topic Hi, I'm seeing packet drops in Network Security

IOS XE - Returning packets are dropped

Gary Turner — Tue, 12 Mar 2019 07:59:11 GMT

I'm struggling with a router config where I can see in the log that the response to an outbound request is being block by the ACL on the outside interface. The router is an ISR4321 running IOS XE 16.

The implementation is common enough:

Internal Network --> VLAN1/GigEthernet1 <-- R1 --> Dialer0/GigEthernet0 --> ADSL Modem --> Provider

I have NAT enabled and access-list 100 on the outside of VLAN1 and access-list 101 on the outside of the Dialer0 interface.

If I drop access-list 101 I can browser the web, if I add it back in only ping and DNS lookups seem to work and I can seen the response packets from a website I'm accessing being drop by the access list rule so it looks like the established sessions are not be respected.

I'm sure I'm missing a single command from my config but can't find it for looking!

Thanks in advance Gary

Hi Gary,

jagraaga — Tue, 05 Jul 2016 08:45:48 GMT

Hi Gary,

Please paste the output of access-list 101 you have applied on the out Dialer0 interface.

Regards,

Jagrati

Hi, I'm seeing packet drops

Gary Turner — Tue, 05 Jul 2016 17:09:39 GMT

Hi, I'm seeing packet drops such as this:

*Jul 4 21:49:42.780: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list 101 denied tcp 82.165.172.29(80) -> 87.127.7.33(4099), 4 packets

in response to a request to a website www.peartreecleaning.co.uk.

the access list looks like this:

access-list 101 remark Auto generated by SDM for NTP (123)
access-list 101 permit udp any eq ntp any eq ntp
access-list 101 remark PPTP VPN
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 deny   ip 192.168.30.0 0.0.0.255 any
access-list 101 permit icmp any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log

Thanks.

Gary

Hi Gary,

jagraaga — Wed, 06 Jul 2016 10:27:59 GMT

Hi Gary,

You are using an access-list on the outside interface and you are not allowing this traffic.

You need to configure and ACL on 101 to allow this traffic. Please add a term like this.

#access-list 101 line 1 extended permit ip <source-address> <source-subnet> <destination-address> <destination-subnet>

For destination you will have to use any since you want to allow web browsing.

For source use the subnet you want to allow traffic from.(use the original source subnet)

Let me know if this helps.

Regards,

Jagrati

Hi

Gary Turner — Wed, 06 Jul 2016 20:40:01 GMT

Thanks for your help but I'm not sure I follow you.

This is a general internet access FW which aplies PAT/NAT to the system originating the request to an unknown destinaton I cannot define inbound rules for every connection initiated.

We do not has such rules on any of the other IOS based routers we have so I'm thinking there is a different on the IOS XE config that I'm missing.

Regards

Gary

Hi Gary,

jagraaga — Thu, 07 Jul 2016 09:04:46 GMT

Hi Gary,

The access-list 101 is applied in which direction on the interface(out or in)?

It seems that the access-list is applied in 'in' direction on interface Dialer0. There is no access-list to allow this traffic.

To confirm the same, please configure an access-list to allow ip traffic.

##access-list 101 line 1 extended permit ip any any

Try this on test basis to confirm the issue.

Regards,

Jagrati

Hi

Gary Turner — Thu, 07 Jul 2016 12:44:38 GMT

See below the Interface definition:

interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip access-group 101 in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxx@broadband.net.uk
ppp chap password 0 xxxxxxx
no cdp enable
ip virtual-reassembly
!

So the access-list is applied to the inbound route.

I will try the rule you suggest, I expect it will work as it is allowing anything in and as such removes the FW in the same way issue no access-list 101 gets things working but having no firewall blocking random requests isn't going to work.

We have other sites that do not require a global permit rule, indeed they have a a global deny, these sites work so the firwall must be keeping track of the conenctions fromt he inside and allowing a response on the the same.

Regards

Gary

Hi Gary,

jagraaga — Fri, 08 Jul 2016 07:46:37 GMT

Hi Gary,

I understand you need to allow only web browsing traffic initiated from internal network to outside.

Please use the below command to allow this traffic.

#access-list 101 permit tcp any any gt 1023 established

This will allow only packets for which the session has already been established and destination ports greater then 1023.

Please refer to section 'Allow Only Internal Networks to Initiate a TCP Session' for more details.

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#anc9

This will help you to block traffic which is initiated from outside.

Regards,

Jagrati