Problems removing ip inspect and it breaking Internet

aaron-fisher
Level 1

Hi All,

Have 2 2800 series routers here that are at either of our sites. They had been set up with ip inspect statements for various traffic types; however, when we try to remove them completely they break various different protocols including web browsing, email etc. The reason for us wanting to remove these statements is to allow our users access to one of our suppliers' websites that is running on a non-standard TCP port. Currently we cannot access it from our Head Office location, which runs a Fibre connection; however, our secondary site, which has a Satellite internet connection, can access this fine after modifying access lists in place on that router. With our Head Office router there are no such access lists in place, which is making this difficult to work out.

I can post up configs with critical information removed if required and would appreciate any help.

Thanks


Aaron

4 Replies

Rudresh Veerappaji
Cisco Employee

Hi Aaron,

Please provide me with the configuration with the ip inspect still in place, so that I can analyze what the ip inspect was doing and how we can achieve this without ip inspect. A simple network diagram depicting the connection flow would also help.

Cheers,

Rudresh V

Hi Rudresh,

Please see below for config info minus certain details; if you need more details regarding the config, let me know.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HO-C2811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 4096 warnings
logging console critical
enable secret

!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone Perth 8
!
!
crypto pki trustpoint TP-self-signed-4024331455
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4024331455
revocation-check none
rsakeypair TP-self-signed-4024331455
!
!
crypto pki certificate chain TP-self-signed-4024331455
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain name magmetals.com
ip name-server 203.161.127.1
ip name-server 203.153.224.42
ip ips name sdm_ips_rule
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
no ipv6 cef
ntp update-calendar
ntp server 203.31.84.4
ntp server 192.189.54.17 prefer source FastEthernet0/1
!
multilink bundle-name authenticated
!
voice-card 0
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Internal Corporate Lan$FW_INSIDE$$ETH-LAN$
ip address 192.168.3.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
bandwidth 163840
ip address
ip access-group Internet_Filter in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0/1/0
ip address 10.3.3.2 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex full
speed 100
!
interface FastEthernet0/1/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 gateway
ip route 10.3.3.4 255.255.255.252 10.3.3.1
ip route 192.168.2.0 255.255.255.0 10.3.3.1
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT_Pool interface FastEthernet0/1 overload

I have also attached a brief network diagram explaining traffic flow.

Thanks


Aaron

Hi Aaron,

Please let me know what kind of addresses are allowed in the following two access-lists:

Internet_Filter ----> controls access for packets coming from outside to inside.

NAT_Pool -----> controls NATting for certain traffic.

What inspection does when it's in place is that, as an example, when an HTTP packet (web traffic) comes from inside and leaves to outside, the router creates a temporary connection entry in its internal tables to allow return traffic. In this case the access-list on the outside interface (Internet_Filter) is bypassed.

So when you remove the inspect for HTTP, you need to explicitly allow required traffic (TCP - HTTP) from outside to inside. Similarly for other protocols like ESMTP (mail), FTP, etc. that you use.

So you need to identify such traffic and append entries in the access-list Internet_Filter to allow traffic from outside to inside. If possible, please let me know what the above requested access-lists look like (you can probably mask certain octets).

Cheers,

Rudresh V

Hi Rudresh,

See Below

ip access-list extended NAT_Pool
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any

ip access-list extended Internet_Filter
remark ### ANTI-SPOOFING RULES
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
remark ### ALLOW ACCESS TO SERVICES
permit tcp any host xxx.xxx.xxx.xxx eq 443
permit tcp any host xxx.xxx.xxx.xxx eq smtp
permit tcp any host xxx.xxx.xxx.xxx eq www
permit tcp any host xxx.xxx.xxx.xxx eq 22
permit tcp any host xxx.xxx.xxx.xxx eq ftp
permit tcp any host yyy.yyy.yyy.yyy eq 444
permit tcp any host yyy.yyy.yyy.yyy eq 443
permit tcp any host xxx.xxx.xxx.xxx eq 1494
permit tcp any host xxx.xxx.xxx.xxx eq 27063
permit tcp any host xxx.xxx.xxx.xxx eq 2598
permit tcp any host xxx.xxx.xxx.xxx eq 27048
permit tcp any host xxx.xxx.xxx.xxx eq lpd
permit tcp any host xxx.xxx.xxx.xxx eq 3389
permit udp any host xxx.xxx.xxx.xxx eq 515
permit tcp any host xxx.xxx.xxx.xxx eq 1723
permit tcp any host xxx.xxx.xxx.xxx eq 25017
remark ### ALLOW ICMP
permit icmp any host xxx.xxx.xxx.xxx echo-reply
permit icmp any host xxx.xxx.xxx.xxx time-exceeded
permit gre any host xxx.xxx.xxx.xxx
permit icmp any host xxx.xxx.xxx.xxx unreachable
remark ### DENY ALL OTHER AND LOG
deny   ip any any log

So, from what you are saying, by removing all traces of the ip inspect from the configuration it leaves an implicit deny in place, which then means we need to set up an access list to allow outbound traffic? The access list Internet_Filter is only applied inbound on the Internet-facing Fast Ethernet adapter.

Thanks

Aaron
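A small evaluator for the Internet_Filter ACL posted above, added here as an illustration and not part of the thread, to show what Rudresh describes: once ip inspect no longer creates temporary entries, the reply half of an outbound web session is judged only by the inbound ACL and falls through to the final deny. It assumes 203.0.113.10 in place of the masked xxx.xxx.xxx.xxx, a constructed return packet, and offers an established entry as one candidate way to re-admit TCP replies (something the thread does not itself prescribe).

```python
import ipaddress
PUBLIC = "203.0.113.10"   # constructed stand-in for the masked xxx.xxx.xxx.xxx
PORTS = {"www": 80, "smtp": 25, "ftp": 21, "lpd": 515}   # IOS port names used in the ACL

def addr_match(spec, ip):
    # spec is "any", "host A.B.C.D" (same as "A.B.C.D 0.0.0.0") or "A.B.C.D WILDCARD"
    if spec == "any":
        return True
    net, wild = (spec.split()[1], "0.0.0.0") if spec.startswith("host ") else spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))      # wildcard mask -> netmask
    return int(ipaddress.IPv4Address(ip)) & mask == int(ipaddress.IPv4Address(net)) & mask

def parse_ace(line):
    # one extended ACE -> dict; "remark" gives None; "log" and icmp type words are ignored
    t = line.split()
    if t[0] == "remark":
        return None
    take = lambda: t.pop(0) if t[0] == "any" else t.pop(0) + " " + t.pop(0)
    ace = {"action": t.pop(0), "proto": t.pop(0), "dport": None, "established": False}
    ace["src"], ace["dst"] = take(), take()
    while t:
        tok = t.pop(0)
        if tok == "eq":
            p = t.pop(0)
            ace["dport"] = PORTS.get(p) or int(p)
        ace["established"] |= tok == "established"   # matches only ACK/RST segments
    return ace

def evaluate(acl, pkt):
    # first matching entry wins; anything left unmatched hits the implicit deny
    for line in acl:
        a = parse_ace(line)
        if (a and a["proto"] in ("ip", pkt["proto"]) and a["dport"] in (None, pkt.get("dport"))
                and addr_match(a["src"], pkt["src"]) and addr_match(a["dst"], pkt["dst"])
                and (not a["established"] or pkt.get("ack"))):
            return a["action"], line
    return "deny", "implicit deny"

INTERNET_FILTER = [   # abridged from the posted ACL, public IP substituted
    "deny ip 192.168.0.0 0.0.255.255 any",
    f"permit tcp any host {PUBLIC} eq www",
    "deny ip any any log",
]
# constructed packet: a web server's reply to the NAT'd client's ephemeral port, ACK set
RETURN_HTTP = {"proto": "tcp", "src": "198.51.100.5", "dst": PUBLIC, "dport": 51234, "ack": True}
ESTABLISHED_FIX = f"permit tcp any host {PUBLIC} established"   # candidate entry, assumption

def return_traffic_verdict(extra_entries=()):
    # extra entries go ahead of the final deny; without inspect only this ACL judges the reply
    return evaluate(INTERNET_FILTER[:-1] + list(extra_entries) + INTERNET_FILTER[-1:], RETURN_HTTP)
```

Paste the real Internet_Filter lines into INTERNET_FILTER (masked octets replaced) to check which entry a given packet hits before changing the router.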
