topic ACL help in Network Security

ACL help

davidfield — Tue, 12 Mar 2019 00:51:23 GMT

ello All,

I've got a problem on a router with CBAC and an ACL on the outside interface. When I apply the Access-group INTERNET I loose DNS access from inside. The DNS server is the router and name servers 8.8.8.8 8.8.8.4

Can anyone see what I'm doing wrong here? I've been looking at this for hours and I'm getting the mind blur.

Thanks in advance

Dave

ip inspect name CBAC-1 dns

ip inspect name CBAC-1 ftp

ip inspect name CBAC-1 h323

ip inspect name CBAC-1 https

ip inspect name CBAC-1 icmp

ip inspect name CBAC-1 imap

ip inspect name CBAC-1 pop3

ip inspect name CBAC-1 netshow

ip inspect name CBAC-1 shell

ip inspect name CBAC-1 rtsp

ip inspect name CBAC-1 streamworks

ip inspect name CBAC-1 tftp

ip inspect name CBAC-1 vdolive

ip inspect name CBAC-1 tcp

ip inspect name CBAC-1 udp

ip inspect name CBAC-1 pptp

object-group network ABCD

host 195.X.X.53

82.X.X.144 255.255.255.248

host 84.X.X.242

host 84.X.X.243

82.X.X.16 255.255.255.248

195.X.X.8 255.255.255.248

84.X.X.24 255.255.255.248

host 8.8.8.8

host 85.X.X.4

host 8.8.4.4

host 86.X.X.33

interface Dialer1

ip address negotiated

no ip unreachables

ip mtu 1492

ip flow ingress

ip inspect CBAC-1 out

ip access-group INTERNET in

ip access-list extended INTERNET

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any unreachable

permit icmp any any echo

permit udp any any eq non500-isakmp

permit udp any any eq isakmp

permit esp any any

permit gre any any

permit ahp any any

permit tcp object-group ABCD host 109.X.X.81 eq smtp

permit tcp object-group ABCD host 109.X.X.81 eq 22

permit tcp object-group ABCD host 109.X.X.81 eq 3389

permit udp object-group ABCD host 109.X.X.81 eq snmp

permit tcp any host 109.X.X.81 eq pop3

permit tcp any host 109.X.X.81 eq 143

permit tcp any host 109.X.X.81 eq 443

permit tcp any host 109.X.X.82 eq 443

permit tcp any host 109.X.X.82 eq 9000

permit tcp host 84.X.X.27 host 109.X.X.81 eq smtp

permit tcp host 85.X.X.4 host 109.X.X.84 eq 5060

permit udp host 85.X.X.4 host 109.X.X.84 eq 5060

permit udp object-group ABCD host 109.X.X.81 eq domain

Re: ACL help

Karsten Iwen — Wed, 23 Jan 2013 22:30:21 GMT

ip inspect name CBAC-1 tcp router-traffic

ip inspect name CBAC-1 udp router-traffic

ip inspect name CBAC-1 icmp router-traffic

With that, also the outgoing packets from the router are inspected and the answers are allowed in.

If you want to do it only with the ACL you have to configure it the following way (assuming 109.X.X.81 is your outside IP):

permit udp object-group ABCD eq domain host 109.X.X.81

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ACL help

davidfield — Wed, 23 Jan 2013 22:36:25 GMT

Thanks Karsten, Exactly what I was missing was the outbound traffic allow

permit udp object-group ABCD eq domain host 109.X.X.81

Re: ACL help

Karsten Iwen — Wed, 23 Jan 2013 22:53:41 GMT

But the version with the "router-trafic" keyword is much more elegant as you don't need all the lines for return-traffic that is sourced by the router. That also can be outgoing pings, ntp and so on. Give it a try ...

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ACL help

davidfield — Thu, 24 Jan 2013 16:55:26 GMT

Yeah I like it much better. Thanks for this.