
25340 Views 13 Replies Latest reply: Jul 24, 2013 4:58 PM by Terry RSS


Interface Inbound Outbound ACL Rules

Mar 25, 2011 2:47 AM

Steve 7 posts since
Feb 23, 2011

Hi All,

I'm trying to understand the inbound & outbound of the interface.

If I want to create an ACL for a server (10.10.10.10) in the "DMZ" to access one of the webservers (20.20.20.20) in the "Inside" interface.

After reading so much from the internet, I'm confused with the inbound and outbound of each interface.

Looks like I can do with either of the following four options for the above mentioned access:

1) access-list DMZ_Inbound permit tcp host 10.10.10.10 host 20.20.20.20 eq www (access-group DMZ_Inbound in interface DMZ)

2) access-list DMZ_Outbound permit tcp host 10.10.10.10 host 20.20.20.20 eq www (access-group DMZ_Outbound out interface DMZ)

3) access-list Inside_Inbound permit tcp host 20.20.20.20 host 10.10.10.10 eq www (access-group Inside_Inbound in interface Inside)

4) access-list Inside_Outbound permit tcp host 20.20.20.20 host 10.10.10.10 eq www (access-group Inside_Outbound out interface Inside)

Appreciate all of your advice.

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,396 posts since
    Oct 7, 2008
    1. Mar 25, 2011 10:22 PM (in response to Steve)
    Re: Interface Inbound Outbound ACL Rules

    Visualize yourself sitting on the router/firewall.  As a packet comes IN to you from a device on an attached interface, that would trigger the INBOUND ACL.

     

    As you are going to route/move a packet OUT an interface towards something else, that would be an OUTBOUND interface.

     

    As you have traffic going from your inside to dmz interface and back again, you'll notice that the same packet could be affected in two places for each direction.

     

    An INBOUND acl on the inside interface can filter the same as an OUTBOUND acl on the dmz interface.  For the return traffic, an INBOUND acl on the dmz interface can filter the same as an OUTBOUND acl on the inside interface.

     

    You'll just need to pay further attention to what your source vs. destination addresses and ports will be depending on what you put where.

     

    Be the router!

     

    Scott

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009

    I love it, and agree with it.

     

    "Be the router,  (pause)  Ohhhhmmmmmmmmmmmmm"

     

    Great analogy.    I visualize this as a 40 foot giant round hockey puck router icon with multiple interfaces with Cat6 cables attached going out in all directions, and I am sitting on the very center of this giant hockey puck.   When a packet is heading towards me, (like a fireball of light, riding the wire), from some remote destination coming toward me, it is inbound.

     

    When sending a fireball (packet) out of an interface towards some remote destination, and I can see it moving away from me over the wire, that would be outbound.

     

    Then I picture an ACL, applied as a filter to the interface, as a bouncer/bodyguard standing next to that specific interface, that checks the list to see if the packet is permitted (inbound if the ACL is applied inbound, or outbound if the ACL is applied outbound).    Remember that the ACLs applied to interfaces applied outbound only affect transit traffic through the router, and not traffic that the router is sourcing on its own (like a routing update or an outbound telnet session that begins at the router).

     

    Be the router. 

     

    Thanks, Scott!

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,396 posts since
    Oct 7, 2008

    You watched Tron recently, didn't you?  

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009

    Who told! 

  • Paul Stewart  -  CCIE Security, CCSI 6,971 posts since
    Jul 18, 2008
    6. Mar 27, 2011 6:52 PM (in response to Steve)
    Re: Interface Inbound Outbound ACL Rules

    Since you are talking about the ASA, you never need to create an ACL for return traffic.  Well, I shouldn't say never, but that is the general rule.  The ASA appliance uses an algorithm called the Adaptive Stateful Algorithm (ASA for short) that looks at traffic in one direction, creates a session and allows the return traffic.  When creating ACLs, the only entries you need are for the initiating direction.  Traffic from a higher to a lower security interface does not need an ACL.  However, if you attach an ACL, it does still have an implicit deny at the end.  So just keep that in mind.

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    8. Mar 27, 2011 9:42 PM (in response to Steve)
    Re: Interface Inbound Outbound ACL Rules

    Hello Steve-

    1. PIX and ASA both use stateful inspection (Adaptive Security Algorithm, as they used to call it), and allow the return traffic back through the firewall, regardless of any ACL that may be applied that would otherwise stop the return packets.

    2. The stateful inspection applies to all return traffic, between any 2 interfaces.  If the initial packet was allowed through, the return packet is allowed back, regardless of ACLs that may be blocking the return packets.

    3. If the inside interface is security level 100, and the dmz interface is security level 99 or less, the initial packets from the backup server will be allowed as long as there is NOT an ACL preventing the initial packet applied inbound on the inside, or outbound on the dmz interface.  If the initial packet makes it through, it doesn't matter what ACLs may be trying to stop the return packets, as the stateful inspection will allow return packets regardless of the ACLs.

    Other factors along the way could disrupt packet flow, such as incorrect NAT configuration, same security levels, etc.  The above discussion is regarding the ACL related elements of the ASA.

    Best wishes,

    Keith
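The rules the replies above describe (an ACL bound in or out on an interface filters the packet in that direction and ends in an implicit deny; with no inbound ACL bound, traffic passes only from a higher to a lower security level; a reply to a tracked connection passes regardless of ACLs), as an added toy model that is not code from the thread or from Cisco. It assumes security levels Inside 100 and DMZ 50, no NAT, and its own helper names Packet, Interface, Asa and try_option, which runs Steve's four bindings against the DMZ server's request and the web server's reply.

```python
# Added toy model (not the thread's or Cisco's code). Assumes Inside=100, DMZ=50,
# no NAT, and that ACL entries are (src, dst, dport) permit tuples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Interface:
    name: str
    level: int            # ASA security level
    acl_in: list = None   # ACL bound with access-group ... in; None = none bound
    acl_out: list = None  # ACL bound with access-group ... out

def acl_permits(acl, pkt):
    """No ACL bound: pass. Bound ACL: permit only on a match, else implicit deny."""
    if acl is None:
        return True
    return any(s == pkt.src and d == pkt.dst and p == pkt.dport for s, d, p in acl)

class Asa:
    def __init__(self, *ifaces):
        self.ifaces = {i.name: i for i in ifaces}
        self.conns = set()  # connection table keyed by the initiating 4-tuple

    def forward(self, pkt, ingress, egress):
        """True if pkt arriving on `ingress` and leaving via `egress` is allowed."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return True  # reply to a tracked connection: ACLs are not consulted
        inn, out = self.ifaces[ingress], self.ifaces[egress]
        if inn.acl_in is None:
            if inn.level <= out.level:  # no inbound ACL: lower->higher is denied
                return False
        elif not acl_permits(inn.acl_in, pkt):
            return False
        if not acl_permits(out.acl_out, pkt):
            return False
        self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

def try_option(dmz_in=None, dmz_out=None, inside_in=None, inside_out=None):
    """Bind ACLs as in one of Steve's options; return (request allowed, reply allowed)."""
    asa = Asa(Interface("DMZ", 50, dmz_in, dmz_out), Interface("Inside", 100, inside_in, inside_out))
    first = asa.forward(Packet("10.10.10.10", 40000, "20.20.20.20", 80), "DMZ", "Inside")
    reply = first and asa.forward(Packet("20.20.20.20", 80, "10.10.10.10", 40000), "Inside", "DMZ")
    return first, reply
```

Only a permit for the initiating direction on the path the request actually takes (option 1 here) lets the request through; the reply is then admitted by the connection table even when an ACL on the Inside interface would deny it.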

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    10. Mar 28, 2011 9:21 PM (in response to Steve)
    Re: Interface Inbound Outbound ACL Rules

    Hi Steve-

    Best practice is to put on paper what services we want to allow, and from where.  Once we define the policy of what we want to happen, then we can begin with the defaults of the ASA, and implement additional rules to enforce it.  When possible, denying initial packets inbound on an interface is better than outbound on the exit interface.  Also remember that any traffic that goes through the ASA, if it is inspected, will also mean that the return packets will be allowed, in spite of ACLs that try to stop them.

    Best wishes,

    Keith

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    12. Jul 29, 2011 12:18 AM (in response to Steve)
    Re: Interface Inbound Outbound ACL Rules

    Hello Steve-

     

    The PIX can run software versions up to and including the 8.0 flavors.

     

    The syntax for 7.0 through 8.2 is virtually the same.   8.3 and higher commands start to change.

     

    Adjusting for interface numbers and types, most of the commands from 7.x of PIX or ASA should work on version 8.0x of the PIX or ASA and are interchangeable.

     

    Keith

  • Terry 4 posts since
    Dec 1, 2010
    13. Jul 24, 2013 4:58 PM (in response to Steve)
    Re: Interface Inbound Outbound ACL Rules

    From what you have said:

    "If I want to create an ACL for a server (10.10.10.10) in the "DMZ" to access one of the webservers (20.20.20.20) in the "Inside" interface"

    Therefore, the server from the DMZ interface will be the one to initiate. You may use:

    access-list DMZ_Inbound permit tcp host 10.10.10.10 host 20.20.20.20 eq www (access-group DMZ_Inbound in interface DMZ)

    or

    access-list Inside_Outbound permit tcp host 20.20.20.20 eq www host 10.10.10.10 (access-group Inside_Outbound out interface Inside)

    Remember:

    access-list <name> permit <tcp/udp> <source> eq <source port> <destination> eq <destination port>

    So if you expand your ACL, it will be:

    access-list DMZ_Inbound permit tcp host 10.10.10.10 eq any host 20.20.20.20 eq www
