Applying ACL to external interface blocks access to internet

davorin
Level 1

Hi,

I have a problem on a Cisco C892. The moment I apply the ACL-IN ACL on the external Dialer0 interface, I lose connectivity from the LAN to the internet (ping, DNS, HTTP, everything), which is unwanted, while I still have RDP access from the internet 2.2.2.0 network to the internal server at 192.168.1.37.
From the LAN to the internet I want to block just SMTP, except from the mail server.
From the external network 2.2.2.0/24 I want to allow access to everything specified in the NAT rules.
From other internet addresses I want to allow only what is specified in the ACL-IN access list.
1.1.1.1 is my fixed public IP address, which I get on the Dialer0 interface with the PPPoE connection.

Adding "permit ip any any" at the end of ACL-IN would make this ACL useless. I guess I need to permit just/also established connections started from the LAN and PPPoE?
(I have been told that the customer has another 4 public IP addresses which are routed by the ISP over the 1.1.1.1 address, but they are not in use, if relevant.)


Any suggestions would be more than welcome.

Here is the relevant part of the router configuration:
ip cef
ip domain name domain.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name WALL tcp
ip inspect name WALL udp
ip inspect name WALL tftp
ip inspect name WALL ftp
ip inspect name WALL realaudio
ip inspect name WALL icmp
ip inspect name WALL rtsp
ip inspect name WALL http
ip inspect name WALL https
ip inspect name WALL ssh
ip inspect name WALL sip
ip inspect name WALL h323
no ipv6 cef
!
interface FastEthernet8
 description ***INTERNET PPPoE***
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description === LAN ===
 ip address 192.168.1.5 255.255.255.0
 ip access-group BLOCK_SPAM in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 load-interval 30
!
interface Dialer0
 description ***INTERNET PPPoE***
 ip address negotiated
 ip access-group ACL-IN in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname pppoeusername
 ppp chap password 7 xxxxxx
 no cdp enable
 crypto map cmap
!
!
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.1.19 110 interface Dialer0 110
ip nat inside source static tcp 192.168.1.24 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.19 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.19 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.18 1750 1.1.1.1 1750 extendable
ip nat inside source static tcp 192.168.1.37 3389 1.1.1.1 3337 extendable
ip nat inside source static tcp 192.168.1.110 8000 1.1.1.1 8000 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended ACL-IN
 permit ip 2.2.2.0 0.0.0.255 any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any host 1.1.1.1 eq smtp
 permit tcp any host 1.1.1.1 eq pop3
 permit tcp any host 1.1.1.1 eq 443
 permit tcp any host 1.1.1.1 eq www
 permit tcp any host 1.1.1.1 eq 1750
 permit tcp any host 1.1.1.1 eq 8000
ip access-list extended BLOCK_SPAM
 permit tcp host 192.168.1.19 any eq smtp
 deny   tcp any any eq smtp
 permit ip any any
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.255.0 0.0.0.127
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
dialer-list 1 protocol ip permit
no cdp run


7 Replies

Hello,

Any access list has an implicit 'deny', so if you don't specifically allow traffic, it will be blocked. Make the additions marked in bold:

ip access-list extended ACL-IN
permit ip 2.2.2.0 0.0.0.255 any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host 1.1.1.1 eq smtp
permit tcp any host 1.1.1.1 eq pop3
permit tcp any host 1.1.1.1 eq 443
permit tcp any host 1.1.1.1 eq www
permit tcp any host 1.1.1.1 eq 1750
permit tcp any host 1.1.1.1 eq 8000
deny tcp any any eq smtp
deny tcp any any eq pop3
deny tcp any any eq 443
deny tcp any any eq 1750
deny tcp any any eq 8000
permit ip any any

Hi,
thank you for the quick answer.
Wouldn't it make more sense to change it to:
ip access-list extended ACL-IN
permit ip 2.2.2.0 0.0.0.255 any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host 1.1.1.1 eq smtp
permit tcp any host 1.1.1.1 eq pop3
permit tcp any host 1.1.1.1 eq 443
permit tcp any host 1.1.1.1 eq www
permit tcp any host 1.1.1.1 eq 1750
permit tcp any host 1.1.1.1 eq 8000
deny tcp any host 1.1.1.1 eq 3337
permit ip any any

All NAT-ed ports, except 3337, should be accessible from everywhere.
And I'm not sure about using "permit ip any any". Doesn't this open this router completely?
Is there any difference in security whether or not I block a certain port using the ACL, if it is not used in the NAT rules?
And I would probably need to limit access to additional ports like SSH, ...

Hello,

if you don't want to allow 'ip any any' you need to know exactly what your users do on the Internet. Possible, of course, but tedious and tricky. One way to do it, I guess, is to block everything, log it, and then create an access list based on the logs...

Hello,
What about using "permit ip any any established" instead of "permit ip any any"?
Should this work?
Is there any difference in security whether or not I block a certain port using the ACL, if it is not used in the NAT rules?

permit ip any any established is not a valid command. The command you are thinking of is permit tcp any any established. That is a valid technique to permit TCP traffic from outside that is a response to something initiated from inside, while denying TCP traffic that is initiated from outside. But it works only for TCP and not for all of IP.

HTH

Rick
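
The two answers above, the first one (an ACL ends in an implicit deny, so add "permit ip any any") and Rick's point that "established" only covers TCP, can be checked against a small model of how IOS walks an inbound ACL. The evaluator below is an added example written for this thread, not IOS and not code from any of the posters. It only understands the subset of extended-ACL syntax that appears on this page (protocol, "any"/"host"/wildcard addresses, "eq" on the destination port, "established", "log"), and the sample packets, together with the 203.0.113.80 and 198.51.100.9 outside hosts, are constructed; the ACL text is the ACL-IN from the question with each answer's lines appended.

```python
# Added example: evaluator for the subset of Cisco IOS extended-ACL syntax used in
# this thread (first match wins, implicit deny, "eq" = destination port,
# "established" = TCP segment with ACK or RST set). An illustration, not IOS.
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "isakmp": 500, "non500-isakmp": 4500}

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "esp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag

@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # "any" | "host A.B.C.D" | "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None
    established: bool = False

def _ip(a: str) -> int:
    return int.from_bytes(bytes(int(o) for o in a.split(".")), "big")

def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    net, wild = spec.split()    # Cisco wildcard: a 1 bit means "don't care"
    return (_ip(net) | _ip(wild)) == (_ip(addr) | _ip(wild))

def parse_ace(line: str) -> Ace:
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    def addr() -> str:          # consumes "any", "host X" or "X WILDCARD"
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        i += 2
        return " ".join(tok[i - 2:i])
    src, dst = addr(), addr()
    dport, established = None, False
    while i < len(tok):
        if tok[i] == "eq":      # every "eq" in this thread follows the destination
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            established = True
            i += 1
        else:                   # e.g. "log": no effect on matching
            i += 1
    return Ace(action, proto, src, dst, dport, established)

def evaluate(acl: Sequence[Ace], pkt: Packet) -> str:
    # Walk the ACL top-down like IOS; return "permit" or "deny".
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
            continue
        return ace.action
    return "deny"               # the implicit deny at the end of every IOS ACL

ACL_IN = """permit ip 2.2.2.0 0.0.0.255 any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host 1.1.1.1 eq smtp
permit tcp any host 1.1.1.1 eq pop3
permit tcp any host 1.1.1.1 eq 443
permit tcp any host 1.1.1.1 eq www
permit tcp any host 1.1.1.1 eq 1750
permit tcp any host 1.1.1.1 eq 8000"""   # ACL-IN as posted in the question

def build(extra: Sequence[str] = ()) -> List[Ace]:
    return [parse_ace(l) for l in ACL_IN.splitlines()] + [parse_ace(l) for l in extra]

ORIGINAL = build()
ACCEPTED = build(["deny tcp any any eq %s" % p for p in ("smtp", "pop3", "443", "1750", "8000")]
                 + ["permit ip any any"])               # first accepted answer
ESTABLISHED = build(["permit tcp any any established"])  # Rick's corrected form

def verdicts(pkt: Packet) -> Tuple[str, str, str]:
    return (evaluate(ORIGINAL, pkt), evaluate(ACCEPTED, pkt), evaluate(ESTABLISHED, pkt))

# Constructed packets as seen inbound on Dialer0 (before NAT rewrites 1.1.1.1);
# 203.0.113.80 and 198.51.100.9 are documentation addresses, not from the thread.
DNS_REPLY = Packet("udp", "8.8.8.8", "1.1.1.1", sport=53, dport=53000)
WEB_REPLY = Packet("tcp", "203.0.113.80", "1.1.1.1", sport=443, dport=50000, ack=True)
RDP_FROM_INTERNET = Packet("tcp", "198.51.100.9", "1.1.1.1", sport=40000, dport=3337)
RDP_FROM_PARTNER = Packet("tcp", "2.2.2.7", "1.1.1.1", sport=40000, dport=3337)
```

Running verdicts() on the four constructed packets gives (original, accepted, established) of deny/permit/deny for the DNS reply, deny/permit/permit for the TCP web reply, deny/permit/deny for an unsolicited RDP connection from an arbitrary internet host, and permit for all three for RDP from 2.2.2.0/24. That is the whole thread in one table: the posted ACL-IN has no line matching return traffic, so the implicit deny drops the DNS and HTTP replies and the LAN loses the internet; "permit ip any any" restores them but also admits the unsolicited connection to 1.1.1.1:3337 that Davorin was worried about; "permit tcp any any established" admits the TCP reply without the unsolicited connection, but, as Rick says, does nothing for the UDP DNS reply. One further observation from the posted configuration: the "ip inspect name WALL ..." rule set is defined but is not applied to any interface with "ip inspect WALL out", which is the IOS (CBAC) mechanism that dynamically admits return traffic for UDP and ICMP as well as TCP.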

Thank you for your help.

"permit ip any any" did the job, and I have used a slightly changed version of the ACL I posted before.

And thanks for correcting the command to "permit tcp any any established". I have decided not to use it at the moment, because I'm not so familiar with the customer's needs. Maybe next time.

Thank you again to both of you!

I hope I have correctly closed the question.

Best regards,

Davorin

Davorin

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. I believe that you have correctly closed the discussion. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick