ACL for incoming and outgoing connection

Hi guys. I have a 2921 connected to the ISP, with subinterfaces for the appropriate VLANs. 2 servers are connected to SVI1:
[ISP]----[2921]-------[SVI1 interface]----[server]
 

I have a static NAT to that server and an ACL allowing only a specific public IP to that server IP. When I applied those rules on the "nat outside interface" as "access-group in", the remote user can connect to the server but the server cannot go to the internet. B.B.B.B = server public IP, A.A.A.A = remote user public IP.

10 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
20 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
30 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
40 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
50 permit ip host B.B.B.B any
60 permit ip host B.B.B.B any

 

I know that I need to allow the server IP to go to the internet in the ACL, but where should I do it if I have it in already?

Thank you


Traian Bratescu
Level 1

Hi,

You could add

1. "permit ip any host B.B.B.B established"

     this way the initial SYN would be denied, not allowing any initial connection to the server

or (better if you have the feature) you could use intercept (CBAC):

R(config)#ip inspect name FWOUT tcp

"ip inspect name inspection-name [ parameter max-sessions number ] protocol [ alert { on | off } ] [ audit-trail { on | off } ] [ timeout seconds ] "

and on the nat outside interface:

R(config-if)#ip inspect FWOUT out

 

... there is also the zone-based firewall feature but it would take longer to reconfigure.

 

Traian

With "permit ip any host B.B.B.B established", should the ACL be in or out? Will it help the server machine go to the internet? (The user connects with RDP to the server, and from the server goes to the internet.)

Hi,

You should add that line on the existing ACL (inbound on nat outside interface).

 

The problem with the existing ACL is that it denies the return traffic to the server:

The communication from the server to the internet:

1. Server connects to a public IP address

        B.B.B.B -> 8.8.8.8 (for example): this traffic is not filtered by any ACL

2. Return traffic

        8.8.8.8 -> B.B.B.B: this traffic is denied by the inbound ACL (and it will be allowed by the permit ip any host B.B.B.B established)

 

Additionally you could get rid of

50 permit ip host B.B.B.B any
60 permit ip host B.B.B.B any

show ip access-list should reveal no hits on these lines.

Traian

 

There is no "permit ip any host B.B.B.B established"; there is a permit tcp any host B.B.B.B established command. And the remote user says the server is exchanging data but still can't go to the internet. Here is the debug: 10.131.1.29 = server internal IP, BBBB = public IP

 FIBipv4-packet-proc: route packet from GigabitEthernet0/1.601 src 10.131.1.29 dst 8.8.8.8
.Jul 24 18:56:34.347 UTC: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 X.X.X.X

FIBipv4-packet-proc: packet routing succeeded
.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, output feature
.Jul 24 18:56:34.347 UTC:     UDP src=56707, dst=53, Post-routing NAT Outside(25), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, output feature
.Jul 24 18:56:34.347 UTC:     UDP src=56707, dst=53, Common Flow Table(28), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
.Jul 24 18:56:34.347 UTC: IP: s=BBBB(GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, output feature
.Jul 24 18:56:34.347 UTC:     UDP src=56707, dst=53, Stateful Inspection(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, output feature
.Jul 24 18:56:34.347 UTC:     UDP src=56707, dst=53, NAT ALG proxy(61), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), g=72.43.100.1, len 69, forward
.Jul 24 18:56:34.347 UTC:     UDP src=56707, dst=53
.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, sending full packet
.Jul 24 18:56:34.347 UTC:     UDP src=56707, dst=53

 

Does it look like the router doesn't like something with port 53 (domain)?

ACL on the outbound interface, applied as IN:

10 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
20 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
30 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
40 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
50 permit tcp any host B.B.B.B established
 

Hi,

Sorry for that; there is only tcp established.

The problem now is that you are using UDP and not TCP; unfortunately there is no way to keep track of "pseudo-UDP" sessions with classic ACLs (it would be no issue with CBAC).

If the only problem now is with UDP 53 (name resolution), you could also add a line like the following:

permit udp any eq 53 host B.B.B.B gt 1024

You would still have similar issues with other UDP services, for which you should add similar entries in the ACL.

Traian
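As an added example that is not part of the thread: a Python model of the inbound ACL discussed in the replies above, showing why the TCP return traffic matches the established line while the UDP 53 reply seen in the debug output does not until the suggested udp entry is added. Addresses other than the thread's placeholders (B.B.B.B, A.A.A.A, 8.8.8.8) are constructed.

```python
# Added example, not from the thread: a model of how an IOS-style inbound ACL on the NAT
# outside interface treats the flows discussed above. B.B.B.B and A.A.A.A are the thread's
# placeholders; 93.184.216.34 and 198.51.100.7 are constructed outside addresses.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False  # TCP ACK or RST bit set: all that "established" checks

def ace(proto, src, dst, sport=None, dport=None, established=False):
    """One access-control entry; sport/dport are port predicates, None means any."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, established=established)

def acl_permits(acl, pkt):
    """Evaluate entries top-down, with the implicit deny at the end, as IOS does."""
    for e in acl:
        if e["proto"] not in ("ip", pkt.proto):
            continue
        if e["src"] not in ("any", pkt.src) or e["dst"] not in ("any", pkt.dst):
            continue
        if e["sport"] and not e["sport"](pkt.sport):
            continue
        if e["dport"] and not e["dport"](pkt.dport):
            continue
        # "established" is stateless: any TCP segment with ACK/RST set matches, no session check
        if e["established"] and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        return True
    return False

SERVER_PORTS = {21, 23, 80, 443, 516, 1433, 3389}   # ftp telnet www 443 516 1433 3389
ACL_BEFORE = [
    ace("tcp", "A.A.A.A", "B.B.B.B", dport=lambda p: p in SERVER_PORTS),  # line 10
    ace("tcp", "any", "B.B.B.B", established=True),                        # line 50
]
# Traian's suggested line for DNS replies: permit udp any eq 53 host B.B.B.B gt 1024
ACL_AFTER = ACL_BEFORE + [ace("udp", "any", "B.B.B.B", sport=lambda p: p == 53,
                              dport=lambda p: p > 1024)]

def rdp_from_remote_user(acl):   # remote user opening RDP to the server
    return acl_permits(acl, Packet("tcp", "A.A.A.A", 50000, "B.B.B.B", 3389))
def tcp_reply_to_server(acl):    # return traffic of an HTTPS fetch the server started
    return acl_permits(acl, Packet("tcp", "93.184.216.34", 443, "B.B.B.B", 51234, True))
def dns_reply_to_server(acl):    # the UDP 53 reply for the query in the debug output
    return acl_permits(acl, Packet("udp", "8.8.8.8", 53, "B.B.B.B", 56707))
```

Because the established keyword only looks at TCP flag bits and the UDP line only at port numbers, neither knows whether the server actually started the conversation, which is the reason the reply recommends CBAC (ip inspect) over classic ACLs.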
