Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1623
Views
0
Helpful
5
Comments

887VA - cant get ACLs to work.

Jiess
Level 1
Level 1

on ‎05-14-2020 10:43 AM

Question

I have configured a 887VA router but I cant get the ACL to work. What I want is to let anything out to the Internet and nothing in from Internet. The ACL I have permits ping out to internet but nothing else and when I add ex. https to the ACL I noticed that it also opened up for https traffic from Internet to the routers public IP.... Any help would be appreciated.

 

Here is the config:

 

version 15.7
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adslrouter
!
ip domain name localdomain
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
username xxxxx
!
controller VDSL 0
!
bridge irb
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.35 point-to-point
description PrimaryWAN
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
pvc 8/35
tx-ring-limit 2
encapsulation aal5snap
!
!
interface FastEthernet0
description InsideInterface
switchport access vlan 301
no ip address
!
interface FastEthernet1
switchport access vlan 301
no ip address
!
interface FastEthernet2
switchport access vlan 301
no ip address
!
interface FastEthernet3
switchport access vlan 301
no ip address
!
interface Vlan1
no ip address
!
interface Vlan100
description LAN inside interface
ip address dhcp
ip nat inside
ip virtual-reassembly in
!
interface Vlan301
description IoT Interface
ip address 192.168.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface BVI1
ip address dhcp
ip access-group IPFW-ACL in
ip nat outside
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT-ACL interface BVI1 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list standard VTY-ACL
permit 192.168.1.0 0.0.0.255
!
ip access-list extended IPFW-ACL
permit icmp any any administratively-prohibited
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit udp 90.xxx.xxx.0 0.0.0.255 any log
deny ip any any log
ip access-list extended NAT-ACL
permit ip 192.168.1.0 0.0.0.255 any
!
ipv6 ioam timestamp
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class VTY-ACL in
login local
transport input ssh
!
ntp server 192.168.1.50 source Vlan301
!
end

 

Labels:
0 Helpful
Comments
Hector Gustavo Serrano Gutierrez
Cisco Employee
Cisco Employee
‎05-14-2020 11:52 AM

Hi @Jiess,

Looking at the configuration, your Router is doing NAT (more specifically PAT) which is inherently already doing what you are asking. This is, traffic generated from a host in your LAN side ingresses the Router's LAN interface (interface Vlan100 or interface Vlan301) and egresses the WAN interface (interface BVI1) towards the Internet. These traffic flows are recorded in the NAT stateful table (show ip nat translations). For the return traffic, this NAT stateful table allows the traffic to be translated back to your original private IP in the LAN side.

On the other hand, traffic generated from the Internet can only reach your WAN IP since you mentioned it is a Public IP. This traffic cannot directly hit a host in the LAN side unless you explicitly configure a Static NAT translation to do so.

 

Going back to your original question, ACLs are stateless rules. This means you need to allow the traffic in both directions (in and out)

With your current configuration, you are blocking ALL traffic coming to your Router's WAN interface with the exception of UDP traffic sourced from 90.xxx.xxx.0.

Likely, hosts in the LAN side of your Router generating traffic cannot receive responses due to this.

 

HTHs

Jiess
Level 1
Level 1
‎05-14-2020 01:14 PM

Hello and thank you for your answer!
""For the return traffic, this NAT stateful table allows the traffic to be translated back to your original private IP in the LAN side.""

* Yes, this works using ICMP but no other protocol. I added a line for https to the ACL but that also opened up for https to the Routers WAN IP for traffic initiated from Internet, so I must be doing something wrong.

What do I need to do to allow any LAN-side generated traffic also to receive responses without opening up for traffic to the Router WAN IP initiated from Internet?
Thanks.
Regards, Jiess

Jiess
Level 1
Level 1
‎05-14-2020 09:47 PM

Hi!

I found this excellent short article that explained what i needed to do to get it to work: https://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/firewall.html

Case closed.

Thanks @Hector Gustavo Serrano Gutierrez  for your input.

 

Regards,

Jiess

Hector Gustavo Serrano Gutierrez
Cisco Employee
Cisco Employee
‎05-15-2020 01:00 AM

Thanks for the feedback @Jiess,

 

You may also consider Cisco Zone-Based Firewall (ZBF)

Zone-Based Policy Firewall Design and Application Guide

 

For instance:

 

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-all all-private
 match access-group 101
!         
policy-map type inspect priv-pub-pmap
 class type inspect all-private
  inspect
 class class-default
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap
! 
interface BVI1
 ip address 172.16.108.44 255.255.255.0
 zone-member security public
!
interface Vlan301
 zone-member security private
!

 

 

There are different approaches to accomplish stateful packet inspection in Cisco IOS.

Ordered from oldest (least recommended) to newest (recommended):

 

1) Add the established keyword at the end of the ACL permit TCP statement. This option is not available for UDP nor ICMP traffic types. The parameter indicates the Router to allow TCP packets based on whether the ACK or RST bits are set. Set ACK or RST bits indicate that the packet is not the first in the session, and therefore, that the packet belongs to an established session.

 

2) Reflexive Access Lists

A reflexive access list is triggered when a new IP upper-layer session (such as TCP or UDP) is initiated from inside your network, with a packet traveling to the external network. When triggered, the reflexive access list generates a new, temporary entry. This entry will permit traffic to enter your network if the traffic is part of the session, but will not permit traffic to enter your network if the traffic is not part of the session.

 

3) Cisco IOS Firewall

This is the option that worked fine for you.

 

4) Cisco Zone-Based Firewall (ZBF)

Reassembles more to a usual Firewall since you can separate different interfaces into Zones.

 

Regards.

Jiess
Level 1
Level 1
‎05-21-2020 01:15 PM

Thank you @Hector Gustavo Serrano Gutierrez for your input, much appreciated!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents