Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1724
Views
0
Helpful
8
Replies

ACL to allow NAT traffic on 857 router without CBAC

Go to solution
ramtech.computing
Level 1
Level 1

‎06-21-2011 09:43 PM - edited ‎03-11-2019 01:48 PM

Hi,

I sort of asked this question elsewhere on the forum but the thread went dead again.  So I will ask it explicitly here as a more appropriate forum...

I have a 857 doing NAT for the internal vlan1 interface (192.168.20.0/24) attached traffic.

ip nat source static tcp 192.168.20.5 3389 interface dialer0 3389

ip nat inside source list aclAllowNAT interface dialer0 overload

I would like to turn CBAC (packet inspection) off, but still maintain an ACL on the ingress to Dialer0 (traffic in from the Web) to protect access to some sensitive material (doctor's surgery) and only allow RDP from designated sites.  I realise there are other ways to publish the access to the terminal servers but this way has advantages we need, and is in place.

ip access-list extended aclAllowNAT

permit ip 192.168.16.20.0 0.0.0.255

ip access-list extended aclIngressFromInternet

permit tcp host xx.xx.xx.xx any eq 3389

...


But of course when i do this and apply the access list to dialer0 all NAT traffic stops as it doesn't have CBAC there telling to allow the inspected traffic.

What do i need to put in the aclIngressFromInternet ACL to allow the NAT traffic with CBAC off?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to ramtech.computing

‎06-22-2011 01:07 AM

Yeah, it's always security vs performance.

OK, if you don't want CBAC, then here is the best practise:

For inbound traffic, it is easy as you would already have the ACL configured, just keep using the existing ACL.

For the return of outbound traffic:

permit tcp any host established

permit udp any host

permit icmp any host

As you are performing PAT to the dialer0-interface-ip, the return traffic of outbound traffic should only be towards that IP address, not any other ip addresses.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎06-22-2011 12:41 AM

Unfortunately you can't.

CBAC makes the router stateful, ie: you only need to configure ACL to allow the initial packet and all subsequent packets will be inspected by CBAC as long as it is part of the same session.

Once you turn CBAC off, and if you configure ACL on the dialer interface, then you would need to also configure ACL to allow all return outbound traffic.

Because it is a router, CBAC is the feature to provide stateful connection. Without CBAC, and if you configure ACL, then you would also need to remember about all the return traffic.

Hope that answers your question.

0 Helpful

Go to solution
ramtech.computing
Level 1
Level 1
In response to Jennifer Halim

‎06-22-2011 12:47 AM

Hi Jennifer,

Thanks for the reply.  So does that mean that I would need something like...

permit udp any any

permit tcp any any

permit icmp any any

...

Which of course defaets the whole purpose of having the ACL in the incoming from net.  Is there no

permit any any establised

or similar that will allow the NAT traffic only?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to ramtech.computing

‎06-22-2011 12:52 AM

The only any any "established" keyword available is for TCP traffic, because TCP uses state, or is a stateful connection. UDP and ICMP are both stateless connection.

The purpose of having an ACL is if you have a combination of the ACL with CBAC so CBAC can inspect the traffic accordingly, otherwise, the router does not keep the state of the connection.

Router function is to route the traffic as fast as possible. So if you would like the router to look into the state of the connection, you would need to enable CBAC.

Is there any reason you do not want to enable CBAC?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Jennifer Halim

‎06-22-2011 12:53 AM

Otherwise, you might want to look into ASA firewall, as its default function is as a security device, so inspecting the connection is by default enabled on the ASA.

0 Helpful

Go to solution
ramtech.computing
Level 1
Level 1
In response to Jennifer Halim

‎06-22-2011 12:56 AM

mainly speed Jennifer.

I have long had a "standard" config I use on 800 series routers that employs CBAC and ACLs to "keep the world safe".  I am just trying to see if there is a better way to control who can and who can't get to published services other than open it all up and hope no one compromises a password.

Is there a better way?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to ramtech.computing

‎06-22-2011 01:07 AM

Yeah, it's always security vs performance.

OK, if you don't want CBAC, then here is the best practise:

For inbound traffic, it is easy as you would already have the ACL configured, just keep using the existing ACL.

For the return of outbound traffic:

permit tcp any host established

permit udp any host

permit icmp any host

As you are performing PAT to the dialer0-interface-ip, the return traffic of outbound traffic should only be towards that IP address, not any other ip addresses.

0 Helpful

Go to solution
ramtech.computing
Level 1
Level 1
In response to Jennifer Halim

‎06-22-2011 01:12 AM

Fantastic.  Thanks so much Jennifer.  You have answered what everyone else skirt around.  Unfortunately one last dumb question...

those lines go in what acl in what direction?

are they part of the

ip access-class Internet_Inbound in

configure on dialer0?  If not where and what direction?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to ramtech.computing

‎06-22-2011 02:52 AM

Yes, you are absolutely right.

As per your first post, the ACL name is "aclingressFromInternet", you can just continue the ACL line on the same ACL.

And it should be in the "in" direction on dialer0 interface.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card