Firewall on a 1710 using CBAC

roconnell (Level 1)

I have three questions:

1) I thought the ACL I have configured on my outside interface should allow me to ping my router from an external location, but I cannot. Why?

2) All incoming traffic is being denied at the external interface right now, but I would like to change this to allow some ports through, specifically port 3389 to allow Terminal Services on my Windows 2000 server. I have NAT configured on the router, so I would like all outside traffic using port 3389 to be allowed through to internal network address 192.168.1.20. What is the best way to do this? I have tried several different things with my access list on the external interface but had no luck.

3) Should I apply the CBAC inspect rules on the internal interface instead?

I have attached my config file; any help would be fantastic.

Cheers, Ryan

Using 1723 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname %%%%%%%%%%%
!
enable secret 5 $1$PTeP$8xXkHun2tn70JotIyrDKv0
enable password 7 090D1F5A4B01161C4A0908
!
memory-size iomem 15
ip subnet-zero
!
ip inspect name JOJO tcp alert on
ip inspect name JOJO udp alert on
ip inspect name JOJO ftp
ip inspect name JOJO http
ip inspect name JOJO smtp
ip inspect name JOJO tftp
ip inspect name JOJO realaudio
ip inspect name JOJO h323
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
interface Ethernet0
 description External Interface
 ip address 164.164.164.3 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect JOJO out
 half-duplex
 no cdp enable
!
interface FastEthernet0
 description Internal Interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
 ntp disable
 no cdp enable
!
ip nat translation timeout 3600
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 164.164.164.4
no ip http server
ip pim bidir-enable
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any administratively-prohibited
access-list 101 deny icmp any any
no cdp run
!
line con 0
line aux 0
line vty 0 4
 password 7 01525757090F2601284942
 login
!
no scheduler allocate
end

3 Replies

yusuff (Cisco Employee)

Answers to your queries inline:

1) I thought the ACL I have configured on my outside interface should allow me to ping my router from an external location, but I cannot. Why?

Ans: Since you have explicitly denied icmp any any on ACL 101, pinging from an external location to the Ethernet0 interface will not work, but since you have allowed echo-replies, ping through the router and from the router will work fine. You need to explicitly allow ICMP in your ACL 101 for this to work. Note that the ICMP protocol does not get inspected by CBAC.

2) All incoming traffic is being denied at the external interface right now, but I would like to change this to allow some ports through, specifically port 3389 to allow Terminal Services on my Windows 2000 server. I have NAT configured on the router, so I would like all outside traffic using port 3389 to be allowed through to internal network address 192.168.1.20. What is the best way to do this? I have tried several different things with my access list on the external interface but had no luck.

Ans: If you need to allow certain ports, that is just fine; you need to add an extra line to ACL 101 at the very top with a permit statement for port 3389.

3) Should I apply the CBAC inspect rules on the internal interface instead?

Ans: Your current config is OK, but yes, alternatively you can apply inspect inbound on the FastEthernet0 interface. The effect will be the same, since you only have 2 interfaces on this router.

HTH

R/Yusuf

Thanks for your reply, Yusuf. I have some more questions though:

1) So I have to allow all ICMP traffic through in order to ping my router from an external location?

2) If I allow port 3389 through, do I not have to point it to the correct internal address of 192.168.1.20? Also, if I want to make changes to an existing ACL, do I have to delete the whole ACL? I just wanted to know if there was a command to add a line to the top, middle or bottom of an ACL without deleting and recreating the whole thing.

Thanks again

Answers inline:

1) So I have to allow all ICMP traffic through in order to ping my router from an external location?

Ans: Yes, you have to permit ICMP as it does not get inspected by CBAC.

2) If I allow port 3389 through, do I not have to point it to the correct internal address of 192.168.1.20? Also, if I want to make changes to an existing ACL, do I have to delete the whole ACL? I just wanted to know if there was a command to add a line to the top, middle or bottom of an ACL without deleting and recreating the whole thing.

Ans: Yes, you have to open the ACL for the correct IP and ports. If you have a numbered ACL, then you cannot insert lines in between; you have to remove the whole ACL and re-type it. The best way is to copy it into Notepad, remove it, and then paste it back. If you want the ability to insert in the middle etc., then use a named access-list, where you can modify/delete from the middle.

HTH

Regards

Yusuf
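Pulling the three answers together, as an added example that is not part of the thread or of Cisco documentation: a static port-forward for TCP/3389 to 192.168.1.20, a named inbound ACL that permits only that service plus the ICMP the router needs, and CBAC left where it is. The addresses come from the posted config; the ACL name OUTSIDE-IN and the use of sequence numbers are assumptions (sequence numbers need an IOS release that supports them; without them a named ACL still lets you delete single lines, but new lines append at the end). The existing overload NAT, inspect rule and interface addressing stay as posted.

```cisco
! Added example (not from the thread). Assumed ACL name: OUTSIDE-IN.
!
! Forward TCP/3389 arriving on the public address to the W2K server.
! "extendable" lets this static entry share 164.164.164.3 with the
! existing "ip nat inside source list 1 interface Ethernet0 overload".
ip nat inside source static tcp 192.168.1.20 3389 164.164.164.3 3389 extendable
!
! Named extended ACL with sequence numbers, so a line can later be
! inserted between existing ones (e.g. "15 permit ...") or removed
! with "no 15" instead of re-typing the whole list.
ip access-list extended OUTSIDE-IN
 ! Terminal Services only, and only to the address the static NAT uses.
 10 permit tcp any host 164.164.164.3 eq 3389
 ! Echo request is what an external ping of the router needs; CBAC does
 ! not inspect ICMP, so it has to be permitted explicitly.
 20 permit icmp any host 164.164.164.3 echo
 ! Same ICMP types the original ACL 101 already allowed.
 30 permit icmp any any echo-reply
 40 permit icmp any any unreachable
 50 permit icmp any any packet-too-big
 60 permit icmp any any time-exceeded
 70 permit icmp any any traceroute
 80 permit icmp any any administratively-prohibited
 ! Everything else is dropped and logged. CBAC inserts its temporary
 ! return-traffic entries ahead of these lines for inspected sessions.
 90 deny ip any any log
!
! Swap the numbered ACL for the named one; keep inspection outbound.
interface Ethernet0
 ip access-group OUTSIDE-IN in
 ip inspect JOJO out
```

Check it with "show ip nat translations" after an external RDP connection and "show ip inspect sessions" for outbound sessions; the log line on sequence 90 shows what is still being dropped.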