topic Re: IOS ACL Help in Network Security

IOS ACL Help

pdvcisco — Mon, 11 Mar 2019 22:11:23 GMT

Hello,

On a 2821 Router with 15.1(3)T1

I have an IPSec VPN and NAT configured. Return traffic from an internal NAT host seems to be blocked by the WAN inbound ACL. What is the proper way to allow return traffic from the Internet for this internat NAT host? Note: As a test, removing the deny entry on the WAN ACL allows return traffic.

Below is config detail and a console log entry.

Thanks,

Dan

interface GigabitEthernet0/0.2

encapsulation dot1Q 2

ip address 192.168.10.252 255.255.255.0

ip nat inside

interface GigabitEthernet0/1

description WAN$ETH-WAN$

ip address 207.xx.xx.02 255.255.255.240 secondary

ip address 207.xx.xx.xx 255.255.255.240

ip access-group WAN in

ip nat outside

crypto map 3377

ip nat pool Corp 207.xx.xx.02 207.xx.xx.02 netmask 255.255.255.240

ip nat inside source route-map SDM_RMAP_1 pool Corp overload

ip access-list extended WAN

permit ahp host 66.xx.xx.xx host 207.xx.xx.xx

permit esp host 66.xx.xx.xx host 207.xx.xx.xx

permit udp host 66.xx.xx.xx host 207.xx.xx.xx eq isakmp

permit udp host 66.xx.xx.xx host 207.xx.xx.xx eq non500-isakmp

permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255

deny ip any any log

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

route-map SDM_RMAP_1 permit 1

match ip address 100

Console Log Entry:

SEC-6-IPACCESSLOGP: list WAN denied tcp 173.223.52.34(80) -> 207.xx.xx.xx.02(4974), 1 packet

Re: IOS ACL Help

Julio Carvajal — Fri, 06 Jan 2012 18:32:25 GMT

Hello,

You can configure Reflexive ACLs, CBAC or ZBFW so the connections being innitiated on the inside can be inspected and allowed ( return traffic).

The easiest to configure is CBAC, but the most flexible is ZBFW.

CBAC:

http://docwiki.cisco.com/wiki/CBAC

ZBF:

http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/

Reflexive ACL:

http://www.orbit-computer-solutions.com/Reflexive-ACLs.php

Regards.

Julio

Re: IOS ACL Help

pdvcisco — Fri, 06 Jan 2012 19:54:24 GMT

Julio,

Thanks. I went with CBAC. Yes, it was more simple to configure. Traffic is now returning!

I see the VPN traffic is getting inpsected (I put the CBAC on the Outside Interface - Outbound). Is there a way to skip the inspecting of VPN traffic, assuming it is using CPU cycles unnessarily to inpsect this traffic?

Dan

Re: IOS ACL Help

Julio Carvajal — Fri, 06 Jan 2012 20:22:26 GMT

Hello,

Great to hear that is working, CBAC is not going to inspect the VPN traffic due to encryption..

Regards,

Re: IOS ACL Help

pdvcisco — Fri, 06 Jan 2012 21:37:38 GMT

Julio,

I see it is inspecting VPN traffic before it goes to the tunnel.

Dan

Re: IOS ACL Help

Julio Carvajal — Fri, 06 Jan 2012 22:18:28 GMT

Hello,

Can you post your CBAC configuration?

The thing with CBAC is that its not flexible at all, so or you inpect x traffic or not.

So lets see the following example.

You have a VPN established, and on the remote site there is a HTTP server.

On your CBAC config you are inspecting HTTP, so that traffic will be inspected no matter what, there is such an option to avoid that, in fact that is the whole purpose of ZBFW ( Flexible).

Rate if this helps.

Julio

Re: IOS ACL Help

pdvcisco — Fri, 06 Jan 2012 22:28:26 GMT

Julio,

Thanks. Looks as if it is functioning as expected then.

ip inspect log drop-pkt

ip inspect name Corp tcp

ip inspect name Corp udp

ip inspect name Corp ftp

ip inspect name Corp icmp

ip inspect Corp out

show ip inspect seession

(Result below is traffic before going through VPN)

Session 49F9DB08 (192.168.10.163:161)=>(192.168.7.108:1796) udp SIS_OPEN

Session 49F983E8 (192.168.10.3:161)=>(192.168.7.108:1825) udp SIS_OPEN

Session 4CCD35E4 (192.168.10.83:161)=>(192.168.7.108:2092) udp SIS_OPEN

Session 4CCD4084 (192.168.10.82:161)=>(192.168.7.108:2089) udp SIS_OPEN

Session 49F9C188 (192.168.10.106:58020)=>(192.168.7.61:5723) tcp SIS_OPEN

Session 4CCD2704 (192.168.10.163:161)=>(192.168.7.108:2118) udp SIS_OPEN

Session 49F961E8 (192.168.10.3:161)=>(192.168.7.108:1948) udp SIS_OPEN

Dan

Re: IOS ACL Help

Julio Carvajal — Fri, 06 Jan 2012 22:32:18 GMT

Hello,

Yeap, that is the thing with CBAC, In fact is working as it should.

Hope this helps.

Have a great weekend, any other question just let me know.

Julio