topic Re: IPBASE in Network Security

IPBASE

cae_technology — Tue, 12 Mar 2019 00:43:46 GMT

HI I have an issue when configuring to allow web browsing. We replaced an 800 router with an 1921.

the 800 works fine, but we have a problem with the 1900 in that we use ACLs to allow web traffic. the acl is set to allow from the outside any ip address. To inside lan subnet. this works fine, but I would like to be more granular. Whe I set it to allow on the previous example, but only for web traffic. I cannot browse. It all stops working. I have logged the acl and it shows me what I expect, in that an outside address on port 80 is being blocked.

The difference between the old router and the new one, is that the old one has advsecurity feature, but the new one is ipbase only.

I didn't think you needed advsec feature set for port based acls?

IPBASE

Henrik Grankvist — Sun, 06 Jan 2013 15:53:47 GMT

Please post the config. Maybe there is just an simple mistake.

IPBASE

cae_technology — Sun, 06 Jan 2013 16:04:05 GMT

Ip addresses below are used as an example and are not actual

interface GigabitEthernet0/1

desc link to internet

ip address 1.1.1.234 255.255.255.248

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

ip verify unicast reverse-path

duplex auto

speed auto

access-list 101 permit tcp any host 1.1.1.234 eq 22 log

access-list 101 permit tcp any host 1.1.1.235 eq smtp log

access-list 101 permit tcp any host 1.1.1.235 eq www log

access-list 101 permit tcp any host 1.1.1.235 eq 443 log

access-list 101 permit tcp any host 1.1.1.236 eq 443 log

access-list 101 permit tcp any host 1.1.1.236 eq www log

access-list 101 permit icmp any host 1.1.1.232 echo-reply log

access-list 101 permit icmp any host 1.1.1.234 echo-reply log

access-list 101 permit icmp any host 1.1.1.234 time-exceeded log

access-list 101 permit icmp any host 86.188.151.234 unreachable log

the local interface is as follows

interface GigabitEthernet0/0

desc lan interface

ip address 10.10.10.10 255.255.255.0

ip access-group 100 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

duplex auto

speed auto

access-list 100 deny ip 1.1.1.0 0.0.0.255 any

access-list 100 deny ip host 255.255.255.255 any

access-list 100 permit ip any any

IPBASE

cae_technology — Sun, 06 Jan 2013 16:06:23 GMT

sorry forgot to say,

I then added

7 permit ip any any (which worked)

I then added 7 permit tcp any 10.10.10.0 0.0.0.255 eq www ( that failed)

7 permit tcp any 10.10.10.0 0.0.0.255 eq established ( failed)

7 permit tcp any 10.10.10.0 0.0.0.255 eq 80 (failed)

Re: IPBASE

Karsten Iwen — Sun, 06 Jan 2013 17:21:38 GMT

if you want to allow the return-traffic for Web-browsing then you need the following lines:

permit tcp any eq 80 host PUBLIC-IP established ! for http

permit tcp any eq 443 host PUBLIC-IP established ! for HTTPS

PUBLIC-IP is the IP that you use for outgoing NAT.

The better way would be to add the SECURITY-license because then you can activate the IOS-firewall which will give you better security.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

IPBASE

cae_technology — Sun, 06 Jan 2013 19:20:26 GMT

that did it, many thanks. I see I was putting in the lan address rather than the public one