01-14-2015 12:29 PM - edited 03-11-2019 10:20 PM
Hi All,
I have a question around the permit ip any any statement on an inbound ACL when using NAT. Is it safe? If I take the statement out of my list I can't do anything.
Example:
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.192
ip access-group IN_OUT_VLAN10 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
end
ip access-list extended IN_OUT_VLAN10
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.63
deny ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.63
deny ip 192.168.1.0 0.0.0.63 192.168.1.192 0.0.0.63
permit ip any any
The above list is to block my internal subnets*
interface Dialer1
mtu 1492
ip address negotiated
ip access-group OUTSIDE_INSIDE in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast source reachable-via rx allow-default 100
ip nat outside
ip inspect IN_OUT_CBAC out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no keepalive
ppp authentication chap callin
ppp chap hostname ******
ppp chap password ******
no cdp enable
end
ip access-list extended OUTSIDE_INSIDE
remark OUTSIDE_INSIDE_ALLOW
remark *****
permit tcp host ********* any eq 22 log-input
remark ***********
permit tcp host ************* any eq 22 log-input
remark *********
permit tcp host ************* any eq 22 log-input
remark OUTSIDE_INSIDE_BLOCK
deny icmp any any echo
deny icmp any any echo-reply
deny tcp any any eq 22 log-input
deny udp any any eq 22 log-input
deny tcp any any eq telnet log-input
deny udp any any eq 23 log-input
permit ip any any <<<<< Without this here I have no traffic*
ip nat inside source list VLAN10_OUTSIDE interface Dialer1 overload
ip inspect name IN_OUT_CBAC tcp
ip inspect name IN_OUT_CBAC udp
ip inspect name IN_OUT_CBAC icmp
Above is a basic firewall for outbound connections and returning traffic** (I hope)
My question is: do I need to put in every single port I want to allow in and out, even though I am using NAT? It will be an insane list, especially with gaming, as XBOX uses random ports each time. I don't have any static NAT entries, so when I do a port scan they are all closed as expected, except 22 and 23, which I have closed only to specific hosts. Does IP here mean basically IP as in routing addresses etc. (which would make sense), or does it mean the entire TCP/IP suite, like TCP and UDP ports etc.?
This has confused me for so long that I thought I would ask. I see it on a lot of SMB routers with ADSL etc. using NAT.
Thank you kindly everyone.
01-16-2015 09:35 AM
You should not have to do that. CBAC should take care of all that stuff for you.
01-15-2015 07:05 AM
You should not have to put in the ip any any statement. Can you post the acl VLAN10_OUTSIDE?
01-15-2015 10:33 AM
Extended IP access list VLAN10_OUTSIDE
10 permit ip 192.168.1.0 0.0.0.63 any (7459 matches)
20 deny ip any any (11814 matches)
Thanks for the response, the above is what you requested :-)
01-15-2015 10:36 AM
Sorry, and by my access list I mean VLAN10 going to outside... Just my wording ;-)
01-15-2015 10:51 AM
Can you post a sanitized "show ip inspect all"?
01-15-2015 10:57 AM
Established Sessions
Session 29F5EA3C (192.168.1.198:55435)=>(X.X.X.X:5671) tcp SIS_OPEN
Session 29F4FD0C (192.168.1.15:49941)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5A0EC (192.168.1.15:49943)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5CE34 (192.168.1.26:52537)=>(X.X.X.X:5223) tcp SIS_OPEN
Session 29F505AC (192.168.1.15:49940)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5B454 (192.168.1.15:49158)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5BACC (192.168.1.15:49944)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F52EA4 (192.168.1.14:61670)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5B67C (192.168.1.14:62041)=>(X.X.X.X:80) tcp SIS_OPEN
Session 29F50E4C (192.168.1.15:49946)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5F2DC (192.168.1.15:49947)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5B8A4 (192.168.1.15:49945)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F52A54 (192.168.1.15:49265)=>(X.X.X.X:80) tcp SIS_OPEN
Session 29F5C9E4 (192.168.1.13:57579)=>(X.X.X.X:5223) tcp SIS_OPEN
Session 29F5DB24 (192.168.1.15:49938)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F577F4 (192.168.1.15:49939)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5E19C (192.168.1.19:50431)=>(X.X.X.X:443) tcp SIS_OPEN
Session 29F5B22C (192.168.1.15:49942)=>(X.X.X.X:443) tcp SIS_OPEN
01-15-2015 11:01 AM
Can I get all of it please?
01-15-2015 11:13 PM
Sorry Colin, here we are
#sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name IN_OUT_CBAC
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10
Interface Configuration
Interface Dialer1
Inbound inspection rule is not set
Outgoing inspection rule is IN_OUT_CBAC
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10
Inbound access list is OUTSIDE_INSIDE
Outgoing access list is not set
Established Sessions
Session 29F5EA3C (192.168.1.198:55435)=>(54.194.173.224:5671) tcp SIS_OPEN
Session 29F5282C (192.168.1.14:62790)=>(54.243.233.199:443) tcp SIS_OPEN
Session 29F4FAE4 (192.168.1.14:62795)=>(17.110.224.20:443) tcp SIS_OPEN
Session 29F51914 (192.168.1.13:58339)=>(65.20.0.43:993) tcp SIS_OPEN
Session 29F54CD4 (192.168.1.13:58341)=>(65.20.0.43:993) tcp SIS_OPEN
Session 29F5E5EC (192.168.1.13:58340)=>(65.20.0.43:993) tcp SIS_OPEN
Session 29F52A54 (192.168.1.13:58314)=>(17.172.239.80:443) tcp SIS_OPEN
Session 29F5C36C (192.168.1.17:49964)=>(157.55.236.97:443) tcp SIS_OPEN
Session 29F4FF34 (192.168.1.14:62797)=>(216.157.12.18:80) tcp SIS_OPEN
Session 29F5DF74 (192.168.1.14:62723)=>(69.171.235.48:443) tcp SIS_OPEN
Session 29F5534C (192.168.1.14:62794)=>(66.117.29.37:443) tcp SIS_OPEN
Session 29F5F2DC (192.168.1.14:62793)=>(81.144.168.143:443) tcp SIS_OPEN
Session 29F52EA4 (192.168.1.18:53043)=>(17.110.226.11:443) tcp SIS_OPEN
01-16-2015 08:57 AM
Strange. Everything looks to be configured and working correctly. Let me make sure I understand the issue. When you remove permit ip any any from the ACL all traffic to the internet stops working?
01-16-2015 08:58 AM
That is correct, yes.
01-16-2015 09:01 AM
Can you remove 'permit ip any any' and put in 'deny ip any any log'? Try a webpage, then send the log please.
01-16-2015 09:06 AM
000507: Jan 16 16:59:37.377 gmt: %SEC-6-IPACCESSLOGP: list OUTSIDE_INSIDE denied udp 8.26.56.26(53) -> 86.167.1X.X(51878), 1 packet
000508: Jan 16 16:59:38.377 gmt: %SEC-6-IPACCESSLOGP: list OUTSIDE_INSIDE denied udp 8.20.247.20(53) -> 86.167.X.X(64572), 1 packet
DNS issue?
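The two denied DNS replies above, and the earlier question of whether "ip" in an ACE means just addresses or the whole TCP/IP suite, can be worked through with a toy first-match evaluator over the thread's OUTSIDE_INSIDE list (an added example, not code from the thread or from IOS). It assumes only host/any addresses and "eq" ports, uses 203.0.113.10 as a placeholder for the masked admin host and 192.0.2.1 for the masked WAN address, and constructs two packets: the logged DNS reply and an unsolicited inbound SYN to tcp/445.

```python
NAMED_PORTS = {"telnet": 23, "bootpc": 68, "bootps": 67}          # keywords IOS prints for ports

def parse_ace(line):
    """Parse one ACE such as 'deny tcp any any eq telnet log-input' (host/any only)."""
    t = [x for x in line.split() if x not in ("log", "log-input")]
    ace = {"action": t[0], "proto": t[1]}
    i = 2
    for side in ("src", "dst"):
        assert t[i] in ("host", "any"), "wildcard masks not modelled: " + line
        ace[side] = t[i + 1] if t[i] == "host" else None         # None means "any"
        i += 2 if t[i] == "host" else 1
        if i < len(t) and t[i] == "eq":
            ace[side + "port"] = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
            i += 2
    if ace["proto"] == "icmp" and i < len(t):
        ace["icmp_type"] = t[i]                                   # "echo", "echo-reply"
    return ace

def ace_matches(ace, pkt):
    """Every field the ACE names must equal the packet's; proto 'ip' matches all protocols."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    return all(v is None or pkt.get(k) == v for k, v in ace.items() if k not in ("action", "proto"))

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            return ace["action"], n
    return "deny", None

# The thread's OUTSIDE_INSIDE list (203.0.113.10 stands in for the masked admin host).
OUTSIDE_INSIDE = [parse_ace(l) for l in """
permit tcp host 203.0.113.10 any eq 22 log-input
deny icmp any any echo
deny icmp any any echo-reply
deny tcp any any eq 22 log-input
deny udp any any eq 22 log-input
deny tcp any any eq telnet log-input
deny udp any any eq 23 log-input
""".splitlines() if l.strip()]
WITH_ANY = OUTSIDE_INSIDE + [parse_ace("permit ip any any")]

# Constructed packets: the logged DNS reply (192.0.2.1 = placeholder WAN address) and an unsolicited SYN.
DNS_REPLY = {"proto": "udp", "src": "8.26.56.26", "srcport": 53, "dst": "192.0.2.1", "dstport": 51878}
SMB_SYN = {"proto": "tcp", "src": "198.51.100.7", "srcport": 40000, "dst": "192.0.2.1", "dstport": 445}

if __name__ == "__main__":
    for name, pkt in (("DNS reply", DNS_REPLY), ("tcp/445 SYN", SMB_SYN)):
        print(name, "->", evaluate(OUTSIDE_INSIDE, pkt), "| with permit ip any any:", evaluate(WITH_ANY, pkt))
```

Without the trailing entry the DNS reply falls through to the implicit deny, exactly as the log shows; with it, entry 8 permits the reply but also the unsolicited SYN, because "ip" covers every protocol and port. That is the hole CBAC's dynamically opened return-traffic entries are meant to close instead of a blanket permit.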
01-16-2015 09:08 AM
It would appear I fixed it hahah, no 100, 100 permit udp any any eq 53
Now all working :-)
01-16-2015 09:13 AM
Actually cancel that... only cached pages :-( working..
01-16-2015 09:19 AM
Looks like CBAC is not working correctly. Here's my CBAC config from a working router.
ip inspect max-incomplete high 8000
ip inspect max-incomplete low 7900
ip inspect one-minute low 7900
ip inspect one-minute high 8000
ip inspect udp idle-time 360
ip inspect dns-timeout 10
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 10
ip inspect tcp max-incomplete host 1000 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 60
ip inspect tcp reassembly memory limit 256000
ip inspect name IN_OUT_CBAC icmp
ip inspect name IN_OUT_CBAC http
ip inspect name IN_OUT_CBAC https
ip inspect name IN_OUT_CBAC tcp
ip inspect name IN_OUT_CBAC udp