07-02-2003 12:34 AM - edited 03-02-2019 08:33 AM
I'm trying to analyze traffic through a Cisco 1720 so I can finalize the ACLs to protect the network. Ethernet-0 is connected to the DSL modem, Ethernet-1 is connected to the DMZ network and FastEthernet-0 is connected to the private network. I'm basically blocking all inbound traffic from the public side except DNS responses, web and return traffic from inside activity, but I'm allowing all traffic across the other interfaces in such a way as to log activity. Here are snippets from the config files.
!
! Set up logging
!
logging on
logging 192.168.1.13
! ACL matches are logged as %SEC-6-IPACCESSLOG* (severity 6, informational), so trap level debugging is more than enough
logging trap debugging
no logging buffered
no logging console
no logging facility
no logging history size
! Global message rate limit only; the ACL "rate-limited or missed" summaries come from the separate ACL log cache
no logging rate-limit
!
! Set interface addresses
!
interface Ethernet0
description Public static IP interface
no ip address
ip address 207.225.227.225 255.255.255.248
ip address 207.225.227.226 255.255.255.248 secondary
ip address 207.225.227.227 255.255.255.248 secondary
ip address 207.225.227.229 255.255.255.248 secondary
ip nat outside
full-duplex
no shutdown
exit
interface Ethernet1
description DMZ network interface
no ip address
ip address 192.168.2.1 255.255.255.0
ip nat inside
full-duplex
no shutdown
exit
interface FastEthernet0
description Private network interface
no ip address
ip address 192.168.1.1 255.255.255.0
ip nat inside
full-duplex
speed auto
no shutdown
exit
!
! Establish default route out
!
ip default-gateway 207.225.227.230
ip route 0.0.0.0 0.0.0.0 207.225.227.230 permanent
!
! Set up NAT from internal networks to public IP pool
!
! NAT is applied to inside-to-outside packets that match a permit entry;
! 'deny' in a NAT list means 'do not translate', it does not drop the packet
no ip access-list standard All-Internal-Interfaces
no ip access-list extended All-Internal-Interfaces
ip access-list extended All-Internal-Interfaces
permit tcp any any established log
permit icmp 192.168.1.0 0.0.0.255 any log
permit tcp 192.168.1.0 0.0.0.255 any range 1 65535 log
permit udp 192.168.1.0 0.0.0.255 any range 1 65535 log
permit icmp 192.168.2.0 0.0.0.255 any log
permit tcp 192.168.2.0 0.0.0.255 any range 1 65535 log
permit udp 192.168.2.0 0.0.0.255 any range 1 65535 log
deny ip any any log
exit
!
ip nat pool Public-Interface-NAT 207.225.227.229 207.225.227.229 netmask 255.255.255.248
ip nat inside source list All-Internal-Interfaces pool Public-Interface-NAT overload
!
! Set up NAT from public to assigned DMZ addresses
!
ip nat inside source static 192.168.2.3 207.225.227.225
ip nat inside source static 192.168.2.4 207.225.227.226
ip nat inside source static 192.168.2.5 207.225.227.227
!!!!!!!!!!
! PUBLIC !
!!!!!!!!!!
no ip access-list extended Public-Interface-IN
ip access-list extended Public-Interface-IN
! -- Inbound ACLs are evaluated before NAT, so every address in this list is a public one
! -- This entry admits every ICMP type from the Internet, not only replies
permit icmp any any log
! -- Allowed traffic to web server
permit tcp any host 207.225.227.225 eq www log
permit tcp any host 207.225.227.225 eq 443 log
! -- Allow DNS replies back to the NAT pool ports
permit udp any eq domain host 207.225.227.229 log
! -- Allow established connections through NAT pool ports
permit tcp any host 207.225.227.229 established log
! -- 192.168.2.3-.5 leave through their static mappings (.225-.227), not the
! -- .229 pool, so their own return traffic and DNS replies are not covered by
! -- the two entries above and fall to the implicit (unlogged) deny
exit
no ip access-list extended Public-Interface-OUT
ip access-list extended Public-Interface-OUT
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
interface Ethernet0
ip access-group Public-Interface-IN in
ip access-group Public-Interface-OUT out
exit
!!!!!!!
! DMZ !
!!!!!!!
no ip access-list extended DMZ-Interface-IN
ip access-list extended DMZ-Interface-IN
permit tcp any any established log
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
no ip access-list extended DMZ-Interface-OUT
ip access-list extended DMZ-Interface-OUT
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
interface Ethernet 1
ip access-group DMZ-Interface-IN in
ip access-group DMZ-Interface-OUT out
exit
!!!!!!!!!!!
! Private !
!!!!!!!!!!!
no ip access-list extended Private-Interface-IN
ip access-list extended Private-Interface-IN
permit tcp any any established log
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
no ip access-list extended Private-Interface-OUT
ip access-list extended Private-Interface-OUT
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
interface FastEthernet 0
ip access-group Private-Interface-IN in
ip access-group Private-Interface-OUT out
exit
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Here are my questions:
1) Since traffic through the router has to traverse two interfaces, why does it only send one entry to syslog? I.e. a web request from the outside has to pass inbound through the Public interface (Public-Interface-IN ACL), then outbound through the DMZ interface (DMZ-Interface-OUT ACL) to reach the web server. Shouldn't logging create an entry for both interfaces, since each one has an ACL in effect and one rule must be matched on each? Why do I only see one entry instead of two in syslog?
2) I often see a lot of "access-list logging rate-limited or missed XX packets". Does this mean that there were actual packets that didn't get passed through the router? Or does it mean that there was some packet traffic that should have generated log entries but didn't get logged? This is currently a testing environment, so I know it's not being overloaded. Is there any way to fix this so that (either packets or log messages) are not dropped?
Thanks
07-08-2003 08:32 AM
1. I guess that is the correct way...only one entry in syslog....
2. not sure
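Added example, not part of the original post or the reply: a small Python script that summarises the %SEC-6-IPACCESSLOG* messages a logged ACL sends to the syslog host, which is the raw data behind both questions. It counts packets per ACL, records which ACLs logged each flow, and totals the "rate-limited or missed" summaries separately. Two details it handles: the inbound ACL on Ethernet0 is evaluated before outside-to-inside NAT while the outbound ACL on Ethernet1 sees the translated address, so the two entries for one web request carry different destinations and are matched up by undoing the three static translations from the config above (PAT through the .229 pool cannot be undone without the live translation table); and a "rate-limited or missed N packets" message counts packets that matched an entry with `log` but were not reported individually, not packets the router dropped. The syslog lines in SAMPLE_LOG are constructed for this example.

```python
"""Summarise Cisco IOS ACL log messages (%SEC-6-IPACCESSLOG*) from syslog.
Added example, not from the original post; SAMPLE_LOG is constructed.
Reports which ACLs logged each flow (with the poster's static NAT undone so
the pre-NAT and post-NAT entries of one flow line up) and totals the
"rate-limited or missed" summaries, which count matched-but-unreported
packets, not dropped ones.
"""
import re
from collections import defaultdict

# Static translations from the config above (outside global -> inside local).
# PAT via the .229 pool is not reversible without the router's translation table.
STATIC_NAT = {
    "207.225.227.225": "192.168.2.3",
    "207.225.227.226": "192.168.2.4",
    "207.225.227.227": "192.168.2.5",
}

# tcp/udp: "list NAME permitted tcp 1.2.3.4(1234) -> 5.6.7.8(80), 1 packet"
_PORT_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# icmp: "list NAME permitted icmp 1.2.3.4 -> 5.6.7.8 (8/0), 1 packet"
_ICMP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>icmp) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)
# "access-list logging rate-limited or missed 24 packets"
_MISSED_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed "
    r"(?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict for an ACL log message, or None for any other syslog line."""
    for rx in (_PORT_RE, _ICMP_RE, _MISSED_RE):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            rec["kind"] = "missed" if rx is _MISSED_RE else "match"
            return rec
    return None


def flow_key(rec):
    """Flow identity with static NAT undone, so in/out entries of one flow match."""
    src = STATIC_NAT.get(rec["src"], rec["src"])
    dst = STATIC_NAT.get(rec["dst"], rec["dst"])
    if rec["proto"] == "icmp":
        return ("icmp", src, dst, rec["type"] + "/" + rec["code"])
    return (rec["proto"], src, rec["sport"], dst, rec["dport"])


def summarise(lines):
    """Return (per_acl, per_flow, missed).
    per_acl: {acl: {"permitted": n, "denied": n}} summed over first-packet and
    5-minute summary messages; per_flow: {flow key: set of ACL names that logged
    it}; missed: packets reported only via "rate-limited or missed" summaries.
    """
    per_acl = defaultdict(lambda: {"permitted": 0, "denied": 0})
    per_flow = defaultdict(set)
    missed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "missed":
            missed += rec["count"]
            continue
        per_acl[rec["acl"]][rec["action"]] += rec["count"]
        per_flow[flow_key(rec)].add(rec["acl"])
    return dict(per_acl), dict(per_flow), missed


def single_acl_flows(per_flow):
    """Flows logged by exactly one ACL: the cases question 1 asks about."""
    return {k: next(iter(v)) for k, v in per_flow.items() if len(v) == 1}


# Constructed sample in the format an IOS router sends to a syslog host.
SAMPLE_LOG = """\
Jul  2 00:34:10 192.168.1.1 45: %SEC-6-IPACCESSLOGP: list Public-Interface-IN permitted tcp 203.0.113.7(41022) -> 207.225.227.225(80), 1 packet
Jul  2 00:34:10 192.168.1.1 46: %SEC-6-IPACCESSLOGP: list DMZ-Interface-OUT permitted tcp 203.0.113.7(41022) -> 192.168.2.3(80), 1 packet
Jul  2 00:34:11 192.168.1.1 47: %SEC-6-IPACCESSLOGP: list Private-Interface-IN permitted udp 192.168.1.20(1038) -> 198.51.100.53(53), 1 packet
Jul  2 00:34:11 192.168.1.1 48: %SEC-6-IPACCESSLOGDP: list Public-Interface-IN permitted icmp 203.0.113.9 -> 207.225.227.229 (8/0), 1 packet
Jul  2 00:39:10 192.168.1.1 49: %SEC-6-IPACCESSLOGP: list Public-Interface-IN permitted tcp 203.0.113.7(41022) -> 207.225.227.225(80), 37 packets
Jul  2 00:39:10 192.168.1.1 50: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 24 packets
Jul  2 00:39:12 192.168.1.1 51: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.13)
"""

if __name__ == "__main__":
    per_acl, per_flow, missed = summarise(SAMPLE_LOG.splitlines())
    for acl, counts in sorted(per_acl.items()):
        print(f"{acl}: {counts}")
    for key, acl in single_acl_flows(per_flow).items():
        print("logged by one ACL only:", key, "->", acl)
    print("packets matched but not logged:", missed)
```

Run it against the file the syslog host writes for 192.168.1.13 instead of SAMPLE_LOG; a flow that appears under only one ACL name after the static translations are undone is the situation the first question describes, and a missed total that keeps growing while the packet totals stay small means log messages, not packets, are being lost.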