip local_interface_subnet any"?

Thanks,
Dan Foxley


Posted by chris on April 30, 2006, 4:20 am

> Howdy,
>
> On a PIX515 6.3
> It is my understanding that outbound traffic is allowed by default.
>
> This ACL allows outbound traffic, i.e. SMTP to an Internet mail server.
>
> access-list acl_collector permit icmp any any
> access-list acl_collector permit ip any any
> access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
> access-group acl_collector in interface collector
>
>
> This ACL DOES NOT allow outbound traffic, i.e. SMTP to the same
> Internet mail server.
>
> access-list acl_collector permit icmp any any
> access-list acl_collector permit ip any any
> access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
> access-group acl_collector in interface collector
>
> What am I missing here? If I have this correct then the "ip any any"
> rule is OK or should it be set to "ip local_interface_subnet any"?
>
> Thanks,
> Dan Foxley
>

Dan,

Those two ACL's look identical to me. What is supposed to be different?

permit icmp any any
permit ip any any
permit tcp 192.168.10.0 255.255.255.0 any eq ssh
acl_collector in interface collector

Anyway, the 'permit ip any any' will allow that SSH traffic so the ssh line
isn't required. And yes, that will allow all IP traffic so why would you put
that acl on the interface anyway?

Chris.




Posted by danfoxley@gmail.com on April 30, 2006, 3:33 pm
Oops. It should have been as below. I thought all traffic is allowed
going out a lower security interface by default? These ACLs don't
allow outbound traffic to the Internet. If I do leave "permit IP any
any", what is blocking unwanted traffic? Only the "static" that is in
place?
-------------------------------------------
This ACL DOES NOT allow outbound traffic, i.e. SMTP to the same
Internet mail server.


access-list acl_collector permit icmp any any
access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
access-group acl_collector in interface collector
------------------------------------------------------------------------------------
Thanks,
Dan Foxley


Posted by chris on April 30, 2006, 7:13 pm

> Oops. It should have been as below. I thought all traffic is allowed
> going out a lower security interface by default? These ACLs don't
> allow outbound traffic to the Internet. If I do leave "permit IP any
> any", what is blocking unwanted traffic? Only the "static" that is in
> place?
> -------------------------------------------
> This ACL DOES NOT allow outbound traffic, i.e. SMTP to the same
> Internet mail server.
>
>
> access-list acl_collector permit icmp any any
> access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
> access-group acl_collector in interface collector
>
------------------------------------------------------------------------------------
> Thanks,
> Dan Foxley
>

Ah, now it makes more sense. As you say, with no acl in place and NAT
configured correctly, traffic from a high security interface to a lower one
(e.g. inside to outside) is permitted. However, once you apply an acl then all
traffic is checked against that acl. So, you have,

permit icmp any any
permit tcp/ssh from 192.168.10.0/24 to any

But, remember that on the end of every acl is a 'deny ip any any'. So, as
you haven't allowed SMTP in the acl then it will be blocked by the implicit
deny all at the end of the acl.

Chris.



Posted by danfoxley@gmail.com on May 1, 2006, 3:23 pm
Chris,

Awesome. So, if I have NO ACLs on an interface I can get from Higher
to Lower w/o issue (as long as NAT & Global are configured) - BUT as
soon as I apply ANY ACL to an interface, ALL traffic has to be defined
in an ACL EVEN Higher to Lower - Outbound?

Thanks,
Dan
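The answer to Dan's closing question is yes: on a PIX 6.x, once an access-group is applied `in` on an interface, every packet entering that interface is checked against that list (including higher-to-lower traffic), first match wins, and anything not explicitly permitted falls through to the implicit `deny ip any any`. The `permit ip any any` line in the first version therefore makes the list no more restrictive than having no ACL at all. The following Python model of that evaluation is an added example, not code from the thread: the ACL entries are Dan's, while the security levels (collector 50, outside 0), the inside host 192.168.10.25, the mail server 203.0.113.10 and the sample flows are constructed assumptions. Note the PIX address syntax it parses: `255.255.255.0` is a subnet mask, not an IOS-style wildcard mask.

```python
"""Model of PIX 6.x access-list evaluation for one ingress interface.

Added example, not from the thread. Security levels, hosts and flows are
constructed for illustration; the ACL entries are the ones Dan posted.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# PIX keyword ports used by the thread's entries and the samples below
PORT_NAMES = {"ssh": 22, "smtp": 25, "telnet": 23, "www": 80}


@dataclass(frozen=True)
class Flow:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _tokens(entry: str) -> List[str]:
    """Strip the optional 'access-list <name>' prefix so t[0] is the action."""
    t = entry.split()
    return t[2:] if t[0] == "access-list" else t


def _parse_addr(tokens: List[str], i: int):
    """Consume one PIX address spec at tokens[i]; return (network, next index).

    PIX 6.x access-lists take a subnet mask (255.255.255.0), not the IOS
    wildcard mask (0.0.0.255); ipaddress accepts the netmask form directly.
    """
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def entry_matches(entry: str, flow: Flow) -> bool:
    """True if one 'permit|deny <proto> <src> <dst> [eq <port>]' entry matches."""
    t = _tokens(entry)
    proto = t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    if proto != "ip" and proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in src:
        return False
    if ipaddress.ip_address(flow.dst) not in dst:
        return False
    return port is None or flow.dport == port


def evaluate(acl: Optional[List[str]], flow: Flow, from_level: int, to_level: int) -> str:
    """Decision for a flow entering at from_level and leaving at to_level.

    acl=None models no access-group on the ingress interface: the PIX default
    permits higher-to-lower security (given a working NAT/global) and denies
    lower-to-higher. Once an ACL is applied it alone decides, first match
    wins, and an unmatched flow hits the implicit 'deny ip any any'.
    """
    if acl is None:
        return "permit" if from_level > to_level else "deny"
    for entry in acl:
        if entry_matches(entry, flow):
            return _tokens(entry)[0]
    return "deny"  # implicit deny at the end of every PIX access-list


# Constructed: collector is a higher-security interface than outside
COLLECTOR, OUTSIDE = 50, 0

# Dan's ACL from the thread (no SMTP entry)
ACL_DAN = [
    "access-list acl_collector permit icmp any any",
    "access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh",
]
# Corrected list: explicitly permit the service that was being blocked
ACL_FIXED = ACL_DAN + [
    "access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq smtp",
]
# Dan's first version: 'permit ip any any' makes every other line irrelevant
ACL_OPEN = ["access-list acl_collector permit ip any any"] + ACL_DAN

# Constructed flows between an inside host and an Internet mail server
SMTP_OUT = Flow("tcp", "192.168.10.25", "203.0.113.10", 25)
TELNET_OUT = Flow("tcp", "192.168.10.25", "203.0.113.10", 23)
PING_OUT = Flow("icmp", "192.168.10.25", "203.0.113.10")
SMTP_IN = Flow("tcp", "203.0.113.10", "192.168.10.25", 25)


def decisions() -> dict:
    """Verdict per case; used by the demo below and by the tests."""
    return {
        "no acl, smtp out": evaluate(None, SMTP_OUT, COLLECTOR, OUTSIDE),
        "dan acl, smtp out": evaluate(ACL_DAN, SMTP_OUT, COLLECTOR, OUTSIDE),
        "dan acl, ping out": evaluate(ACL_DAN, PING_OUT, COLLECTOR, OUTSIDE),
        "fixed acl, smtp out": evaluate(ACL_FIXED, SMTP_OUT, COLLECTOR, OUTSIDE),
        "fixed acl, telnet out": evaluate(ACL_FIXED, TELNET_OUT, COLLECTOR, OUTSIDE),
        "open acl, telnet out": evaluate(ACL_OPEN, TELNET_OUT, COLLECTOR, OUTSIDE),
        "no acl, smtp in": evaluate(None, SMTP_IN, OUTSIDE, COLLECTOR),
    }


if __name__ == "__main__":
    for case, verdict in decisions().items():
        print(f"{case:24s} -> {verdict}")
```

The model covers only the access-list step; on a real PIX the outbound flow still needs a matching `nat`/`global` (or `static`) pair, so a permit here is necessary but not sufficient. The practical fix for Dan's list is the extra `eq smtp` entry, not `permit ip any any`.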

