Cisco 897 ACL issue - block incoming traffic

Hi,

I am facing an issue which I can't get my head around. I would like to limit inbound traffic from the outside interface, i.e. the WAN. I have created an ACL and applied it to the WAN interface inbound. However, whenever I apply it, the ACL seems to work but all outbound traffic gets blocked too.

Here is my config - any pointers would be much appreciated, and I guess I'm missing something obvious!


interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address 1.1.1.1 255.255.255.248
 ip access-group outside_access_in in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Wlan-GigabitEthernet8
 no ip address
!
interface wlan-ap0
 no ip address
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 101 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 9.9.9.9
ip ssh port 2222 rotary 1
!
ip access-list extended ACL-CONSOLE-PERMIT
 permit ip 3.3.3.3 0.0.0.255 any
 permit ip 4.4.4.4 0.0.0.255 any
 deny   ip any any
ip access-list extended outside_access_in
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit ip 3.3.3.3 0.0.0.255 any
 permit ip 4.4.4.4 0.0.0.255 any
 permit esp any any
 permit gre any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any any eq bootpc
 deny   ip any any log
!
logging trap debugging
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
no vstack
!
line con 0
 no modem enable
line aux 0
 access-class ACL-CONSOLE-PERMIT in
line 2
 access-class ACL-CONSOLE-PERMIT in
 exec-timeout 60 0
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class ACL-CONSOLE-PERMIT in
 login local
 rotary 1
 transport input ssh
!
scheduler allocate 20000 1000
!
end

19 Replies

Hello

Try the following, it's a basic context-based ACL based on your requirements


ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
no ip access-list extended outside_access_in
ip access-list extended outside_access_in
 deny icmp any any echo
 permit ip host 2.2.2.2 any
 permit ip host 3.3.3.3 any
 permit esp any any
 permit gre any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any any eq bootpc
!
interface GigabitEthernet8
 no ip redirects
 no ip unreachables
 ip inspect CBAC out
 ip access-group outside_access_in in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

If I am understanding the original poster correctly they want to permit traffic from inside to the Internet (and inherently that also needs to permit the response traffic from the Internet) and want to permit traffic from a few Internet resources to access resources in the inside network. That is pretty much impossible if we are trying to do it with normal access lists. The key issue is what happens to responses coming from the Internet. We can sort of solve the issue for tcp traffic using permit tcp any any established, which will recognize tcp traffic that is a response to something initiated from inside. But we do not have a solution for udp traffic, or icmp traffic, or other sorts of traffic. The closest we can come is CBAC (as long as we are looking at using IOS devices). What we really want in this situation is something that does stateful inspection (like an ASA or other firewall type devices).

HTH

Rick
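To make Rick's point concrete, here is an added Python model (not from the thread or from Cisco) of the three approaches: the poster's stateless outside_access_in ACL, the same ACL with `permit tcp any any established`, and a CBAC-style session table. The packet fields, the documentation-range peer addresses and the session-table logic are this example's own assumptions; 1.1.1.1 is the thread's placeholder WAN address.

```python
from dataclasses import dataclass, field

# Constructed model of this thread's problem: a stateless inbound ACL on the
# WAN interface versus a stateful session table of the kind CBAC (or a
# zone-based firewall) keeps. Addresses are as seen on the WAN side, i.e.
# after NAT; 1.1.1.1 is the thread's placeholder WAN address.

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", "esp" or "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag, all that `established` looks at
    icmp_type: int = 0

def acl_outside_in(p: Packet) -> bool:
    """Stateless emulation of the poster's outside_access_in ACL."""
    if p.proto in ("esp", "gre"):
        return True
    if p.proto == "udp" and p.dport in (500, 4500, 68):  # isakmp, non500-isakmp, bootpc
        return True
    if p.proto == "icmp" and p.icmp_type in (11, 3):     # time-exceeded, unreachable
        return True
    # the trusted management networks would be permitted here; everything
    # else falls through to `deny ip any any log`
    return False

def acl_with_established(p: Packet) -> bool:
    """Same ACL plus `permit tcp any any established`: only TCP replies gain."""
    return acl_outside_in(p) or (p.proto == "tcp" and p.ack)

@dataclass
class StatefulInspector:
    """CBAC-like session table: an outbound flow admits its own replies."""
    sessions: set = field(default_factory=set)

    def outbound(self, p: Packet) -> None:
        # seen on the way out: record the 5-tuple so the reply is expected
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet) -> bool:
        # the exact reverse of a recorded flow is a reply; anything else
        # is judged by the static ACL alone
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True
        return acl_outside_in(p)
```

A DNS reply from the Internet is dropped by both static variants but admitted by the inspector once the matching outbound query has been seen, which is exactly the symptom the poster describes.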

Hi,

Many thanks for your suggestion. Unfortunately I tried this and this is the behaviour I am encountering:

- from the Internet I am not able to ping the WAN interface of the router - good
- from the Internet and from 2.2.2.2 and 3.3.3.3 I am able to reach the router on all services - good
- from the inside LAN network 192.168.0.0 I am unable to reach out to the Internet - not intended
- from the inside LAN network 192.168.0.0 I am only able to reach 2.2.2.2 and 3.3.3.3 via the Internet - not intended

It seems the outbound traffic is for some reason getting blocked. Could it be because the ACL explicitly denies all, so it breaks the stateful inbound traffic?

Hello

Seems strange, the CBAC should work accordingly. Can you attach the running config presently applied to that router as a file?

Kind Regards
Paul

Hello,

A Zone Based Firewall will work. The configuration is below (important parts marked in bold). Make sure to match everything exactly like below, as there are some intricacies (NAT and GRE/ESP require special attention):


class-map type inspect match-any OUT-TO-SELF-CM
match access-group name OUT-TO-SELF-ACL
class-map type inspect match-any GRE-ESP-CM
match access-group name GRE-ESP-ACL
class-map type inspect match-any SELF-TO-OUT-CM
match access-group name SELF-TO-OUT-ACL
class-map type inspect match-any INSIDE-TO-OUTSIDE-CM
! tcp and udp added: without them ordinary inside-to-Internet sessions (web,
! DNS) fall into class-default of INSIDE-TO-OUTSIDE-PM and are dropped
match protocol tcp
match protocol udp
match protocol isakmp
match protocol bootpc
match protocol icmp
match access-group name NON500-ISAKMP-ACL
class-map type inspect match-any OUTSIDE-TO-INSIDE-CM
match access-group name OUTSIDE-TO-INSIDE-ACL
!
policy-map type inspect OUTSIDE-TO-INSIDE-PM
class type inspect OUTSIDE-TO-INSIDE-CM
inspect
class type inspect GRE-ESP-CM
pass
class class-default
drop log
policy-map type inspect INSIDE-TO-OUTSIDE-PM
class type inspect INSIDE-TO-OUTSIDE-CM
inspect
class type inspect GRE-ESP-CM
pass
class class-default
drop log
policy-map type inspect SELF-TO-OUT-PM
class type inspect SELF-TO-OUT-CM
drop
class class-default
drop
policy-map type inspect OUT-TO-SELF-PM
class type inspect OUT-TO-SELF-CM
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE-ZP source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-PM
zone-pair security OUTSIDE-TO-INSIDE-ZP source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-PM
zone-pair security OUT-TO-SELF-ZP source OUTSIDE destination self
service-policy type inspect OUT-TO-SELF-PM
zone-pair security SELF-TO-OUT-ZP source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-PM
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 1.1.1.1 255.255.255.248
ip nat enable
zone-member security OUTSIDE
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat enable
zone-member security INSIDE
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat source list 1 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 9.9.9.9
ip ssh port 2222 rotary 1
!
ip access-list extended ACL-CONSOLE-PERMIT
permit ip 3.3.3.3 0.0.0.255 any
permit ip 4.4.4.4 0.0.0.255 any
deny ip any any
!
logging trap debugging
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
ip access-list extended GRE-ESP-ACL
permit gre any any
permit esp any any
ip access-list extended NON500-ISAKMP-ACL
permit udp any any eq non500-isakmp
ip access-list extended OUT-TO-SELF-ACL
deny ip any any
ip access-list extended OUTSIDE-TO-INSIDE-ACL
permit ip host 2.2.2.2 any
permit ip host 3.3.3.3 any
ip access-list extended SELF-TO-OUT-ACL
deny ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
no vstack
!
line con 0
no modem enable
line aux 0
access-class ACL-CONSOLE-PERMIT in
line 2
access-class ACL-CONSOLE-PERMIT in
exec-timeout 60 0
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class ACL-CONSOLE-PERMIT in
login local
rotary 1
transport input ssh
!
scheduler allocate 20000 1000
!
end
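As an added check (not part of the thread or of IOS), this Python script lists names that a zone-based firewall configuration references but never defines; a class-map name typed as OUT-T0-SELF-CM (zero) but referenced as OUT-TO-SELF-CM would otherwise leave that policy-map class silently empty. The sample fragment is constructed for the example, and the regexes assume the command spellings shown in the post above.

```python
import re
from collections import defaultdict

# Constructed fragment shaped like the zone-based firewall config posted above,
# with one class-map name mis-typed (T0 with a zero) so the check finds it.
SAMPLE = """
class-map type inspect match-any OUT-T0-SELF-CM
 match access-group name OUT-TO-SELF-ACL
class-map type inspect match-any OUTSIDE-TO-INSIDE-CM
 match access-group name OUTSIDE-TO-INSIDE-ACL
policy-map type inspect OUT-TO-SELF-PM
 class type inspect OUT-TO-SELF-CM
policy-map type inspect OUTSIDE-TO-INSIDE-PM
 class type inspect OUTSIDE-TO-INSIDE-CM
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-SELF-ZP source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF-PM
zone-pair security OUTSIDE-TO-INSIDE-ZP source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-PM
ip access-list extended OUT-TO-SELF-ACL
ip access-list extended OUTSIDE-TO-INSIDE-ACL
"""

DEFS = {  # how each kind of object is declared
    "class-map": re.compile(r"^class-map type inspect \S+ (\S+)$"),
    "policy-map": re.compile(r"^policy-map type inspect (\S+)$"),
    "acl": re.compile(r"^ip access-list extended (\S+)$"),
    "zone": re.compile(r"^zone security (\S+)$"),
}
REFS = {  # how each kind is referenced by name
    "class-map": re.compile(r"^class type inspect (\S+)$"),
    "policy-map": re.compile(r"^service-policy type inspect (\S+)$"),
    "acl": re.compile(r"^match access-group name (\S+)$"),
    "zone": re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)$"),
}

def dangling_references(config: str) -> list:
    """Return sorted (kind, name) pairs that are referenced but never defined."""
    defined, referenced = defaultdict(set), defaultdict(set)
    for line in (raw.strip() for raw in config.splitlines()):
        for kind, rx in DEFS.items():
            if m := rx.match(line):
                defined[kind].add(m.group(1))
        for kind, rx in REFS.items():
            if m := rx.match(line):
                # "self" is the router's built-in zone and is never declared
                referenced[kind].update(g for g in m.groups() if g != "self")
    return sorted((k, n) for k in referenced for n in referenced[k] - defined[k])
```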
