01-14-2015 12:29 PM - edited 03-11-2019 10:20 PM
Hi All,
I have a question around the permit ip any any statement on an inbound ACL when using NAT. Is it safe? If I take the statement out of my list I can't do anything.
Example:
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.192
ip access-group IN_OUT_VLAN10 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
end
ip access-list extended IN_OUT_VLAN10
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.63
deny ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.63
deny ip 192.168.1.0 0.0.0.63 192.168.1.192 0.0.0.63
permit ip any any
The above list is to block my internal subnets*
interface Dialer1
mtu 1492
ip address negotiated
ip access-group OUTSIDE_INSIDE in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast source reachable-via rx allow-default 100
ip nat outside
ip inspect IN_OUT_CBAC out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no keepalive
ppp authentication chap callin
ppp chap hostname ******
ppp chap password ******
no cdp enable
end
ip access-list extended OUTSIDE_INSIDE
remark OUTSIDE_INSIDE_ALLOW
remark *****
permit tcp host ********* any eq 22 log-input
remark ***********
permit tcp host ************* any eq 22 log-input
remark *********
permit tcp host ************* any eq 22 log-input
remark OUTSIDE_INSIDE_BLOCK
deny icmp any any echo
deny icmp any any echo-reply
deny tcp any any eq 22 log-input
deny udp any any eq 22 log-input
deny tcp any any eq telnet log-input
deny udp any any eq 23 log-input
permit ip any any <<<<< Without this here I have no traffic*
ip nat inside source list VLAN10_OUTSIDE interface Dialer1 overload
ip inspect name IN_OUT_CBAC tcp
ip inspect name IN_OUT_CBAC udp
ip inspect name IN_OUT_CBAC icmp
The above is a basic firewall for outbound connections and returning traffic** (I hope)
My question is, do I need to put every single port I want to allow in and out into it, even though I am using NAT? It will be an insane list, especially with gaming, as XBOX uses random ports each time. I don't have any static NAT entries, so when I do a port scan they are all closed as expected except 22 and 23, which I have closed only to specific hosts. Does IP here basically mean IP as in routing addresses etc. (which would make sense), or does it mean the entire TCP/IP suite like TCP and UDP ports etc.?
This has confused me for so long that I thought I would ask. I see it on a lot of SMB routers with ADSL etc. using NAT.
Thank you kindly everyone.
01-16-2015 09:33 AM
OK, I applied that and was able to get to Google but not access the pages. Looks like the inbound ACL is blocking UDP, so I put permit udp any any on and that works.
01-16-2015 09:35 AM
You should not have to do that. CBAC should take care of all that stuff for you.
01-18-2015 02:34 PM
Thank you for your help on this, Colin. I can confirm it is working now :-) The issue was that because I am using NAT and have DNS forwarding set up, my specific DNS server was not being allowed back in.
no 100 permit ip any any
100 permit udp host 8.26.56.26 eq 53 any
The cure was allowing DNS from that host to all IPs inside, as the request was going out but getting blocked back in. My firewall is now also working.
Thank you for spending the time as it got me looking in the right direction.
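An added example (not from this thread or from Cisco) that models the first-match ACL evaluation the question and the fix above turn on. It parses the OUTSIDE_INSIDE entries from the original post in a small Python model, with 203.0.113.10 standing in for the masked management hosts and a constructed DNS reply packet, and shows that permit ip any any admits TCP and UDP alike, that simply removing it drops the DNS forwarder's reply on the implicit deny, and that the specific permit udp host 8.26.56.26 eq 53 any entry restores it.

```python
import ipaddress

# Constructed model of IOS extended-ACL evaluation: entries are tried in order,
# the first match decides, and an unmatched packet hits the implicit
# "deny ip any any". Protocol "ip" matches every IP protocol, so "permit ip any
# any" also admits TCP and UDP. ICMP types and "log-input" are ignored here.
ANY = ipaddress.ip_network("0.0.0.0/0")
PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "telnet": 23, "ssh": 22}

def addr(tok):  # consume one address spec: any | host A | A WILDCARD
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(t + "/" + tok.pop(0), strict=False)  # wildcard mask

def port(tok):  # consume an optional "eq PORT"; None means any port
    if tok[:1] != ["eq"]:
        return None
    p = tok.pop(1)
    tok.pop(0)
    return int(PORTS.get(p, p))

def parse(line):
    tok = line.split()
    fields = [tok.pop(0), tok.pop(0), addr(tok), port(tok), addr(tok), port(tok)]
    return dict(zip(("action", "proto", "src", "sport", "dst", "dport"), fields), text=line)

def evaluate(acl, pkt):
    """First match wins; return (action, entry text) or the implicit deny."""
    s, d = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for e in map(parse, acl):
        if (e["proto"] in ("ip", pkt["proto"]) and s in e["src"] and d in e["dst"]
                and e["sport"] in (None, pkt.get("sport"))
                and e["dport"] in (None, pkt.get("dport"))):
            return e["action"], e["text"]
    return "deny", "implicit deny ip any any"

# OUTSIDE_INSIDE from the post (remarks and ICMP lines omitted) with three endings:
# the original, "permit ip any any" removed, and the DNS-forwarder entry from the fix.
BASE = ["permit tcp host 203.0.113.10 any eq 22", "deny tcp any any eq 22",
        "deny udp any any eq 22", "deny tcp any any eq telnet", "deny udp any any eq 23"]
ENDINGS = {"original": ["permit ip any any"], "removed": [],
           "fixed": ["permit udp host 8.26.56.26 eq 53 any"]}
DNS_REPLY = {"proto": "udp", "src": "8.26.56.26", "sport": 53,   # constructed reply
             "dst": "203.0.113.99", "dport": 50000}               # to the Dialer1 address

def dns_reply_verdicts():
    return {name: evaluate(BASE + end, DNS_REPLY)[0] for name, end in ENDINGS.items()}
```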
01-16-2015 09:39 AM
I am at a loss on this. Maybe if I put up the entire current config it would help?
01-18-2015 02:29 PM
Post Deleted!!! ###RESOLVED####
01-18-2015 02:35 PM
.
01-16-2015 09:12 AM
Actually, cancel that... only cached pages are working :-(