cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4763
Views
0
Helpful
6
Replies

Cisco IOS outbound filtering

Trent Renshaw
Level 1
Level 1

Hi,

I am hoping someone can help with configuring a Cisco 881 which does NAT for the vlan and has a handful of port forwards from the WAN interface to hosts on the vlan.

I've created an extended access-list named 'outbound-filter' with the following rules:

    ip access-list extended outbound-filter

    permit icmp any any

    permit tcp any any eq 20

    permit tcp any any eq 21

    permit tcp any any eq 22

    permit tcp host 172.16.1.12 any eq smtp

    permit tcp any any eq 43

    permit tcp any any eq 53

    permit udp any any eq 53

    permit tcp any any eq 80

    permit tcp any any eq 110

    permit tcp any any eq 143

    permit tcp any any eq 443

    permit tcp any any eq 993

    permit tcp any any eq 995

    permit tcp any any eq 3389

    permit tcp any any eq 5060

    permit udp any any eq 5060

    permit tcp any any eq 5242

    permit udp any any eq 5243

    permit tcp any any eq 4244

    permit tcp any any eq 7071

    permit udp any any eq 9785

This is all that we want to allow out to the Internet.

From the Internet, we have the following ip nat inside rules:

    ip nat inside source list 1 interface FastEthernet4 overload

    ip nat inside source static tcp 172.16.1.12 25 59.100.202.46 25 extendable

    ip nat inside source static tcp 172.16.1.12 443 59.100.202.46 443 extendable

    ip nat inside source static tcp 172.16.1.16 3389 59.100.202.46 3389 extendable

    !

    access-list 1 permit 172.16.0.0 0.0.255.255

The filter works fine if I apply it to int vlan1 as follows:

    ip access-group outbound-filter in

But once applied, the port forwards no longer work unless I add 'permit ip any any' to the 'outbound-filter' ACL which essentially defeats the purpose.

Do I need a separate ACL 'inbound-filter' and 'outbound-filter' any apply them separating to the WAN and vlan interfaces?

Would appreciate anyone able to offer some guidance.

Many thanks,

Trent.

3 Accepted Solutions

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

Trent

The problem for the forwards is thre return traffic from your LAN to the internet. So lets say a host on the internet 195.10.166.10 connects to 59.100.202.46 using https (443)

inbound from internet -

src IP 195.10.166.10  src port random (lets use 42001) 

dst IP 59.100.202.46  dst port 443

so far so good - nothing is stopping that traffic 

return to internet -

src IP 59.100.202.46 src port 443

dst IP 195.10.166.10 dst port 42001

but your acl on vlan 1 will block this traffic. You do have a rule for 443 which says -

permit tcp any any eq 443

but as you can see from the above with the return traffic 443 is the src port and not the dst port so it doesn't match.

The simplest solution is to add this to your acl

permit tcp host 172.16.1.12 eq 443 any

and you would need rules for the other 2 as well ie. ports 25 & 3389.

Reflexive acls can take care of some of this for you because if you allow a connection in (or out) a temporary entry is made to allow the traffic back out. But as i understand you do not have an acl applied inbound on the outside interface so unless you did apply you would gain little by using.

One step further from reflexive acls is a firewall. Your router with the right feature set may well be able to run a firewall which again would take care of the return traffic for you.

It is not recommended to have no inbound acl on the outside of your router if this is the only device between you and the internet ie. there is no firewall elsewhere.

But the above entries to your acl should at least get you going for now.

Jon

View solution in original post

You could try to use CBAC to allow the return traffic.  The following will track all UDP, TCP and ICMP traffic that enters the interface and allow the return traffic.  Your ACL which is assigned to the interface will allow or block the traffic you specify.

ip inspect name FILTER tcp

ip inspect name FILTER udp

ip inspect name FILTER icmp

interface

ip access-group outbound-filter in

ip inspect FILTER in

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Here is an example of how a reflexive ACL would be configured.  What it does is to dynamically add an ACL entry to allow returning traffic that is generated from the inside network and exits the interface where the ACL is configured.

ip access-list extended IN-TO-OUT

permit tcp any any reflect TRAFFIC

permit udp any any refelct TRAFFIC

ip access-list extended OUT-TO-IN

permit tcp any any eq http

permit tcp any any eq https

evaluate TRAFFIC

interface gig0/1

description INTERNET FACING INTERFACE

ip add 123.213.221.1 255.255.255.252

access-group IN-TO-OUT out

access-group OUT-TO-IN in

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

Trent

The problem for the forwards is thre return traffic from your LAN to the internet. So lets say a host on the internet 195.10.166.10 connects to 59.100.202.46 using https (443)

inbound from internet -

src IP 195.10.166.10  src port random (lets use 42001) 

dst IP 59.100.202.46  dst port 443

so far so good - nothing is stopping that traffic 

return to internet -

src IP 59.100.202.46 src port 443

dst IP 195.10.166.10 dst port 42001

but your acl on vlan 1 will block this traffic. You do have a rule for 443 which says -

permit tcp any any eq 443

but as you can see from the above with the return traffic 443 is the src port and not the dst port so it doesn't match.

