ACL generated by SDM

by Cyrus Lok on Saturday, March 6, 2010 at 10:04pm

Regarding the extended ACL 101, why is there a need to include the deny all statement?
ACL 101 is applied as IN to fa0/1, which is the interface to the outside (untrusted) network. That means not only RFC 1918 addresses are dropped, all other IP traffic is dropped as well. The thing is, can I still surf the net? Since the return IP packet will be dropped…

Router#sh access-list
Extended IP access list 100
    10 deny ip 172.16.0.0 0.0.0.3 any
    20 deny ip host 255.255.255.255 any
    30 deny ip 127.0.0.0 0.255.255.255 any
    40 permit ip any any (4 matches)
Extended IP access list 101
    10 deny ip 10.0.0.0 0.0.0.255 any
    20 permit icmp any host 172.16.0.1 echo-reply
    30 permit icmp any host 172.16.0.1 time-exceeded
    40 permit icmp any host 172.16.0.1 unreachable
    50 deny ip 10.0.0.0 0.255.255.255 any
    60 deny ip 172.16.0.0 0.15.255.255 any
    70 deny ip 192.168.0.0 0.0.255.255 any
    80 deny ip 127.0.0.0 0.255.255.255 any
    90 deny ip host 255.255.255.255 any
    100 deny ip host 0.0.0.0 any
    110 deny ip any any log

I got a great answer from an expert within the study group. Most people do not answer the question, but Erick is different: he answers exactly what I wanted to know. Below is the answer on why an implicit deny or an explicit deny all statement can still allow the inside network to access the internet.

Mar 6, 2010 6:38 AM in response to: cyruslok
Re: Doubts about ACL 101 generated by SDM

Hi!
1. The deny ip any any log is used so you can see what traffic is being dropped by the ACL. It’s the “log” keyword. If you had left the “log” keyword off, you could still use the show access-list command to see matches against that particular line, just not any details about what was dropped.

2. I am going to make an assumption here since it wasn’t mentioned. Is this configuration for an IOS Firewall? ACL 101 is there to prevent IP address spoofing. RFC 1918 addresses are not routable on the internet and there should be no reason that a packet should have those addresses in the source address field if it originated from outside of your network. The reason you can still surf the internet (assuming the configuration is for IOS firewall) is because it’s a stateful firewall. Traffic that originates on your LAN with an RFC 1918 address destined for the internet is kept in a state table. When traffic returns, the router (FW) will examine the state table and determine if the traffic should be allowed back in. If you are using CBAC (IOS FW), you can view the state table by using the show ip inspect sessions command.

Erick
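
The behaviour described in the answer above can be modelled in a few lines. This is an added example, not part of the original post or reply and not Cisco's implementation: it evaluates ACL 101 first-match with wildcard masks and consults a session table before the static entries. The function names, the 203.0.113.10 web server, and the use of 172.16.0.1 as the router's outside source address are constructed assumptions.

```python
import ipaddress

# ACL 101 exactly as listed on this page (applied inbound on the outside interface)
ACL_101 = """10 deny ip 10.0.0.0 0.0.0.255 any
20 permit icmp any host 172.16.0.1 echo-reply
30 permit icmp any host 172.16.0.1 time-exceeded
40 permit icmp any host 172.16.0.1 unreachable
50 deny ip 10.0.0.0 0.255.255.255 any
60 deny ip 172.16.0.0 0.15.255.255 any
70 deny ip 192.168.0.0 0.0.255.255 any
80 deny ip 127.0.0.0 0.255.255.255 any
90 deny ip host 255.255.255.255 any
100 deny ip host 0.0.0.0 any
110 deny ip any any log"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def addr(tok):  # consume one address spec -> ((base, wildcard), remaining tokens)
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip(tok[1]), 0), tok[2:]
    return (ip(tok[0]), ip(tok[1])), tok[2:]

def parse(text):
    aces = []
    for line in text.splitlines():
        seq, action, proto, *rest = line.split()
        src, rest = addr(rest)
        dst, rest = addr(rest)
        icmp = rest[0] if rest and rest[0] != "log" else None
        aces.append((int(seq), action, proto, src, dst, icmp))
    return aces

def hit(a, spec):  # wildcard bits set to 1 are "don't care"
    return (ip(a) | spec[1]) == (spec[0] | spec[1])

def outbound(pkt, sessions):  # inspection records the flow as it leaves
    sessions.add((pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport")))

def inbound(pkt, aces, sessions):  # -> (verdict, what matched)
    if (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport")) in sessions:
        return "permit", "session"  # reply to a recorded flow, checked before the static ACEs
    for seq, action, proto, src, dst, icmp in aces:  # first match wins
        if proto in ("ip", pkt["proto"]) and icmp in (None, pkt.get("icmp")) \
                and hit(pkt["src"], src) and hit(pkt["dst"], dst):
            return action, seq
    return "deny", "implicit"
```

Without a recorded session, the same reply packet falls through to entry 110 and is dropped and logged, which is the case the question was worried about.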
