topic Internet Access blocked by ACL or Firewall? in Network Security

Internet Access blocked by ACL or Firewall?

mechbearcat — Tue, 01 Mar 2022 17:05:21 GMT

I have just been handed over infra without diagrams or information as the previous guy left without notice. Hope experts here can enlighten me or at least point me in the right direction. Everything was working fine till our proxy server went down. I am not sure how the previous implementation "forced" internet traffic through the proxy.

Disabled proxy (such as on application level or internet browsers) but there is still no internet access.
Previously working fine with a 3rd party proxy.Other Network Security Topics
Checkpoint Firewall accepts traffic to internet (tested with sites like google.com and 8.8.8.8) based on logs. Therefore my guess is the traffic is dropped somewhere on the router after the firewall.
Possible it's the ACL causing the problems? Is it the ACL "BLOCK_INB" blocking all return traffic?

The company is using Checkpoint as it's firewall solution with a Cisco 2911 ISR facing the Internet / acting as the WAN router. To simply, its like this:

Clients/Servers/Devices ---> Switch --> Checkpoint FW ---> DMZ Switch --> Cisco 2911 WAN Router --> Internet

Here is the router config:

interface Port-channel1

description to CP-FW

ip address 203.X.X.29 255.255.255.224

ip access-group 102 in

no ip redirects

no ip unreachables

no ip proxy-arp

interface Embedded-Service-Engine0/0

no ip address

shutdown

interface GigabitEthernet0/0

description WAN Internet

ip address 164.x.x.230 255.255.255.252

ip access-group BLOCK_INB in

no ip redirects

no ip unreachables

no ip proxy-arp

duplex full

speed 100

interface GigabitEthernet0/1

description To DMZSwitch

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

duplex auto

speed auto

channel-group 1

ip forward-protocol nd

no ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 164.X.X.229

ip route 192.168.5.0 255.255.255.0 203.X.X.30

ip route 203.X.X.0 255.255.255.224 203.X.X.30

ip ssh time-out 60

ip ssh version 2

ip ssh server algorithm mac hmac-sha1

ip ssh server algorithm encryption aes256-ctr

ip ssh client algorithm mac hmac-sha1

ip ssh client algorithm encryption aes256-ctr

ip access-list extended BLOCK_INB

deny ip 127.0.0.0 0.255.255.255 any log

deny ip 10.0.0.0 0.255.255.255 any log

deny ip 0.0.0.0 0.255.255.255 any log

deny ip 172.16.0.0 0.15.255.255 any log

deny ip 192.168.0.0 0.0.255.255 any log

deny ip 192.0.2.0 0.0.0.255 any log

deny ip 169.254.0.0 0.0.255.255 any log

deny ip 224.0.0.0 31.255.255.255 any log

deny ip host 255.255.255.255 any log

permit ip any any log

deny ip any any log

access-list 101 deny icmp any any redirect

access-list 101 deny icmp any any timestamp-request

access-list 101 deny icmp any any information-request

access-list 101 deny 53 any any

access-list 101 deny 55 any any

access-list 101 deny 77 any any

access-list 101 deny pim any any

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log

access-list 101 deny ip 10.0.0.0 0.255.255.255 any log

access-list 101 deny ip 127.0.0.0 0.255.255.255 any log

access-list 101 deny ip 161.229.0.0 0.0.255.255 any log

access-list 101 deny ip 169.254.0.0 0.0.255.255 any log

access-list 101 deny ip 172.0.0.0 0.31.255.255 any log

access-list 101 deny ip 192.168.0.0 0.0.255.255 any log

access-list 101 deny ip 224.0.0.0 31.255.255.255 any log

access-list 101 deny ip 255.0.0.0 0.255.255.255 any log

access-list 101 deny udp any any eq 0

access-list 101 permit ip any any log

access-list 102 permit ip 203.X.X.0 0.0.0.31 any

access-list 102 permit ip 192.168.5.0 0.0.0.255 any

access-list 102 deny udp any any eq 0

access-list 102 deny ip any any log

access-list 103 deny udp any any eq 0

access-list 103 permit ip any any log

Re: Internet Access blocked by ACL or Firewall?

balaji.bandi — Tue, 01 Mar 2022 17:14:23 GMT

As per your description of the problem, you have not changed anything on the router (have you ?)

The ACL Looks ok high level.

My guess your Checkpoint Doing NAT here for your Local Internet.

To confirm you have internet or not, connect any device using Public IP in DMZ switch and check is the Internet working or not.

what is your Lan side IP address ?

Re: Internet Access blocked by ACL or Firewall?

mechbearcat — Tue, 01 Mar 2022 17:22:36 GMT

Thanks! I had a feeling it must be something related to NAT on the firewall side.

My LAN side client IP address is 192.168.5.x

All the clients/servers are not able to access Internet at all (once proxy is disabled). How do you even "force" traffic to make use of a 3rd party proxy?

One more novice question on the "BLOCK_INB" ACL (which is applied on WAN interface): deny ip any any log

Wouldn't this cause return any/all traffic to be blocked?

Re: Internet Access blocked by ACL or Firewall?

balaji.bandi — Tue, 01 Mar 2022 17:27:53 GMT

All the clients/servers are not able to access Internet at all (once proxy is disabled).

how is the proxy configured manually in browser, check browser setting in proxy settings

If you remove the proxy, the FW not able to make connection due to NAT, i belive in your CP Only proxy IP allowed and NAtted (as per the information)

 How do you even "force" traffic to make use of a 3rd party proxy?

what 3rd party proxy ? you any brand, is this up and running ?

Re: Internet Access blocked by ACL or Firewall?

mechbearcat — Tue, 01 Mar 2022 17:37:48 GMT

Proxy went down due to hardware failure (believe it's Barracuda Web Security and Filtering) on its host.
As such, I made use of GPO to remove all proxy settings including browsers (Internet Options). However, most servers/clients are not even able to connect to Internet to retrieve updates.

Thanks yet again, I understand this is the Cisco forum but you have been helpful. I will try to check Checkpoint FW once I am back in office and see if there are any options to "bypass" proxy. Or if any of the switches are "redirecting" traffic to proxy.

Re: Internet Access blocked by ACL or Firewall?

balaji.bandi — Tue, 01 Mar 2022 17:43:28 GMT

I can understand the situation now.

you have 2 Options :

1. Configure Checkpoint to NAT all Internal IP address using NAT, so all device can access Internet ( given below link not sure you running R80 ?)

https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/6724.htm

2. If you have spare PC, you can install Linux and Squid (this act as Proxy) replace in place of Barracuda proxy Place. using same IP address, that resolve the issue.

https://www.digitalocean.com/community/tutorials/how-to-set-up-squid-proxy-on-ubuntu-20-04

You choose which one best, let me know any help i can do to help to resolve the issue, happy to help get back your network connection and user happy using internet again.