The simplest solution is to add this to your acl

permit tcp host 172.16.1.12 eq 443 any

and you would need rules for the other 2 as well ie. ports 25 & 3389.

Reflexive acls can take care of some of this for you because if you allow a connection in (or out) a temporary entry is made to allow the traffic back out. But as i understand you do not have an acl applied inbound on the outside interface so unless you did apply you would gain little by using.

One step further from reflexive acls is a firewall. Your router with the right feature set may well be able to run a firewall which again would take care of the return traffic for you.

It is not recommended to have no inbound acl on the outside of your router if this is the only device between you and the internet ie. there is no firewall elsewhere.

But the above entries to your acl should at least get you going for now.

Jon

You could try to use CBAC to allow the return traffic.  The following will track all UDP, TCP and ICMP traffic that enters the interface and allow the return traffic.  Your ACL which is assigned to the interface will allow or block the traffic you specify.

ip inspect name FILTER tcp

ip inspect name FILTER udp

ip inspect name FILTER icmp

interface

ip access-group outbound-filter in

ip inspect FILTER in

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Trent Renshaw
Level 1
Level 1

Thank you Jon and Marius. You are both correct and I have used both your answers in my solution. CBAC so Skype and other allowed apps can negotiate dynamic ports for file transfers etc. and the addtional permit rules for the port forwards to permit SMTP, https and RDP to the respective hosts.

I would still be interested to see an answer that illustrates using reflexive access lists.

Much appreciated,

Trent

Here is an example of how a reflexive ACL would be configured.  What it does is to dynamically add an ACL entry to allow returning traffic that is generated from the inside network and exits the interface where the ACL is configured.

ip access-list extended IN-TO-OUT

permit tcp any any reflect TRAFFIC

permit udp any any refelct TRAFFIC

ip access-list extended OUT-TO-IN

permit tcp any any eq http

permit tcp any any eq https

evaluate TRAFFIC

interface gig0/1

description INTERNET FACING INTERFACE

ip add 123.213.221.1 255.255.255.252

access-group IN-TO-OUT out

access-group OUT-TO-IN in

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

I like that solution, looks cleaner than using CBAC. Your example appears to allow any tcp or udp traffic out to the Internet?

If I want to lock this down to just ICMP, HTTP/S, HTTP/S alternates, FTP, DNS and mail (IMAP/S and POP3/S) and cater for our port forwards from the Internet for SMTP and RDP, would I be correct in making the following changes?

ip access-list extended IN-TO-OUT

permit icmp any any reflect TRAFFIC

permit tcp any any eq ftp-data reflect TRAFFIC

permit tcp any any eq ftp reflect TRAFFIC

permit tcp any any eq domain reflect TRAFFIC

permit udp any any eq domain reflect TRAFFIC

permit tcp any any eq www reflect TRAFFIC

permit tcp any any eq pop3 reflect TRAFFIC

permit tcp any any eq 143 reflect TRAFFIC

permit tcp any any eq 443 reflect TRAFFIC

permit tcp any any eq 993 reflect TRAFFIC

permit tcp any any eq 995 reflect TRAFFIC

permit tcp any any eq 8080 reflect TRAFFIC

permit tcp any any eq 8443 reflect TRAFFIC

ip access-list extended OUT-TO-IN

permit tcp host 172.16.1.12 eq 25 any

permit tcp host 172.16.1.16 eq 3389 any

evaluate TRAFFIC

interface Fa4

access-group IN-TO-OUT out

access-group OUT-TO-IN in

Many thanks,

Trent

The difference between CBAC and reflective ACL is that CBAC turns the router into a stateful device while the reflective ACL just adds an entry in the inbound ACL for return traffic.

The command inspect name FILTER TCP doesn't let all TCP through the router (all traffic is permitted through the router by default), it just tells the router to keep track of TCP type traffic.  Then you need to create the ACLs which permit the traffic you want with a deny any any at the end of it.  Then you can add a deny any any inbound  and the router will track the connection states of what leaves and enters the interface.  CBAC is a more secure way of allowing return traffic as it keeps track of the ACK and SEQ fields in the packets.  This meaning that if a packet is received with a different SEQ number than expected the packet is dropped.  This doesn't happen when using a reflexive ACL.

Also:

permit icmp any any reflect TRAFFIC

This command is not supported with a reflective ACL.

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: