12-05-2013 12:10 PM - edited 03-11-2019 08:13 PM
Hi Guys,
I'm having a potential issue with trying to configure basic firewalling on my Cisco 881 router and denying all traffic from the internet.
My config below:
ip inspect name FIREWALL tcp timeout 300
ip inspect name FIREWALL udp timeout 300
!
interface FastEthernet4
 description WAN_to_ISP
 ip address 1.1.1.1 255.255.255.252
 ip access-group deny_all in
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan833
 description Guest_Subnet_Gateway
 ip address 172.18.1.1 255.255.255.0
 ip nat inside
 ip inspect FIREWALL in
 ip virtual-reassembly in
!
ip nat inside source list NAT_list interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
ip access-list standard NAT_list
 permit 172.18.1.0 0.0.0.255
 deny any
!
ip access-list extended deny_all
 deny ip any any
My goal is to inspect inbound LAN traffic, which the firewall should then permit return traffic from the internet for, bypassing the inbound ACL on the WAN interface that denies all traffic. I am remote to the site, so I cannot test the "true" LAN, but I have found that when I remove the inbound ACL on the WAN, I can ping the internet (8.8.8.8) no problem, sourcing from vlan 833, sitting on the router. However, when I have the inbound ACL on the WAN applied, I can no longer ping the internet (8.8.8.8), sitting on my router, sourcing from vlan 833.
Because of this, I can only assume that the same is true for the users at the location on the "true" LAN (i.e. behind the router, not sitting on it like I am).
Is this true? Or would I see a different outcome if I was testing from behind the router as opposed to sitting on it?
12-05-2013 12:41 PM
If you want to use ping, then you also need ICMP inspection. For traffic sourced from the router, the inspection also has to be applied to the outside interface:
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp router-traffic
ip inspect name FIREWALL icmp router-traffic
ip inspect name FIREWALL ftp
!
interface FastEthernet4
 ip access-group deny_all in
 ip inspect FIREWALL out
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
12-05-2013 01:18 PM
Packets entering the firewall are inspected by CBAC only if they first pass the inbound access list at the input interface and outbound access list at the output interface. If a packet is denied by the access list, the packet is simply dropped and not inspected by CBAC.
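Pulling the two replies together, the following is an added, complete configuration example for the topology in the thread (Vlan833 inside, FastEthernet4 outside, inbound deny-all on the WAN, CBAC opening return paths). It is not configuration from the original post or from either responder; the addresses, interface names and ACL names are those already used in the thread, the `timeout 300` values are carried over from the original post, and the `show` commands at the end are standard IOS verification commands whose output is not reproduced here because it depends on live sessions.

```cisco
! Inspection rule set. The router-traffic keyword makes CBAC also track
! sessions the router itself originates (e.g. a ping sourced from
! Vlan833); without it only transit traffic is inspected. ICMP inspection
! is required for ping replies to be let back in; ftp inspection tracks
! the separate FTP data channel.
ip inspect name FIREWALL tcp router-traffic timeout 300
ip inspect name FIREWALL udp router-traffic timeout 300
ip inspect name FIREWALL icmp router-traffic
ip inspect name FIREWALL ftp
!
! Inside: LAN-originated traffic is inspected as it enters the router.
interface Vlan833
 description Guest_Subnet_Gateway
 ip address 172.18.1.1 255.255.255.0
 ip nat inside
 ip inspect FIREWALL in
 ip virtual-reassembly in
!
! Outside: the inbound ACL blocks everything unsolicited. CBAC inserts
! temporary openings for the return traffic of inspected sessions that
! are evaluated ahead of this ACL, so replies still get in. Inspection is
! applied outbound here so that router-sourced traffic, which never
! enters through Vlan833, is tracked as well.
interface FastEthernet4
 description WAN_to_ISP
 ip address 1.1.1.1 255.255.255.252
 ip access-group deny_all in
 ip inspect FIREWALL out
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
!
ip nat inside source list NAT_list interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
ip access-list standard NAT_list
 permit 172.18.1.0 0.0.0.255
 deny   any
!
! ACL order matters only in the direction being inspected: a packet is
! inspected only if it first passes the inbound ACL on its input
! interface and the outbound ACL on its output interface. There is no
! ACL on Vlan833 inbound or on FastEthernet4 outbound, so LAN and
! router traffic are inspected, and only unsolicited Internet traffic
! ever reaches deny_all.
ip access-list extended deny_all
 deny ip any any
!
! Verification from enable mode:
!   ping 8.8.8.8 source Vlan833
!   show ip inspect sessions        -> the ICMP session just created
!   show ip access-lists deny_all   -> hit count on the deny ip any any entry
```

If the ping still fails after this change, `show ip inspect sessions` tells you whether the session was ever created (inspection not applied in the right direction) or whether it was created and the reply was still dropped (a second ACL or NAT problem). CBAC (the `ip inspect` feature) is Cisco's classic IOS firewall; on releases that support it, the Zone-Based Policy Firewall is the recommended successor, but the ordering rule above (ACL first, inspection then opens the return path) applies to both.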