07-24-2015 08:58 AM - edited 03-05-2019 01:56 AM
Hi guys. I have a 2921 connected to the ISP, with subinterfaces for the appropriate VLANs. 2 servers are connected to SVI1:
[ISP]----[2921]-------[SVI1 interface]----[server]
I have a static NAT to that server and an ACL allowing only a specific public IP to that server IP. When I applied those rules on the "nat outside interface"
as "access-group in", the remote user can connect to the server, but the server cannot go to the internet. BBBB is the server public IP, AAAA is the remote user public IP.
10 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
20 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
30 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
40 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
50 permit ip host B.B.B.B any
60 permit ip host B.B.B.B any
I know that I need to allow the server IP in the ACL to go to the internet, but where should I do it if I have it in already?
Thank you
07-24-2015 09:24 AM
Hi,
You could add
1. "permit ip any host B.B.B.B established"
this way the initial SYN would be denied, not allowing any initial connection to the server
or (better if you have the feature) you could use intercept (CBAC):
R(config)#ip inspect name FWOUT tcp
"ip inspect name inspection-name [ parameter max-sessions number ] protocol [ alert { on | off } ] [ audit-trail { on | off } ] [ timeout seconds ] "
and on the nat outside interface:
R(config-if)#ip inspect FWOUT out
... there is also the zone-based firewall feature but it would take longer to reconfigure.
Traian
07-24-2015 09:32 AM
With "permit ip any host B.B.B.B established", should the ACL be in or out? Will it help the server machine go to the internet? (The user connects with RDP to the server and from the server goes to the internet.)
07-24-2015 10:06 AM
Hi,
You should add that line on the existing ACL (inbound on nat outside interface).
The problem with the existing ACL is that it denies the return traffic to the server:
The communication from the server to the internet:
1. Server connects to a public IP address
B.B.B.B -> 8.8.8.8 (for example) this traffic is not filtered by any ACL
2. Return traffic
8.8.8.8 -> B.B.B.B - this traffic is denied by the inbound ACL (and it will be allowed by the permit ip any host B.B.B.B established )
Additionally you could get rid of
50 permit ip host B.B.B.B any
60 permit ip host B.B.B.B any
show ip access-list should reveal no hits on these lines.
Traian
07-24-2015 12:04 PM
There is no "permit ip any host B.B.B.B established"; there is a permit tcp any host B.B.B.B established command. And the remote user says the server is exchanging data but still can't go to the internet. Here is the debug: 10.131.1.29 is the server internal IP, BBBB the public IP
FIBipv4-packet-proc: route packet from GigabitEthernet0/1.601 src 10.131.1.29 dst 8.8.8.8
.Jul 24 18:56:34.347 UTC: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 X.X.X.X
FIBipv4-packet-proc: packet routing succeeded
.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, output feature
.Jul 24 18:56:34.347 UTC: UDP src=56707, dst=53, Post-routing NAT Outside(25), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, output feature
.Jul 24 18:56:34.347 UTC: UDP src=56707, dst=53, Common Flow Table(28), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
.Jul 24 18:56:34.347 UTC: IP: s=BBBB(GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, output feature
.Jul 24 18:56:34.347 UTC: UDP src=56707, dst=53, Stateful Inspection(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, output feature
.Jul 24 18:56:34.347 UTC: UDP src=56707, dst=53, NAT ALG proxy(61), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), g=72.43.100.1, len 69, forward
.Jul 24 18:56:34.347 UTC: UDP src=56707, dst=53
.Jul 24 18:56:34.347 UTC: IP: s=BBBB (GigabitEthernet0/1.601), d=8.8.8.8 (GigabitEthernet0/0), len 69, sending full packet
.Jul 24 18:56:34.347 UTC: UDP src=56707, dst=53
Does it look like the router doesn't like something with port 53 (domain)?
ACL on the outbound interface as IN:
10 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
20 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
30 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
40 permit tcp host A.A.A.A host B.B.B.B eq ftp telnet www 443 516 1433 3389 log
50 permit tcp any host B.B.B.B established
07-24-2015 12:10 PM
Hi,
Sorry for that; there is only tcp established.
The problem now is that you are using UDP and not tcp; unfortunately there is no way to keep track of "pseudo-udp" sessions with classic ACLs (would be no issue with CBAC).
If the only problem now is with udp 53 - name resolution you could also add a line like the following:
permit udp any eq 53 host B.B.B.B gt 1024
You still would have similar issues with other UDP services for which you should add similar entries in the ACL.
Traian
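To make the three answers concrete, here is an added example (not from the thread or from Cisco IOS) that models classic extended-ACL matching in Python and replays the packets discussed: the remote user's RDP SYN, the TCP reply to a web request from the server, the UDP 53 reply seen in the debug, and a fresh inbound SYN. A.A.A.A, B.B.B.B and the port numbers are the thread's own placeholders; the packets are constructed sample input.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Container, Optional

A, B = "A.A.A.A", "B.B.B.B"   # remote-user and server public IPs (the thread's placeholders)
SERVER_PORTS = {21, 23, 80, 443, 516, 1433, 3389}   # "eq ftp telnet www 443 516 1433 3389"
@dataclass
class Ace:                                # one 'permit' entry of a classic IOS extended ACL
    proto: str                            # "tcp", "udp" or "ip"
    src: str = "any"
    dst: str = "any"
    sport: Optional[Container] = None     # None = any port; range(53, 54) = "eq 53"
    dport: Optional[Container] = None     # range(1025, 65536) = "gt 1024"
    established: bool = False             # TCP only: matches when ACK or RST is set
# A packet as the inbound ACL sees it (flags only matter for TCP).
Pkt = namedtuple("Pkt", "proto src dst sport dport flags", defaults=[frozenset()])

def _match(ace: Ace, p: Pkt) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if ace.src not in ("any", p.src) or ace.dst not in ("any", p.dst):
        return False
    for want, got in ((ace.sport, p.sport), (ace.dport, p.dport)):
        if want is not None and got not in want:
            return False
    if ace.established and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
        return False
    return True
def permitted(acl: list, p: Pkt) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    return any(_match(ace, p) for ace in acl)

# The OP's inbound ACL on the NAT outside interface (its lines 10-40 collapsed into one).
BASE = [Ace("tcp", src=A, dst=B, dport=SERVER_PORTS)]
WITH_EST = BASE + [Ace("tcp", dst=B, established=True)]          # permit tcp any host B.B.B.B established
WITH_DNS = WITH_EST + [Ace("udp", dst=B, sport=range(53, 54), dport=range(1025, 65536))]

def summary() -> dict:
    """For each constructed packet: permitted by BASE, WITH_EST and WITH_DNS, in that order."""
    pkts = {
        "rdp_syn":    Pkt("tcp", A, B, 50123, 3389, {"SYN"}),                # remote user opening RDP
        "https_back": Pkt("tcp", "8.8.8.8", B, 443, 52000, {"SYN", "ACK"}),  # reply to the server's web request
        "dns_back":   Pkt("udp", "8.8.8.8", B, 53, 56707),                   # reply to the DNS query in the debug
        "new_syn":    Pkt("tcp", "8.8.8.8", B, 40000, 443, {"SYN"}),         # fresh inbound SYN, no existing session
    }
    return {n: [permitted(acl, p) for acl in (BASE, WITH_EST, WITH_DNS)] for n, p in pkts.items()}

if __name__ == "__main__":
    for name, verdicts in summary().items():
        print(f"{name:11s} base={verdicts[0]!s:5} established={verdicts[1]!s:5} +udp53={verdicts[2]}")
```

The run shows why the `established` line fixes TCP but not the DNS reply, and that a fresh SYN from the internet is still dropped by all three ACLs; with CBAC the UDP line would be unnecessary because the inspect session would open the return path.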