Classic Firewall - Configuring ACL Inbound

sanjayh23
Level 1

For a router, IF one interface is connected to a trusted zone and one is connected to an untrusted zone, how would I apply an ACL 110 inbound on an appropriate interface to deny all IP traffic, an ACL 120 to permit TCP port 443 traffic and permit any ICMP traffic and configure an inspection that inspects appropriate packets?

 

Is this right?

 

access-list 110 deny ip any any

 

access-list 120 permit tcp any eq 443 any

access-list 120 permit icmp any any echo

 

hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect


25 Replies

Hello,

 

are you talking about a zone based firewall? If so, you don't use access lists and zones together on the same interface.


It's a Cisco Packet Tracer lab exercise I'm stuck on. The ACL needs to be configured on Milton. Its fa0/0 interface is connected to a trusted zone and its s0/0/0 interface is connected to an untrusted zone. ACL 110 is already configured, it just needs to be applied, and ACL 120 is already applied to an interface.

 

I'm just confirming if this is right:

  • access-list 110 deny ip any any
  • access-list 120 permit tcp any eq 443 any
  • access-list 120 permit icmp any any echo
  • hostname(config)# class-map inspection_default
  • hostname(config-cmap)# match access-list inspect

What's missing? What needs correction? Is the placement wrong? 

Can you confirm?

Hello,

 

can you send the zipped project (.pkt) file ?

Hello


@sanjayh23 wrote:

its s0/0/0 interface is connected to an untrusted zone. ACL 110 is already configured, it just needs to be applied and ACL 120 is already applied to an interface.


By default, in Cisco ASA any interface that has a lower security level CANNOT ping a higher security level interface.

Example
inside interface = 100
outside = 0


So any device connected to that untrusted interface will have a low security level, if not zero, and as such it won't be able to initiate any communication to the FW.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

 

deny ip any any applied to any interface will block any and all traffic through that interface. As stated, it is difficult to figure out what you are running into, as we don't know what your configs look like (ZBF or not). If you cannot post the project file, at the very least post the full running configs of both routers (sh run)...

[Attached screenshots: Milton running config, Island running config]

Hello,

 

post the zipped project (.pkt) file. Your output is difficult to interpret (e.g. you are running RIP on one router but not the other, the other router has no routing at all, and I see access lists that are not applied anywhere, or applied but do not exist)...

 

You can ZIP the .pkt file and just post it here...

Here it is

Hello,

 

sorry for the confusion, but the 'class-map inspection_default' command is an ASA command. You are trying to configure this on a router?

 

Do you have the full project specs/requirements?

In this part of the classic firewall network, the Milton fa0/0 connects to a trusted zone.
The Milton s0/0/0 connects to an untrusted zone.

 

A. On Milton, apply ACL 110 inbound on an appropriate interface to deny all ip traffic (ACL 110 is already configured, just apply it)
B. On Milton, configure an ACL 120 to permit tcp port 443 traffic and also permit any icmp traffic. (ACL 120 is already applied to an interface)
C. On Milton, configure an inspection called TEST_FW that inspects appropriate packets
D. Apply this inspection called TEST_FW inbound on the Milton fa0/0
E. Enable audit messages to provide a record of network access through the firewall.
F. Enable time stamped logging of inspection packets to the local Milton server at 10.1.100.254
G. Check that the time stamped logging occurs for inspection audit.

Well?

Hello,

 

a classical CBAC config would look like this, I am not really sure what they are looking for (ACL 110 does not really fit in, the inspect must be outbound):

 

Current configuration : 1097 bytes
!
version 12.4
service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Hamburg31_test
!
ip cef
no ipv6 cef
!
--> ip inspect audit-trail
--> ip inspect name TEST_FW icmp audit-trail on timeout 10
--> ip inspect name TEST_FW tcp audit-trail on timeout 3600
spanning-tree mode pvst
!
interface Loopback0
ip address 10.1.102.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.100.1 255.255.255.0
--> ip access-group 120 in
--> ip inspect TEST_FW out
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.101.1 255.255.255.252
!
interface Serial0/0/1
no ip address
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.101.2
!
ip flow-export version 9
!
--> access-list 120 deny tcp any any eq 443
--> access-list 120 deny icmp any any
!
--> logging 10.1.100.254
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
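As an added example (not posted by anyone in this thread), here is one way the exercise's requirements A to G map onto classic CBAC on Milton, following the placement the exercise itself gives: ACL 110 inbound on the untrusted s0/0/0, ACL 120 and the TEST_FW inspection inbound on the trusted fa0/0. In this layout CBAC inspects sessions started from the trusted side and dynamically opens return holes in ACL 110 on the untrusted side, so the deny ip any any does fit. The interface names, the syslog host 10.1.100.254 and the ACL numbers are taken from the exercise; everything else is assumed.

```cisco
! Constructed example config for Milton (classic CBAC firewall)
! fa0/0 = trusted zone, s0/0/0 = untrusted zone (as stated in the exercise)
!
! E / F: audit messages, timestamped, sent to the local syslog server
service timestamps log datetime msec
logging 10.1.100.254
logging trap informational
ip inspect audit-trail
!
! C: the TEST_FW inspection rule; tcp and icmp match what ACL 120 permits
ip inspect name TEST_FW tcp
ip inspect name TEST_FW icmp
!
! A: ACL 110 statically blocks everything arriving from the untrusted side.
!    CBAC adds temporary entries ahead of it for return traffic of
!    sessions it has inspected, so replies to trusted hosts still get in.
access-list 110 deny ip any any
!
! B: ACL 120 limits what trusted hosts may start: HTTPS and ICMP only.
!    Note the destination port (any eq 443), not the source port.
access-list 120 permit tcp any any eq 443
access-list 120 permit icmp any any
!
! B / D: ACL 120 and the inspection both inbound on the trusted interface
interface FastEthernet0/0
 ip access-group 120 in
 ip inspect TEST_FW in
!
! A: ACL 110 inbound on the untrusted interface
interface Serial0/0/0
 ip access-group 110 in
```

For requirement G, start an HTTPS connection or a ping from a trusted host, then check the dynamic entries with show ip inspect sessions and the audit-trail lines (with timestamps) with show logging on Milton and on the syslog server.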

Thank you

 

Hello,

 

here are the IPv6 tunnel configs:

 

Hamburg3#sh run
Building configuration...

Current configuration : 1385 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Hamburg3
!
logging userinfo
!
ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
ip domain-name gss.com
!
spanning-tree mode pvst
!
interface Tunnel1
no ip address
mtu 1476
ipv6 address 2001:172:16:1::1/64
ipv6 eigrp 2
tunnel source FastEthernet0/0
tunnel destination 142.1.1.2
tunnel mode ipv6ip
!
interface FastEthernet0/0
ip address 142.1.1.1 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.1.1.1 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
ipv6 address 2001:192:1:1::1/64
ipv6 eigrp 2
!
interface Serial0/0/0
ip address 10.1.101.2 255.255.255.252
clock rate 2000000
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
!
router rip
network 142.1.0.0
network 192.1.1.0
!
ipv6 router eigrp 2
no shutdown
!
ip classless
!
ip flow-export version 9
!
ip access-list extended sl_def_acl
deny tcp any any eq telnet
deny tcp any any eq www
deny tcp any any eq 22
permit tcp any any eq 22
!
no cdp run
!
banner motd ^C
Hamburg router
^C
!
line con 0
!
line aux 0
!
line vty 0 1
login local
line vty 2 4
login
!
end

 

Munich3#sh run
Building configuration...

Current configuration : 1320 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Munich3
!
ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
spanning-tree mode pvst
!
interface Tunnel1
no ip address
mtu 1476
ipv6 address 2001:172:16:1::2/54
ipv6 eigrp 2
tunnel source FastEthernet0/0
tunnel destination 142.1.1.1
tunnel mode ipv6ip
!
!
interface FastEthernet0/0
ip address 142.1.1.2 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
ipv6 address 2001:10:1:1::1/64
ipv6 eigrp 2
ipv6 rip 1 enable
!
interface Serial0/0/0
ip address 179.1.1.1 255.255.255.252
ipv6 address 2001:179:1:1::1/64
ipv6 rip 1 enable
clock rate 2000000
!
interface Serial0/0/1
ip address 210.1.1.1 255.255.255.252
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
!
router rip
network 142.1.0.0
network 179.1.0.0
!
ipv6 router eigrp 2
no shutdown
!
ipv6 router rip 1
!
ip classless
!
ip flow-export version 9
!
no cdp run
!
banner motd ^C
Munich router
^C
!
line con 0
!
line aux 0
!
line vty 0 4
password cisco
no login
line vty 5
password cisco
no login
!
end
