cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
592
Views
0
Helpful
2
Replies

Issue with IP Inspect & Deny all ACL

Dean Romanelli
Level 4
Level 4

Hi Guys,

I'm having a potential issue with trying to configure basic firewalling on my Cisco 881 router & denying all traffic from the internet. 

My config below:

ip inspect name FIREWALL tcp timeout 300

ip inspect name FIREWALL udp timeout 300

interface FastEthernet4

description WAN_to_ISP

ip address 1.1.1.1 255.255.255.252

ip access-group deny_all in

ip mtu 1452

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

interface Vlan833

description Guest_Subnet_Gateway

ip address 172.18.1.1 255.255.255.0

ip nat inside

ip inspect FIREWALL in

ip virtual-reassembly in

ip nat inside source list NAT_list interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 1.1.1.2

!

ip access-list standard NAT_list

permit 172.18.1.0 0.0.0.255

deny   any

!

ip access-list extended deny_all

deny   ip any any

My goal is to inspect inbound LAN traffic, which the firewall should then permit return traffic from the internet for, bypassing the inbound ACL on the WAN interface that denies all traffic.  I am remote to the site, so I cannot test the "true" LAN, but I have found that when I remove the inbound ACL on the WAN, I can ping the internet (8.8.8.8) no problem, sourcing from vlan 833, sitting on the router. However, when I have the inbound ACL on the WAN applied, I can no longer ping the internet (8.8.8.8), sitting on my router, sourcing from vlan 833.

Because of this, I can only assume that the same is true for the users at the location on the "true" LAN (i.e. behind the router, not sitting on it like I am).

Is this true? Or would I see a different outcome if I was testing from behind the router as opposed to sitting on it?

2 Replies 2

If you want to use ping, then you also need the ICMP-inspection. For traffic sourcing from the router, the inspection also has to be applied to the outside interface:

ip inspect name FIREWALL tcp router-traffic

ip inspect name FIREWALL udp router-traffic

ip inspect name FIREWALL icmp router-traffic

ip inspect name FIREWALL ftp

!

interface FastEthernet4

  ip access-group deny_all in

  ip inspect FIREWALL out

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Collin Clark
VIP Alumni
VIP Alumni

Packets entering the firewall are inspected by CBAC only if they first pass the inbound access list at the input interface and outbound access list at the output interface. If a packet is denied by the access list, the packet is simply dropped and not inspected by CBAC.

Review Cisco Networking for a $25 gift card