topic It would appear I fixed it in Network Security

permit ip any any

James Saunders — Tue, 12 Mar 2019 05:20:42 GMT

Hi All,

I have a question around the permit ip any any statement on an inbound ACL when using NAT. Is it safe? If I take the statement out of my list I can't do anything.

Example:

interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.192
ip access-group IN_OUT_VLAN10 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
end

ip access-list extended IN_OUT_VLAN10
permit udp any any eq bootpc
permit udp any any eq bootps
deny   ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.63
deny   ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.63
deny   ip 192.168.1.0 0.0.0.63 192.168.1.192 0.0.0.63
permit ip any any

Above list is to block my internal subnets*

interface Dialer1
mtu 1492
ip address negotiated
ip access-group OUTSIDE_INSIDE in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast source reachable-via rx allow-default 100
ip nat outside
ip inspect IN_OUT_CBAC out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no keepalive
ppp authentication chap callin
ppp chap hostname ******
ppp chap password ******
no cdp enable
end

ip access-list extended OUTSIDE_INSIDE
remark OUTSIDE_INSIDE_ALLOW
remark *****
permit tcp host ********* any eq 22 log-input
remark ***********
permit tcp host ************* any eq 22 log-input
remark *********
permit tcp host ************* any eq 22 log-input
remark OUTSIDE_INSIDE_BLOCK
deny   icmp any any echo
deny   icmp any any echo-reply
deny   tcp any any eq 22 log-input
deny   udp any any eq 22 log-input
deny   tcp any any eq telnet log-input
deny   udp any any eq 23 log-input

permit ip any any <<<<< Without this here I have no traffic*

ip nat inside source list VLAN10_OUTSIDE interface Dialer1 overload

ip inspect name IN_OUT_CBAC tcp
ip inspect name IN_OUT_CBAC udp
ip inspect name IN_OUT_CBAC icmp

Above is a basic firewall for outbound connections and returning traffic** (I hope)

My question is do I need to put every single port I want to allow in and out in even though I am using NAT? It will be an insane list especially with gaming as XBOX uses random ports each time. I don't have any static NAT entries so when I do a port scan they are all closed as expected except 22 and 23 which I have closed only to specific hosts. Does IP here mean basically IP as in routing addresses etc (which would make sense) or does it mean the entire TCP/IP suite like TCP and UDP ports etc..

This has confused me so long I thought I would ask.. I see it on a lot of SMB routers with ADSL etc using NAT..

Thank you kindly everyone.

You should not have to put in

Collin Clark — Thu, 15 Jan 2015 15:05:30 GMT

You should not have to put in the ip any any statement. Can you post the acl VLAN10_OUTSIDE?

Extended IP access list

James Saunders — Thu, 15 Jan 2015 18:33:37 GMT

Extended IP access list VLAN10_OUTSIDE
10 permit ip 192.168.1.0 0.0.0.63 any (7459 matches)
20 deny ip any any (11814 matches)

thanks for response, above is the requested 🙂

sorry and by my access list I

James Saunders — Thu, 15 Jan 2015 18:36:22 GMT

sorry and by my access list I mean VLAN10 going to outside... Just my wording 😉

Can you post a sanitized

Collin Clark — Thu, 15 Jan 2015 18:51:11 GMT

Can you post a sanitized "show ip inspect all"?

Established Sessions Session

James Saunders — Thu, 15 Jan 2015 18:57:18 GMT

Established Sessions
Session 29F5EA3C (192.168.1.198:55435)=>(X.X.X.X:5671) tcp SIS_OPEN
Session 29F4FD0C (192.168.1.15:49941)=>(X.X.X.X.:443) tcp SIS_OPEN
Session 29F5A0EC (192.168.1.15:49943)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5CE34 (192.168.1.26:52537)=>(X.X.X.X:5223) tcp SIS_OPEN
Session 29F505AC (192.168.1.15:49940)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5B454 (192.168.1.15:49158)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5BACC (192.168.1.15:49944)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F52EA4 (192.168.1.14:61670)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5B67C (192.168.1.14:62041)=>(X.X.X.X:80) tcp SIS_OPEN
Session 29F50E4C (192.168.1.15:49946)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5F2DC (192.168.1.15:49947)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5B8A4 (192.168.1.15:49945)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F52A54 (192.168.1.15:49265)=>(X.X.X.X:80) tcp SIS_OPEN
Session 29F5C9E4 (192.168.1.13:57579)=>(X.X.X.X:5223) tcp SIS_OPEN
Session 29F5DB24 (192.168.1.15:49938)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F577F4 (192.168.1.15:49939)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5E19C (192.168.1.19:50431)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5B22C (192.168.1.15:49942)=>(X.X.X.X:443) tcp SIS_OPEN

Can I get all of it please?

Collin Clark — Thu, 15 Jan 2015 19:01:23 GMT

Can I get all of it please?

