CBAC on a 3640 router

bradjones
Level 1

I am attempting to implement a CBAC Firewall on my 3640 router running IOS image c3640-jk9o3s-mz.124-5.

Before implementing CBAC, I researched different configurations and have tried to adapt the examples to fit my environment.

The examples that I found included two (2) extended ACLs – the first ACL would include all the desired services (i.e. DNS, HTTP, HTTPS, SMTP, FTP, etc.) and would be applied as an “outbound” ACL on the inside interface. My inside networks consist of several VLANs using the 192.168.x.0 networks.

ip access-list extended 110
permit tcp 192.168.0.0 0.0.255.255 any eq domain
permit udp 192.168.0.0 0.0.255.255 any eq domain
permit tcp 192.168.0.0 0.0.255.255 any eq www
permit tcp 192.168.0.0 0.0.255.255 any eq 443
permit tcp 192.168.0.0 0.0.255.255 any eq 22
permit udp 192.168.0.0 0.0.255.255 any eq 22
permit tcp 192.168.0.0 0.0.255.255 any eq ftp
permit udp 192.168.0.0 0.0.255.255 any eq 20
permit udp 192.168.0.0 0.0.255.255 any eq 21
deny ip any any log

interface fastethernet 1/0
ip access-group 110 out

The second ACL (a dynamic ACL) would permit traffic that the router must process (i.e. GRE, SMTP to my mail server, MS VPN clients to the VPN server and ICMP), and would deny all other traffic including the traffic from ACL 110 as CBAC would be modifying this ACL on the fly.

ip access-list extended 111
permit gre any any
permit tcp any host 206.47.125.41 eq 25
permit tcp any host 206.47.125.50 eq 1723
permit icmp any any echo-reply
deny ip any any log

interface Ethernet 3/0
ip access-group 111 in

I have created a rule-set for the CBAC named FIREWALL and applied this rule to the outside interface as an outbound rule.

ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL esmtp

interface Ethernet 3/0
ip inspect FIREWALL out

When I tested this configuration over the weekend, I was unable to open websites or perform an NSLOOKUP. Have I missed something?

I later tried a single “inbound” ACL on the outside interface and applied the above rule-set as an “outbound” rule to the outside interface and it seems to work.

ip access-list extended 100
permit gre any any
permit tcp any any eq 1723
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 22
permit udp any any eq 22
permit tcp any any eq ftp
permit udp any any eq 20
permit udp any any eq 21
permit tcp any host 206.47.125.41 eq smtp
deny ip any any log

interface Ethernet 3/0
ip access-group 100 in
ip inspect FIREWALL out

My concern is whether this is correct and safe.

3 Replies

nkhawaja
Cisco Employee

Hi,

Check the logs to see what is denied. The config seems fine.

ron_brewer
Level 1

If f1/0 is the interface on the inside of your network then I think the problem was the "out" option instead of the "in" option on the access-group command. You should try "ip access-group 110 in" on the f1/0 interface. That way you are dropping unwanted traffic as soon as it comes into the router. This should also allow you to go back to the original access-list 111 entries.

Assuming f1/0 is the inside and e3/0 is the outside try the following:

ip access-list extended 110
permit tcp 192.168.0.0 0.0.255.255 any eq domain
permit udp 192.168.0.0 0.0.255.255 any eq domain
permit tcp 192.168.0.0 0.0.255.255 any eq www
permit tcp 192.168.0.0 0.0.255.255 any eq 443
permit tcp 192.168.0.0 0.0.255.255 any eq 22
permit udp 192.168.0.0 0.0.255.255 any eq 22
permit tcp 192.168.0.0 0.0.255.255 any eq ftp
permit udp 192.168.0.0 0.0.255.255 any eq 20
permit udp 192.168.0.0 0.0.255.255 any eq 21
deny ip any any log
!
interface fastethernet 1/0
ip access-group 110 in
!
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL esmtp
!
ip access-list extended 111
permit gre any any
permit tcp any host 206.47.125.41 eq 25
permit tcp any host 206.47.125.50 eq 1723
permit icmp any any echo-reply
deny ip any any log
!
interface Ethernet 3/0
ip inspect FIREWALL out
ip access-group 111 in

bradjones
Level 1

I opened a case this morning with TAC and the engineer told me that I don't require the ACL on the inside interface (fa1/0). He had me change the ACL for the outside interface (et3/0)... here's what I've got going on now:

ip access-list extended 111
permit gre any any
permit tcp any any eq 1723
permit tcp any eq 22 any
permit udp any eq 22 any
permit tcp any any eq 22
permit udp any any eq 22
permit tcp any eq domain any
permit tcp any any eq domain
permit udp any eq domain any
permit udp any any eq domain
permit tcp any eq www any
permit tcp any any eq www
permit tcp any eq 443 any established
permit tcp any any eq 443
permit tcp any eq 445 any established
permit tcp any any eq 445
permit tcp any eq smtp any established
permit tcp any any eq smtp
permit tcp any eq pop3 any established
permit tcp any any eq pop3
permit tcp any eq ftp-data any
permit tcp any any eq ftp-data
permit udp any eq 20 any
permit udp any any eq 20
permit tcp any eq ftp any
permit tcp any any eq ftp
permit udp any eq 21 any
permit udp any any eq 21
permit tcp any eq nntp any
permit tcp any any eq nntp
permit udp any eq 119 any
permit udp any any eq 119
deny ip any any log
!
interface ethernet 3/0
ip access-group 111 in
ip inspect FIREWALL out
!
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL esmtp

Does this seem right?

I didn't get that "warm and fuzzy" feeling when I spoke to the engineer.

Thanks!

-Brad
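The check a reader would want to run on the two inbound ACLs discussed in this thread, as an added example that is not from the thread, from Cisco or from IOS: a small first-match evaluator for IOS extended ACEs that reports which inside TCP ports an unsolicited connection from the internet reaches through the static ACL alone, i.e. before CBAC has created any dynamic entry. The ACL subsets are taken from the posts above; the outside address 203.0.113.7, the inside host 192.168.10.20 and the port-keyword table are constructed for the example.

```python
import ipaddress

# IOS port keywords that appear in the thread's ACLs.
PORTS = {"domain": 53, "www": 80, "smtp": 25, "ftp": 21, "ftp-data": 20, "pop3": 110, "nntp": 119}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(rest):
    """Parse 'any' | 'host A' | 'A WILDCARD' -> ((net, mask), remaining tokens)."""
    if rest[0] == "any":
        return (0, 0), rest[1:]
    mask = 0xFFFFFFFF if rest[0] == "host" else ~_ip(rest[1]) & 0xFFFFFFFF
    return (_ip(rest[1] if rest[0] == "host" else rest[0]) & mask, mask), rest[2:]

def _port(rest):  # optional 'eq PORT' -> (port or None, remaining tokens)
    if rest and rest[0] == "eq":
        return (int(rest[1]) if rest[1].isdigit() else PORTS[rest[1]]), rest[2:]
    return None, rest

def parse_ace(line):
    action, proto, *rest = line.split()
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, established="established" in rest)

def evaluate(acl, pkt):
    """First-match evaluation of a list of ACE strings, with the implicit deny at the end."""
    for a in map(parse_ace, acl):
        if (a["proto"] in ("ip", pkt["proto"])
                and all((_ip(pkt[k]) & a[k][1]) == a[k][0] for k in ("src", "dst"))
                and all(a[k] is None or a[k] == pkt.get(k) for k in ("sport", "dport"))
                and (not a["established"] or pkt.get("ack", False))):
            return a["action"]
    return "deny"

def unsolicited_exposure(acl, inside_host, ports):
    """Ports on inside_host that a fresh SYN from constructed outside 203.0.113.7 reaches via the static ACL alone."""
    return [p for p in ports if evaluate(acl, dict(proto="tcp", src="203.0.113.7", sport=40000,
                                                   dst=inside_host, dport=p, ack=False)) == "permit"]

# Inbound ACLs on the outside interface as posted in the thread (representative subsets).
TAC_ACL_111 = ["permit tcp any any eq 443", "permit tcp any eq 445 any established",
               "permit tcp any any eq 445", "permit tcp any any eq smtp", "deny ip any any log"]
STRICT_ACL_111 = ["permit gre any any", "permit tcp any host 206.47.125.41 eq 25",
                  "permit tcp any host 206.47.125.50 eq 1723", "permit icmp any any echo-reply", "deny ip any any log"]
```

With the TAC-style ACL the evaluator reports 25, 443 and 445 open to any inside host from the outside without CBAC's help; with the earlier host-specific ACL 111 it reports nothing, and only the published mail and VPN servers are reachable on their own ports.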