ACL problem

a-craick (Level 1)

I have set up some ACLs on my 837 router to secure the router but allow me to access outside hosts from the Ethernet interface.

I have written an ACL as follows and applied it to the Dialer 0 interface (since it's PPPoE); some data has been removed for size:

access-list 101 permit udp host 192.231.203.3 eq domain any
access-list 101 permit udp host 192.231.203.132 eq domain any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 remark Allow Bittorrent Incoming
access-list 101 permit tcp any host [removed] range 6890 6900
access-list 101 remark Allowing FTP incoming
access-list 101 permit tcp any host [removed] eq ftp
access-list 101 remark Allow FTP data incoming
access-list 101 permit tcp any host [removed] eq ftp-data
access-list 101 remark EDonkey TCP allow incoming
access-list 101 permit tcp any host [removed] eq 4662
access-list 101 remark Edonkey UDP allow incoming
access-list 101 permit udp any host [removed] eq 4672
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

The problem is that if I do a show access-list 101 I get the following:

Extended IP access list 101
permit tcp host 69.56.245.141 eq www host [removed] eq 4266 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 4199 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 4156 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 4112 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 4104 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 4090 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 4056 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 3927 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 3765 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 3728 (6 matches)
permit tcp host 69.56.245.141 eq www host [removed] eq 3724 (6 matches)
permit tcp host 68.203.198.230 eq 10333 host [removed] eq 3929 (1807 matches)
permit tcp host 68.190.95.248 eq 49152 host [removed] eq 3973 (2456 matches)
permit tcp host 69.201.86.1 eq 6890 host [removed] eq 3914 (2322 matches)
permit tcp host 216.27.178.33 eq 25000 host [removed] eq 3964 (2413 matches)
permit tcp host 202.72.175.12 eq 29990 host [removed] eq 3960 (2095 matches)
permit tcp host 82.143.195.95 eq 50000 host [removed] eq 3882 (1723 matches)
permit tcp host 71.34.106.218 eq 10029 host [removed] eq 3898 (2404 matches)
permit tcp host 62.3.254.160 eq 49160 host [removed] eq 3958 (2250 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 4176 (6 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 4150 (9 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 4115 (6 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 4109 (6 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 4108 (6 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 4006 (6 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 3889 (6 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 3730 (9 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 3727 (6 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 3725 (6 matches)
permit tcp host 83.149.101.146 eq www host [removed] eq 3723 (9 matches)

For some reason this access list shows extra entries that I never entered in the access list. Is it possible that the router has been compromised, or are they dynamic ACL entries made by NAT or by IP Inspect?

regards

3 Replies

mhussein (Level 4)

Hello,

I believe these are dynamic entries made by "ip inspect"/CBAC. The way this works, roughly:

1. On the web browser, you type http://www.google.com
2. The PC sends a DNS request to the DNS server to resolve the IP address.
3. The DNS server replies that http://www.google.com's IP address is 216.239.63.99 (Google has many IP addresses!).
4. The PC sends a TCP SYN request to 216.239.63.99, destination port 80 (www). The PC's TCP source port number is chosen at random, usually > 1024. Let's say port 2000 in this scenario.
5. CBAC's "ip inspect" records this information and modifies the access-list in anticipation of the reply packet from the web server. CBAC adds this entry:

permit tcp host 216.239.63.99 eq www host [public ip] eq 2000

6. The Google web server replies back: server's source port 80, and the destination is your public IP address, port 2000, on the dialer interface.
7. Now the router receives this packet at the dialer interface and checks access-list 101 to see if it is permitted.
8. If this was a normal "static" access-list, the packet would've been dropped.
9. CBAC checks the TCP port numbers and the TCP sequence numbers.
10. CBAC determines the packet from the web server is a reply to a request sent from the inside network.
11. The reply packet is allowed in and forwarded to the PC.
12. The PC continues exchanging packets with the web server (same port numbers). The access-list dynamic entry stays open.
13. After the browsing session is over, CBAC removes the dynamic access-list entry. (CBAC determines the session is over when it sees a TCP RST or the session is idle for a certain period.)

So, every time you browse a web site, its IP address is displayed in the "show ip access-list" output ;)

This is explained here more elaborately:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm#wp1000988

Please let us know if that helped.

Regards,

Mustafa
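The steps Mustafa lists above, as a small added Python model (this is example code, not code from the thread and not Cisco's implementation). An outbound TCP SYN from the LAN creates a temporary inbound permit entry, the server's reply gets in only because of that entry, and the entry disappears on a TCP RST or after an idle timeout. PUBLIC_IP (203.0.113.7), IDLE_TIMEOUT (300 s), the cut-down static ACL and every packet are constructed sample values; the real translated port under NAT/PAT is ignored, as it is in the reply. The classify_entry helper at the end answers the original question from the defender's side: a line in "show access-list" that is not in the configuration but has the shape "permit tcp host <server> eq <port> host <public ip> eq <port>" is what an inspect entry looks like, and anything else deserves a closer look.

```python
"""Toy model of CBAC ("ip inspect") dynamic ACL entries on a dialer interface.
Added example, not code from the thread or from Cisco IOS; all addresses,
ports and the idle timeout are constructed sample values."""
import re
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"   # constructed: address of the Dialer 0 interface
IDLE_TIMEOUT = 300          # constructed idle timeout in seconds, not an IOS default
PORT_NAMES = {80: "www", 21: "ftp", 53: "domain"}

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: object       # port number, or ICMP message type such as "echo-reply"
    flags: str = ""     # TCP flags: "S", "SA", "A", "R"

# Static inbound ACL in the spirit of access-list 101 above (constructed subset).
# Tuple: (action, proto, src, sport, dst, dport); "any" is a wildcard.
STATIC_ACL = [
    ("permit", "icmp", "any", "any", "any", "echo-reply"),
    ("permit", "tcp", "any", "any", PUBLIC_IP, 21),
    ("deny", "ip", "any", "any", "any", "any"),
]

def static_lookup(pkt):
    """Top-down match against the static ACL; implicit deny at the end (step 8)."""
    for action, proto, src, sport, dst, dport in STATIC_ACL:
        if proto not in ("ip", pkt.proto):
            continue
        fields = ((src, pkt.src), (sport, pkt.sport), (dst, pkt.dst), (dport, pkt.dport))
        if all(rule == "any" or rule == actual for rule, actual in fields):
            return action
    return "deny"

class CbacInspector:
    def __init__(self):
        self.sessions = {}   # (server ip, server port, our port) -> time last seen

    def outbound(self, pkt, now):
        """Steps 4-5: a LAN host opens a TCP connection; remember it for the reply."""
        if pkt.proto == "tcp" and pkt.flags == "S":
            self.sessions[(pkt.dst, pkt.dport, pkt.sport)] = now
        return "permit"     # outbound traffic is not filtered in this model

    def inbound(self, pkt, now):
        """Steps 7-11: a packet arrives on the dialer; dynamic entries are checked first."""
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.proto == "tcp" and pkt.dst == PUBLIC_IP and key in self.sessions:
            if "R" in pkt.flags:
                del self.sessions[key]      # step 13: RST ends the session
            else:
                self.sessions[key] = now    # step 12: session stays open
            return "permit"
        return static_lookup(pkt)           # anything else faces the static list

    def expire_idle(self, now):
        """Step 13, idle case: drop sessions with no traffic for IDLE_TIMEOUT seconds."""
        stale = [k for k, seen in self.sessions.items() if now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def show_access_list(self):
        """Dynamic entries in the format the router prints them, ahead of the static lines."""
        return [
            f"permit tcp host {srv} eq {PORT_NAMES.get(sp, sp)} host {PUBLIC_IP} eq {cp}"
            for srv, sp, cp in self.sessions
        ]

DYNAMIC_RE = re.compile(r"^permit tcp host \S+ eq \S+ host (\S+) eq \d+")

def classify_entry(line, configured):
    """Audit one 'show access-list' line against the set of configured entries
    (without the 'access-list 101 ' prefix): static, CBAC reply entry, or unexpected."""
    line = re.sub(r"\s*\(\d+ matches\)$", "", line.strip())
    if line in configured:
        return "static"
    m = DYNAMIC_RE.match(line)
    if m and m.group(1) == PUBLIC_IP:
        return "dynamic"
    return "unexpected"     # neither configured nor shaped like an inspect entry

def walk_through():
    """Run the reply's scenario end to end and return the observations."""
    insp = CbacInspector()
    syn = Packet("tcp", "192.168.1.10", 2000, "216.239.63.99", 80, "S")
    synack = Packet("tcp", "216.239.63.99", 80, PUBLIC_IP, 2000, "SA")
    rst = Packet("tcp", "216.239.63.99", 80, PUBLIC_IP, 2000, "R")
    out = {"static_only": static_lookup(synack)}       # dropped without inspection
    insp.outbound(syn, now=0)
    out["entry"] = insp.show_access_list()[0]
    out["with_cbac"] = insp.inbound(synack, now=1)     # reply permitted
    insp.inbound(rst, now=2)
    out["after_rst"] = len(insp.sessions)
    out["unsolicited"] = insp.inbound(synack, now=3)   # no session any more
    insp.outbound(syn, now=10)
    insp.expire_idle(now=10 + IDLE_TIMEOUT + 1)
    out["after_idle"] = len(insp.sessions)
    return out

if __name__ == "__main__":
    for k, v in walk_through().items():
        print(f"{k}: {v}")
```

Running it prints the same "permit tcp host 216.239.63.99 eq www host 203.0.113.7 eq 2000" line the reply describes, shows the SYN/ACK being denied by the static list alone and permitted once inspection has seen the outbound SYN, and shows the entry gone after the RST and after the idle timeout. To audit a real router, feed classify_entry the lines of "show access-list" together with the configured entries from "show running-config"; only lines that come back "unexpected" need investigating.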

Thanks Mustafa.

That makes sense reading that document and your comments.

regards

What would be a reason you can't see the dynamic entries?

I have CBAC applied on an outgoing interface and on the same interface an incoming access-list. I know the CBAC works as I see many entries under sh ip inspect session, and also if I remove CBAC from the interface and leave only the incoming access-list I can't get out.

And yet I see no dynamic entries at all with sh access-lists or sh ip access-lists.

I am running 12.4.11.

One difference I see between me and the original poster is that I have line numbers next to each entry and he does not.

Any way to see these dynamic entries?