Sorry Colin, here we are #sh

James Saunders — Fri, 16 Jan 2015 07:13:16 GMT

Sorry Colin, here we are

#sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name IN_OUT_CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
Interface Dialer1
Inbound inspection rule is not set
Outgoing inspection rule is IN_OUT_CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10
Inbound access list is OUTSIDE_INSIDE
Outgoing access list is not set

Established Sessions
Session 29F5EA3C (192.168.1.198:55435)=>(54.194.173.224:5671) tcp SIS_OPEN
Session 29F5282C (192.168.1.14:62790)=>(54.243.233.199:443) tcp SIS_OPEN
Session 29F4FAE4 (192.168.1.14:62795)=>(17.110.224.20:443) tcp SIS_OPEN
Session 29F51914 (192.168.1.13:58339)=>(65.20.0.43:993) tcp SIS_OPEN
Session 29F54CD4 (192.168.1.13:58341)=>(65.20.0.43:993) tcp SIS_OPEN
Session 29F5E5EC (192.168.1.13:58340)=>(65.20.0.43:993) tcp SIS_OPEN
Session 29F52A54 (192.168.1.13:58314)=>(17.172.239.80:443) tcp SIS_OPEN
Session 29F5C36C (192.168.1.17:49964)=>(157.55.236.97:443) tcp SIS_OPEN
Session 29F4FF34 (192.168.1.14:62797)=>(216.157.12.18:80) tcp SIS_OPEN
Session 29F5DF74 (192.168.1.14:62723)=>(69.171.235.48:443) tcp SIS_OPEN
Session 29F5534C (192.168.1.14:62794)=>(66.117.29.37:443) tcp SIS_OPEN
Session 29F5F2DC (192.168.1.14:62793)=>(81.144.168.143:443) tcp SIS_OPEN
Session 29F52EA4 (192.168.1.18:53043)=>(17.110.226.11:443) tcp SIS_OPEN

Strange. Everything looks to

Collin Clark — Fri, 16 Jan 2015 16:57:09 GMT

Strange. Everything looks to be configured and working correctly. Let me make sure I understand the issue. When you remove permit ip any any from the ACL all traffic to the internet stops working?

That is correct yes

James Saunders — Fri, 16 Jan 2015 16:58:51 GMT

That is correct yes

Can you remove 'permit ip any

Collin Clark — Fri, 16 Jan 2015 17:01:59 GMT

Can you remove 'permit ip any any' and put in 'deny ip any any log'? Try a webpage, then send the log please.

000507: Jan 16 16:59:37.377

James Saunders — Fri, 16 Jan 2015 17:06:06 GMT

000507: Jan 16 16:59:37.377 gmt: %SEC-6-IPACCESSLOGP: list OUTSIDE_INSIDE denied udp 8.26.56.26(53) -> 86.167.1X.X(51878), 1 packet
000508: Jan 16 16:59:38.377 gmt: %SEC-6-IPACCESSLOGP: list OUTSIDE_INSIDE denied udp 8.20.247.20(53) -> 86.167.X.X(64572), 1 packet

DNS issue?

It would appear I fixed it

James Saunders — Fri, 16 Jan 2015 17:08:26 GMT

It would appear I fixed it hahah, no 100, 100 permit udp any any eq 53

Now all working 🙂

Actually cancel that... only

James Saunders — Fri, 16 Jan 2015 17:12:50 GMT

Actually cancel that... only cached pages 😞 working..

Actually cancel that... only

James Saunders — Fri, 16 Jan 2015 17:13:14 GMT

Actually cancel that... only cached pages 😞 working..

Looks like CBAC is not

Collin Clark — Fri, 16 Jan 2015 17:19:39 GMT

Looks like CBAC is not working correctly. Here's my CBAC config from a working router.

ip inspect max-incomplete high 8000
ip inspect max-incomplete low 7900
ip inspect one-minute low 7900
ip inspect one-minute high 8000
ip inspect udp idle-time 360
ip inspect dns-timeout 10
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 10
ip inspect tcp max-incomplete host 1000 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 60
ip inspect tcp reassembly memory limit 256000
ip inspect name IN_OUT_CBAC icmp
ip inspect name IN_OUT_CBAC http
ip inspect name IN_OUT_CBAC https
ip inspect name IN_OUT_CBAC tcp
ip inspect name IN_OUT_CBAC udp

ok I applied that and was

James Saunders — Fri, 16 Jan 2015 17:33:45 GMT

ok I applied that and was able to get to google but not access the pages.. Look like inboud acl is blocking UDP so I put permit udp any any on and that works

You should not have to do

Collin Clark — Fri, 16 Jan 2015 17:35:21 GMT

You should not have to do that. CBAC should take care of all that stuff for you.

I am at a loss on this..

James Saunders — Fri, 16 Jan 2015 17:39:08 GMT

I am at a loss on this.. Maybe if I put up the entire current config would help?

no service padservice tcp

James Saunders — Sun, 18 Jan 2015 22:29:31 GMT

Post Deleted!!! ###RESOLVED####