permit ip any any

James Saunders
Level 1

Hi All,


I have a question around the permit ip any any statement on an inbound ACL when using NAT. Is it safe? If I take the statement out of my list I can't do anything.


Example:

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.192
 ip access-group IN_OUT_VLAN10 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
end

ip access-list extended IN_OUT_VLAN10
 permit udp any any eq bootpc
 permit udp any any eq bootps
 deny   ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.63
 deny   ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.63
 deny   ip 192.168.1.0 0.0.0.63 192.168.1.192 0.0.0.63
 permit ip any any

The above list is to block my internal subnets*

interface Dialer1
  mtu 1492
 ip address negotiated
 ip access-group OUTSIDE_INSIDE in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via rx allow-default 100
 ip nat outside
 ip inspect IN_OUT_CBAC out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no keepalive
 ppp authentication chap callin
 ppp chap hostname ******
 ppp chap password ******
 no cdp enable
end

ip access-list extended OUTSIDE_INSIDE
 remark OUTSIDE_INSIDE_ALLOW
 remark *****
 permit tcp host ********* any eq 22 log-input
 remark ***********
 permit tcp host ************* any eq 22 log-input
 remark *********
 permit tcp host ************* any eq 22 log-input
 remark OUTSIDE_INSIDE_BLOCK
 deny   icmp any any echo
 deny   icmp any any echo-reply
 deny   tcp any any eq 22 log-input
 deny   udp any any eq 22 log-input
 deny   tcp any any eq telnet log-input
 deny   udp any any eq 23 log-input

 permit ip any any <<<<< Without this here I have no traffic*
 

ip nat inside source list VLAN10_OUTSIDE interface Dialer1 overload

ip inspect name IN_OUT_CBAC tcp
ip inspect name IN_OUT_CBAC udp
ip inspect name IN_OUT_CBAC icmp

The above is a basic firewall for outbound connections and returning traffic** (I hope)

My question is: do I need to put in every single port I want to allow in and out, even though I am using NAT? It will be an insane list, especially with gaming, as XBOX uses random ports each time. I don't have any static NAT entries, so when I do a port scan they are all closed as expected, except 22 and 23, which I have opened only to specific hosts. Does IP here mean basically IP as in routing addresses etc. (which would make sense), or does it mean the entire TCP/IP suite, like TCP and UDP ports etc.?

This has confused me for so long that I thought I would ask. I see it on a lot of SMB routers with ADSL etc. using NAT.

Thank you kindly everyone.
1 Accepted Solution

You should not have to do that. CBAC should take care of all that stuff for you.

21 Replies

Collin Clark
VIP Alumni

You should not have to put in the ip any any statement. Can you post the acl VLAN10_OUTSIDE?

Extended IP access list VLAN10_OUTSIDE
    10 permit ip 192.168.1.0 0.0.0.63 any (7459 matches)
    20 deny ip any any (11814 matches)

Thanks for the response; the above is what you requested :-)

Sorry, and by my access list I mean VLAN10 going to outside... Just my wording ;-)

Can you post a sanitized "show ip inspect all"?

Established Sessions
 Session 29F5EA3C (192.168.1.198:55435)=>(X.X.X.X:5671) tcp SIS_OPEN
 Session 29F4FD0C (192.168.1.15:49941)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F5A0EC (192.168.1.15:49943)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F5CE34 (192.168.1.26:52537)=>(X.X.X.X:5223) tcp SIS_OPEN
 Session 29F505AC (192.168.1.15:49940)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F5B454 (192.168.1.15:49158)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F5BACC (192.168.1.15:49944)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F52EA4 (192.168.1.14:61670)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F5B67C (192.168.1.14:62041)=>(X.X.X.X:80) tcp SIS_OPEN
 Session 29F50E4C (192.168.1.15:49946)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F5F2DC (192.168.1.15:49947)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F5B8A4 (192.168.1.15:49945)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F52A54 (192.168.1.15:49265)=>(X.X.X.X:80) tcp SIS_OPEN
 Session 29F5C9E4 (192.168.1.13:57579)=>(X.X.X.X:5223) tcp SIS_OPEN
 Session 29F5DB24 (192.168.1.15:49938)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F577F4 (192.168.1.15:49939)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F5E19C (192.168.1.19:50431)=>(X.X.X.X:443) tcp SIS_OPEN
 Session 29F5B22C (192.168.1.15:49942)=>(X.X.X.X:443) tcp SIS_OPEN

Can I get all of it please?

Sorry Collin, here we are.

#sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name IN_OUT_CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface Dialer1
  Inbound inspection rule is not set
  Outgoing inspection rule is IN_OUT_CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10
  Inbound access list is OUTSIDE_INSIDE
  Outgoing access list is not set

Established Sessions
 Session 29F5EA3C (192.168.1.198:55435)=>(54.194.173.224:5671) tcp SIS_OPEN
 Session 29F5282C (192.168.1.14:62790)=>(54.243.233.199:443) tcp SIS_OPEN
 Session 29F4FAE4 (192.168.1.14:62795)=>(17.110.224.20:443) tcp SIS_OPEN
 Session 29F51914 (192.168.1.13:58339)=>(65.20.0.43:993) tcp SIS_OPEN
 Session 29F54CD4 (192.168.1.13:58341)=>(65.20.0.43:993) tcp SIS_OPEN
 Session 29F5E5EC (192.168.1.13:58340)=>(65.20.0.43:993) tcp SIS_OPEN
 Session 29F52A54 (192.168.1.13:58314)=>(17.172.239.80:443) tcp SIS_OPEN
 Session 29F5C36C (192.168.1.17:49964)=>(157.55.236.97:443) tcp SIS_OPEN
 Session 29F4FF34 (192.168.1.14:62797)=>(216.157.12.18:80) tcp SIS_OPEN
 Session 29F5DF74 (192.168.1.14:62723)=>(69.171.235.48:443) tcp SIS_OPEN
 Session 29F5534C (192.168.1.14:62794)=>(66.117.29.37:443) tcp SIS_OPEN
 Session 29F5F2DC (192.168.1.14:62793)=>(81.144.168.143:443) tcp SIS_OPEN
 Session 29F52EA4 (192.168.1.18:53043)=>(17.110.226.11:443) tcp SIS_OPEN

Strange. Everything looks to be configured and working correctly. Let me make sure I understand the issue. When you remove permit ip any any from the ACL all traffic to the internet stops working?

That is correct, yes.

Can you remove 'permit ip any any' and put in 'deny ip any any log'? Try a webpage, then send the log please.

000507: Jan 16 16:59:37.377 gmt: %SEC-6-IPACCESSLOGP: list OUTSIDE_INSIDE denied udp 8.26.56.26(53) -> 86.167.1X.X(51878), 1 packet  
000508: Jan 16 16:59:38.377 gmt: %SEC-6-IPACCESSLOGP: list OUTSIDE_INSIDE denied udp 8.20.247.20(53) -> 86.167.X.X(64572), 1 packet


DNS issue?

It would appear I fixed it hahah: no 100, 100 permit udp any any eq 53

Now all working :-)

Actually, cancel that... only cached pages are working :-(

Looks like CBAC is not working correctly. Here's my CBAC config from a working router.

ip inspect max-incomplete high 8000
ip inspect max-incomplete low 7900
ip inspect one-minute low 7900
ip inspect one-minute high 8000
ip inspect udp idle-time 360
ip inspect dns-timeout 10
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 10
ip inspect tcp max-incomplete host 1000 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 60
ip inspect tcp reassembly memory limit 256000
ip inspect name IN_OUT_CBAC icmp
ip inspect name IN_OUT_CBAC http
ip inspect name IN_OUT_CBAC https
ip inspect name IN_OUT_CBAC tcp
ip inspect name IN_OUT_CBAC udp
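The two points the thread turns on, that "ip" in an ACL entry matches every IP protocol (so permit ip any any also opens TCP and UDP ports) and that with CBAC return traffic is admitted by the session table before the inbound ACL is consulted, can be shown with a small model. The following is an added illustration, not Cisco code and not from anyone in the thread; it approximates IOS first-match ACL semantics with the implicit deny, and a stateful session table keyed on the translated (Dialer1-side) addresses. The ICMP echo entries are left out of the modelled ACL, the management host 203.0.113.10 stands in for the masked addresses, and the public address 86.167.0.1 and the packets are constructed from the denied-UDP log line above.

```python
"""Model of an IOS extended ACL plus a minimal stateful (CBAC-style) session
table. Added here to illustrate the thread; not Cisco code, only an
approximation of IOS behaviour. Sample addresses and packets are constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, as in IOS
    src: str = "any"             # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str = "any"
    dport: Optional[int] = None  # "eq <port>" on the destination; None = no port check


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    net, wild = spec.split()
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny ip any any."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


class StatefulEdge:
    """Outbound traffic opens a session; a reply that matches an open session is
    accepted before the inbound ACL is evaluated, which is what ip inspect does."""

    def __init__(self, inbound_acl):
        self.inbound_acl = inbound_acl
        self.sessions = set()

    def outbound(self, pkt: Packet) -> None:
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt: Packet) -> bool:
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reply_of in self.sessions or acl_permits(self.inbound_acl, pkt)


# The thread's OUTSIDE_INSIDE list, minus the ICMP echo entries; 203.0.113.10
# is a placeholder for the masked management host.
OUTSIDE_INSIDE = [
    Ace("permit", "tcp", "host 203.0.113.10", "any", 22),
    Ace("deny", "tcp", dport=22), Ace("deny", "udp", dport=22),
    Ace("deny", "tcp", dport=23), Ace("deny", "udp", dport=23),
]
PERMIT_IP_ANY_ANY = Ace("permit", "ip")

# DNS reply from the denied-UDP log line (public address constructed) and the
# NATed query that preceded it as seen on the outside interface.
DNS_REPLY = Packet("udp", "8.26.56.26", 53, "86.167.0.1", 51878)
DNS_QUERY = Packet("udp", "86.167.0.1", 51878, "8.26.56.26", 53)


def demo():
    """Return (static ACL alone, ACL + permit ip any any, stateful with no
    session, stateful after the query went out) for the DNS reply."""
    without_any = acl_permits(OUTSIDE_INSIDE, DNS_REPLY)
    with_any = acl_permits(OUTSIDE_INSIDE + [PERMIT_IP_ANY_ANY], DNS_REPLY)
    fw = StatefulEdge(OUTSIDE_INSIDE)
    cold = fw.inbound_allowed(DNS_REPLY)
    fw.outbound(DNS_QUERY)
    warm = fw.inbound_allowed(DNS_REPLY)
    return without_any, with_any, cold, warm


if __name__ == "__main__":
    print(demo())  # (False, True, False, True)
```

The first two results are the questioner's symptom: the static list alone drops the reply, and permit ip any any admits it because "ip" covers UDP. The last two are the accepted answer: with a working session table the reply is admitted without the catch-all, while an unsolicited SSH connection from an arbitrary host is still dropped by the earlier deny entries in either case.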
