03-01-2022 09:05 AM
I have just been handed over infra without diagrams or information as the previous guy left without notice. Hope experts here can enlighten me or at least point me in the right direction. Everything was working fine till our proxy server went down. I am not sure how the previous implementation "forced" internet traffic through the proxy.
The company is using Checkpoint as its firewall solution with a Cisco 2911 ISR facing the Internet / acting as the WAN router. To simplify, it's like this:
Clients/Servers/Devices ---> Switch --> Checkpoint FW ---> DMZ Switch --> Cisco 2911 WAN Router --> Internet
Here is the router config:
interface Port-channel1
description to CP-FW
ip address 203.X.X.29 255.255.255.224
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN Internet
ip address 164.x.x.230 255.255.255.252
ip access-group BLOCK_INB in
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
!
interface GigabitEthernet0/1
description To DMZSwitch
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
channel-group 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 164.X.X.229
ip route 192.168.5.0 255.255.255.0 203.X.X.30
ip route 203.X.X.0 255.255.255.224 203.X.X.30
ip ssh time-out 60
ip ssh version 2
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-ctr
ip ssh client algorithm mac hmac-sha1
ip ssh client algorithm encryption aes256-ctr
!
!
ip access-list extended BLOCK_INB
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip host 255.255.255.255 any log
permit ip any any log
deny ip any any log
!
access-list 101 deny icmp any any redirect
access-list 101 deny icmp any any timestamp-request
access-list 101 deny icmp any any information-request
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 161.229.0.0 0.0.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 172.0.0.0 0.31.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny udp any any eq 0
access-list 101 permit ip any any log
access-list 102 permit ip 203.X.X.0 0.0.0.31 any
access-list 102 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 deny udp any any eq 0
access-list 102 deny ip any any log
access-list 103 deny udp any any eq 0
access-list 103 permit ip any any log
03-01-2022 09:14 AM
As per your description of the problem, you have not changed anything on the router (have you?)
The ACL looks OK at a high level.
My guess is your Checkpoint is doing NAT here for your local Internet.
To confirm whether you have Internet or not, connect any device using a public IP in the DMZ switch and check whether the Internet is working or not.
What is your LAN-side IP address?
03-01-2022 09:22 AM
Thanks! I had a feeling it must be something related to NAT on the firewall side.
My LAN side client IP address is 192.168.5.x
All the clients/servers are not able to access the Internet at all (once the proxy is disabled). How do you even "force" traffic to make use of a 3rd party proxy?
One more novice question on the "BLOCK_INB" ACL (which is applied on the WAN interface): deny ip any any log
Wouldn't this cause any/all return traffic to be blocked?
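Added example (not part of this thread, and not a Cisco tool): a small Python model of the BLOCK_INB ACL posted above, using IOS first-match semantics and the original wildcard masks, so the question about the trailing "deny ip any any" can be checked. It evaluates sample source addresses against the list and reports entries that can never match because an earlier entry already covers their whole source range.

```python
import ipaddress

# Transcription of the BLOCK_INB ACL from the router config above:
# (action, source address, IOS wildcard mask). Every line uses "any" as
# destination, so only the source is modelled. "any" == 0.0.0.0 255.255.255.255.
BLOCK_INB_LINES = [
    ("deny", "127.0.0.0", "0.255.255.255"),
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "0.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "192.0.2.0", "0.0.0.255"),
    ("deny", "169.254.0.0", "0.0.255.255"),
    ("deny", "224.0.0.0", "31.255.255.255"),
    ("deny", "255.255.255.255", "0.0.0.0"),        # "host 255.255.255.255"
    ("permit", "0.0.0.0", "255.255.255.255"),     # "permit ip any any log"
    ("deny", "0.0.0.0", "255.255.255.255"),       # "deny ip any any log"
]


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to a network, e.g.
    224.0.0.0 31.255.255.255 -> 224.0.0.0/3 (wildcard bits are host bits)."""
    hostmask = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~hostmask) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


BLOCK_INB = [(act, wildcard_to_network(a, w)) for act, a, w in BLOCK_INB_LINES]


def evaluate(acl, src_ip):
    """IOS evaluates an ACL top-down and stops at the first matching entry.
    Returns (action, index); index None means the implicit deny at the end."""
    ip = ipaddress.IPv4Address(src_ip)
    for idx, (action, net) in enumerate(acl):
        if ip in net:
            return action, idx
    return "deny", None


def shadowed_entries(acl):
    """Indices of entries that can never be hit: an earlier entry already
    covers their entire source range, whatever its action."""
    return [j for j, (_, net_j) in enumerate(acl)
            if any(net_j.subnet_of(net_i) for _, net_i in acl[:j])]


if __name__ == "__main__":
    for src in ("8.8.8.8", "192.168.5.10", "239.1.1.1"):   # constructed samples
        print(src, "->", evaluate(BLOCK_INB, src))
    print("unreachable entries:", shadowed_entries(BLOCK_INB))
```

Return traffic from a public source hits the "permit ip any any" entry first, so the trailing deny never sees a packet; the check also shows the "host 255.255.255.255" line is already covered by the 224.0.0.0/3 entry above it.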
03-01-2022 09:27 AM
All the clients/servers are not able to access Internet at all (once proxy is disabled).
How is the proxy configured? Manually in the browser? Check the browser's proxy settings.
If you remove the proxy, the FW is not able to make a connection due to NAT; I believe in your CP only the proxy IP is allowed and NATted (as per the information).
How do you even "force" traffic to make use of a 3rd party proxy?
What 3rd party proxy? Any brand? Is this up and running?
03-01-2022 09:37 AM
Thanks yet again, I understand this is the Cisco forum but you have been helpful. I will try to check Checkpoint FW once I am back in office and see if there are any options to "bypass" proxy. Or if any of the switches are "redirecting" traffic to proxy.
03-01-2022 09:43 AM - edited 03-01-2022 09:43 AM
I can understand the situation now.
You have 2 options:
1. Configure Checkpoint to NAT all internal IP addresses, so all devices can access the Internet (link given below; not sure if you are running R80?)
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/6724.htm
2. If you have a spare PC, you can install Linux and Squid (this acts as the proxy) in place of the Barracuda proxy, using the same IP address; that resolves the issue.
https://www.digitalocean.com/community/tutorials/how-to-set-up-squid-proxy-on-ubuntu-20-04
You choose which one is best. Let me know any help I can do to help resolve the issue; happy to help get your network connection back and users happily using the Internet again.