515 Views, 5 Helpful, 7 Replies
IOS ACL Help

Hello,

On a 2821 Router with 15.1(3)T1

I have an IPSec VPN and NAT configured.  Return traffic from an internal NAT host seems to be blocked by the WAN inbound ACL. What is the proper way to allow return traffic from the Internet for this internal NAT host?  Note: As a test, removing the deny entry on the WAN ACL allows return traffic.

Below is config detail and a console log entry.

Thanks,

Dan

!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.10.252 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN$ETH-WAN$
 ip address 207.xx.xx.02 255.255.255.240 secondary
 ip address 207.xx.xx.xx 255.255.255.240
 ip access-group WAN in
 ip nat outside
 crypto map 3377
!
ip nat pool Corp 207.xx.xx.02 207.xx.xx.02 netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_1 pool Corp overload
!
ip access-list extended WAN
 permit ahp host 66.xx.xx.xx host 207.xx.xx.xx
 permit esp host 66.xx.xx.xx host 207.xx.xx.xx
 permit udp host 66.xx.xx.xx host 207.xx.xx.xx eq isakmp
 permit udp host 66.xx.xx.xx host 207.xx.xx.xx eq non500-isakmp
 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip any any log
!
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!

Console Log Entry:

SEC-6-IPACCESSLOGP: list WAN denied tcp 173.223.52.34(80) -> 207.xx.xx.xx.02(4974), 1 packet

Accepted Solution

Hello,

You can configure Reflexive ACLs, CBAC or ZBFW so the connections being initiated on the inside can be inspected and allowed (return traffic).

The easiest to configure is CBAC, but the most flexible is ZBFW.

CBAC:

http://docwiki.cisco.com/wiki/CBAC

ZBF:

http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/

Reflexive ACL:

http://www.orbit-computer-solutions.com/Reflexive-ACLs.php

Regards.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
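The question and this answer both turn on one point: "ip access-group WAN in" on Gi0/1 is stateless. The reply to a connection an inside host opened arrives on the outside interface, is checked against the ACL before NAT translates the pool address back to the inside host (which is why the console log shows the .02 pool address as destination), matches nothing but "deny ip any any log", and is dropped. CBAC, reflexive ACLs and ZBFW all solve this the same way at heart: they record the outbound flow and admit its reverse. The Python below is an added example, not code from this thread or from Cisco. It parses the WAN ACL from the original post, evaluates the logged packet first statelessly and then against a small session table, and checks that an unsolicited packet from the same server is still denied and that the VPN peer's ESP is still permitted. The masked addresses are replaced by constructed TEST-NET placeholders (203.0.113.1 for the Gi0/1 primary, 203.0.113.2 for the NAT pool address, 198.51.100.10 for the 66.xx.xx.xx peer), and the inside host 192.168.10.50 is likewise made up. Real CBAC also tracks TCP state and idle timeouts, which this model leaves out.

```python
"""Stateless ACL vs. stateful inspection of return traffic (added example).
Masked addresses from the post are replaced by constructed TEST-NET placeholders:
203.0.113.1 = Gi0/1 primary, 203.0.113.2 = NAT pool (.02), 198.51.100.10 = VPN peer."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# The WAN ACL from the post, placeholders substituted, first-match order.
WAN_ACL = """
permit ahp host 198.51.100.10 host 203.0.113.1
permit esp host 198.51.100.10 host 203.0.113.1
permit udp host 198.51.100.10 host 203.0.113.1 eq isakmp
permit udp host 198.51.100.10 host 203.0.113.1 eq non500-isakmp
permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip any any log
"""
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "www": 80, "domain": 53}
Ace = namedtuple("Ace", "action proto src sport dst dport text")

@dataclass(frozen=True)
class Packet:
    proto: str            # tcp, udp, esp, ahp, icmp
    src: str
    sport: Optional[int]  # None for protocols without ports
    dst: str
    dport: Optional[int]

def _parse_addr(t, i):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2  # wildcard = host mask

def _parse_port(t, i):
    # Optional 'eq NAME|NUMBER' qualifier.
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    # Parses the extended-ACL subset used in the post.
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport, line))
    return aces

def ace_matches(ace, p):
    return (ace.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ace.src
            and ipaddress.ip_address(p.dst) in ace.dst
            and ace.sport in (None, p.sport) and ace.dport in (None, p.dport))

def stateless_lookup(aces, p):
    """All 'ip access-group WAN in' does: first match wins, implicit deny last,
    no memory of which flows the inside hosts started."""
    for ace in aces:
        if ace_matches(ace, p):
            return ace.action, ace.text
    return "deny", "(implicit deny)"

def reverse(p):
    # The 5-tuple a reply to p carries.
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport)

def open_session(outbound, nat_global):
    """What CBAC / a reflexive ACL records when the first packet leaves Gi0/1:
    the flow as it appears on the outside, i.e. with the translated source."""
    return Packet(outbound.proto, nat_global, outbound.sport, outbound.dst, outbound.dport)

def stateful_lookup(sessions, aces, p):
    """A reply to a recorded session is admitted ahead of the interface ACL;
    anything else still goes through the stateless ACL."""
    if reverse(p) in sessions:
        return "permit", "return traffic of an inspected session"
    return stateless_lookup(aces, p)

WAN = parse_acl(WAN_ACL)
# The denied packet from the console log (NAT pool placeholder as destination).
RETURN_PKT = Packet("tcp", "173.223.52.34", 80, "203.0.113.2", 4974)
# Constructed: the inside host's request this packet answers, before NAT.
OUTBOUND_PKT = Packet("tcp", "192.168.10.50", 4974, "173.223.52.34", 80)
SESSIONS = {open_session(OUTBOUND_PKT, "203.0.113.2")}
# Constructed: same server, but to a port no inside host ever spoke to.
UNSOLICITED_PKT = Packet("tcp", "173.223.52.34", 80, "203.0.113.2", 5000)

def demo():
    # (action, matching entry) for each case.
    return {
        "stateless": stateless_lookup(WAN, RETURN_PKT),
        "stateful": stateful_lookup(SESSIONS, WAN, RETURN_PKT),
        "unsolicited": stateful_lookup(SESSIONS, WAN, UNSOLICITED_PKT),
        "vpn_esp": stateless_lookup(WAN, Packet("esp", "198.51.100.10", None, "203.0.113.1", None)),
    }
```

Calling demo() gives "deny" on "deny ip any any log" for the logged packet under the stateless ACL, "permit" for the same packet once the outbound session is recorded, "deny" for the unsolicited packet, and "permit" on the ESP line for the peer. The reason removing the deny entry "worked" in the original test is visible here too: it turns the stateless lookup into an implicit-deny-only check for the Internet, which admits every inbound packet that no other line rejects.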

7 Replies

Julio,

Thanks. I went with CBAC. Yes, it was more simple to configure.  Traffic is now returning!

I see the VPN traffic is getting inspected (I put the CBAC on the Outside Interface - Outbound).  Is there a way to skip the inspecting of VPN traffic, assuming it is using CPU cycles unnecessarily to inspect this traffic?

Dan


Hello,

Great to hear that it is working. CBAC is not going to inspect the VPN traffic due to encryption.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I see it is inspecting VPN traffic before it goes to the tunnel.

Dan


Hello,

Can you post your CBAC configuration?

The thing with CBAC is that it's not flexible at all, so either you inspect x traffic or not.

So lets see the following example.

You have a VPN established, and on the remote site there is a HTTP server.

On your CBAC config you are inspecting HTTP, so that traffic will be inspected no matter what, there is such an option to avoid that, in fact that is the whole purpose of ZBFW ( Flexible).

Rate if this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Thanks. Looks as if it is functioning as expected then.

ip inspect log drop-pkt
ip inspect name Corp tcp
ip inspect name Corp udp
ip inspect name Corp ftp
ip inspect name Corp icmp
ip inspect Corp out

show ip inspect session

(Result below is traffic before going through VPN)

Session 49F9DB08 (192.168.10.163:161)=>(192.168.7.108:1796) udp SIS_OPEN
Session 49F983E8 (192.168.10.3:161)=>(192.168.7.108:1825) udp SIS_OPEN
Session 4CCD35E4 (192.168.10.83:161)=>(192.168.7.108:2092) udp SIS_OPEN
Session 4CCD4084 (192.168.10.82:161)=>(192.168.7.108:2089) udp SIS_OPEN
Session 49F9C188 (192.168.10.106:58020)=>(192.168.7.61:5723) tcp SIS_OPEN
Session 4CCD2704 (192.168.10.163:161)=>(192.168.7.108:2118) udp SIS_OPEN
Session 49F961E8 (192.168.10.3:161)=>(192.168.7.108:1948) udp SIS_OPEN

Dan
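What the session table above shows is the order of operations on Gi0/1: "ip inspect Corp out" runs on the cleartext packet before crypto map 3377 encapsulates it, so flows bound for 192.168.7.0/24 are recorded with their inside addresses, side by side with the NATed Internet flows. The script below is an added example, not code from this thread or from Cisco. It parses "show ip inspect session" lines, tags each session with the same split that ACL 100 and the route-map make (inside to 192.168.7.0/24 is exempt from NAT and goes into the tunnel; everything else is translated and leaves in the clear), and counts the two. The first three sample lines are copied from the output above; the fourth is constructed to stand in for the Internet-bound HTTP flow from the original console log, with a made-up session id and inside host.

```python
"""Tag 'show ip inspect session' entries by the path they take (added example).
The split mirrors ACL 100 in the original config: inside -> 192.168.7.0/24 is
exempt from NAT and encrypted by the crypto map; everything else is NATed."""
import ipaddress
import re

INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")
VPN_NET = ipaddress.ip_network("192.168.7.0/24")   # remote site behind the tunnel
SESSION_RE = re.compile(
    r"^Session (?P<id>\w+) \((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\) (?P<proto>\w+) (?P<state>\w+)$")

# First three lines copied from the thread's output; the last one is constructed
# (fake id, fake inside host) to represent the Internet-bound HTTP flow.
SAMPLE = """\
Session 49F9DB08 (192.168.10.163:161)=>(192.168.7.108:1796) udp SIS_OPEN
Session 49F9C188 (192.168.10.106:58020)=>(192.168.7.61:5723) tcp SIS_OPEN
Session 4CCD2704 (192.168.10.163:161)=>(192.168.7.108:2118) udp SIS_OPEN
Session 0000DEAD (192.168.10.50:4974)=>(173.223.52.34:80) tcp SIS_OPEN
"""

def classify(line):
    """Parsed session with an added 'path' field, or None for a non-session line."""
    m = SESSION_RE.match(line.strip())
    if not m:
        return None
    s = m.groupdict()
    s["sport"], s["dport"] = int(s["sport"]), int(s["dport"])
    src, dst = ipaddress.ip_address(s["src"]), ipaddress.ip_address(s["dst"])
    if src in INSIDE_NET and dst in VPN_NET:
        s["path"] = "vpn"           # NAT-exempt by ACL 100, encrypted by crypto map 3377
    elif src in INSIDE_NET:
        s["path"] = "nat-internet"  # translated to the pool address, sent in the clear
    else:
        s["path"] = "other"
    return s

def summarize(text):
    """Sessions per path: how much of the inspect table is tunnel traffic."""
    counts = {"vpn": 0, "nat-internet": 0, "other": 0}
    for line in text.splitlines():
        s = classify(line)
        if s:
            counts[s["path"]] += 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        s = classify(line)
        print(f'{s["id"]} {s["proto"]} {s["src"]}:{s["sport"]} -> {s["dst"]}:{s["dport"]}  [{s["path"]}]')
    print(summarize(SAMPLE))
```

Run against a pasted "show ip inspect session" capture, summarize() reports how many entries are tunnel-bound; with the CBAC configuration shown above that share cannot be brought to zero, since inspection happens per interface and protocol rather than per flow, which is the point Julio makes about CBAC versus ZBFW.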


Hello,

Yeap, that is the thing with CBAC. In fact it is working as it should.

Hope this helps.

Have a great weekend, any other question just let me know.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC