Access-List confusion. Help me out!

Cessation

Ok, so I thought I was grasping the whole Access-list thing pretty well until I got to the practice tests concerning inbound/outbound traffic.

When this is used... how should I interpret incoming/outgoing traffic? IE:
inbound as in coming in FROM an outside source, or Inbound as in already inside the subnet of the router?

I hope you understand what I am talking about. (although I am already confusing myself)
This is driving me crazy.
Here is a proposed question that i though I got right but ended up being wrong about.



Some guy has two subnets, 172.45.1.0 and 172.45.2.0. You want to protect the 172.45.2.0 subnet from all traffic except for the 172.45.1.0 network; But you don't want anyone to telnet into 172.45.2.2. You currently do not have any filters on.
So you go ahead and insert the following lists.

access-list 102 deny tcp 172.45.1.0 0.0.255.255 host 172.45.2.2 eq 23
access-list 102 permit ip 172.45.1.0 0.0.255.255 172.45.2.0 0.0.0.255

Where should you apply the 102 filter?
1. Outbound side of E1
2. Inbound side of E0
3. Inbound side of S0
4. Inbound side of E1
5. Outbound side of E0



Now, since it asks me to protect the subnet I chose the Inbound side of E1... trying to stop inbound traffic to the subnet.

Now they say the answer is the Outbound side of E1... (Which makes me think that they are trying to block all traffic leaving the 172.45.2.0 subnet.

Have I just lost it?

Thanks for reading all the way through! (if you did ha ha)

Rearden

Inbound happens before the routing decision, while outbound happens after.

Cessation

Rearden wrote:

Inbound happens before the routing decision, while outbound happens after.

Rearden,
Thanks for the post. Can you help me by explaining a bit further please?

So was I completely wrong here?
Thanks,
Cess

Gogousa

You have to put your self inside the router. From there, think how you see the trafic.

Rearden

Well, when a router receives a packet, an inbound ACL is applied before the router looks at the routing table and decides what to do with it. For an outbound ACL, the router receives the packet, decides what interface to send it out and after that decision is made, an ACL that is applied to the outgoing interface is looked at.

NeonNoodle

Cessation wrote:

Ok, so I thought I was grasping the whole Access-list thing pretty well until I got to the practice tests concerning inbound/outbound traffic.

When this is used... how should I interpret incoming/outgoing traffic? IE:
inbound as in coming in FROM an outside source, or Inbound as in already inside the subnet of the router?

I hope you understand what I am talking about. (although I am already confusing myself)
This is driving me crazy.
Here is a proposed question that i though I got right but ended up being wrong about.



Some guy has two subnets, 172.45.1.0 and 172.45.2.0. You want to protect the 172.45.2.0 subnet from all traffic except for the 172.45.1.0 network; But you don't want anyone to telnet into 172.45.2.2. You currently do not have any filters on.
So you go ahead and insert the following lists.

access-list 102 deny tcp 172.45.1.0 0.0.255.255 host 172.45.2.2 eq 23
access-list 102 permit ip 172.45.1.0 0.0.255.255 172.45.2.0 0.0.0.255

Where should you apply the 102 filter?
1. Outbound side of E1
2. Inbound side of E0
3. Inbound side of S0
4. Inbound side of E1
5. Outbound side of E0



Now, since it asks me to protect the subnet I chose the Inbound side of E1... trying to stop inbound traffic to the subnet.

Now they say the answer is the Outbound side of E1... (Which makes me think that they are trying to block all traffic leaving the 172.45.2.0 subnet.

Have I just lost it?

Thanks for reading all the way through! (if you did ha ha)

The first part "You want to protect the 172.45.2.0 network from all traffic except the 172.45.1.0 network means you don't want anybody from the Internet having access to your network. Then you also don't want anyone from the 172.45.1.0 network telnetting over to the 172.45.2.0 so you, but everything else is OK.



access-list 102 deny tcp 172.45.1.0 0.0.255.255 host 172.45.2.2 eq 23 <--- blocks telnet from .1
access-list 102 permit ip 172.45.1.0 0.0.255.255 172.45.2.0 0.0.0.255 <--- allows the rest from .1
access-list 102 deny ip any any <--- implicit deny statement; stops everything else


If this access list were placed on the inbound side of E0, it would only prevent telnet; the Internet traffic would still get in.

If this access list were placed on the inbound side of S0, it would only prevent the Internet traffic from getting in; telnet would still work from the .1 network.

If this access list were placed on the inbound side of E1, it would be looking at the .2 network traffic as source traffic and it would be blocking all the .2 network traffic going out, but the .1 network would have telnet access and the Internet would have access to the .2 network.

If this access list were placed on the outbound side of E0, it would block all traffic going to E0 from the Internet and the .2 network, but the .1 network would have telnet access and the Internet would have access to the .2 network.


Now, if the access list were placed on the outbound interface of E1, the first two statement of the access list would block telnet from the .1 network and then let the rest of the .1 traffic in; the implicit deny at the end of the access list blocks the Internet traffic from getting to the .2 network.

techED

nice break down NeonNoodle. I just started ACL and this helps, the inbound-outbound was driving a little nuts.

Cessation

techED wrote:

nice break down NeonNoodle. I just started ACL and this helps, the inbound-outbound was driving a little nuts.

I really don't know why I am still having trouble understanding this...

I see it like this...

~~~~~~~~Inbound E1~~~~~~~>___ to 172.2.0.0 Subnet
<~~~~~~~Outbound E1~~~~~~~ from 172.2.0.0 Subnet

If I wanted to block people from accessing my subnet shouldn't I block the inbound access to my E1? Thats what I see.

Or is it just whatever side its on? IE:

Is "Outbound" just outside of E1 going into E1 or is Outbound on the inside of E1 going out to the router?


Outbound ~~~> E1 or <~~~~Outbound of E1 (leaving E1)

Does anyone see why I am confused?

NeonNoodle

I look at inbound and outbound this way:

An inbound packet is trying to get into the router.
An outbound packet is already in the router and is trying to get out.

APA

You are confusing yourself........... Take a close look at the scenario again

You would apply the access list to outbound E1 because the packets are trying to 'get out' of E1 and travel to 172.45.2.2

If you apply it to inbound E1 it would block traffic coming into E1 from 172.45.2.0/24 depending on what you configure in your IN_ACL, all traffic trying to get out of E1 would be allowed!

Cessation

A.P.A wrote:

You are confusing yourself........... Take a close look at the scenario again

You would apply the access list to outbound E1 because the packets are trying to 'get out' of E1 and travel to 172.45.2.2

If you apply it to inbound E1 then it would only block traffic coming into E1 from the 172.45.2.2 network, all traffic trying to get out of E1 would be allowed!

This is exactly what I needed.

I swear... I've been told that its my thinking like THIS that prevents me from passing my exams in the high 900's...

Thanks for ALL the help everyone!

APA

Glad to be of assistance......


Keep a positive frame of mind and you will always do well in your exams but remember that a score is just a score it doesn't mean you know less then someone who passes an exam with a perfect score..........

At the end of the day real hands on experience beats everything else!!!!

gabrielbtoledo

When I was in class, my teacher taught me to think this way to understand In - Out ACLs.
Sit your butt into the router and you will be able to see what is IN and what is OUT.
Imagine yourself being the router, so you can visualize from where the packets are coming and going.
In this scenario, if you sit into the router, you will see why can't be in and has to be out. You are receiving packets from another port and will send out through a different one.