Dropping Traffic Not Sourced Correctly

nonamer15
Level 1

I'm trying to find a way to drop any traffic that is not sourced correctly. I have a router that has a cellular connection via a carrier (AT&T/Verizon). AT&T isn't picky about incorrectly sourced traffic. However, Verizon is and after so many source IP violations, they will boot the device off their network. I'm looking for a solution that will drop any of this traffic that isn't sourced by the IP of the cellular interface.

 

This router has an IPsec tunnel, so any traffic that is sent out the tunnel interface won't be sourced by the IP of the cellular interface. So I need to ensure that the solution doesn't catch this traffic and change the source IP. It should only catch traffic that is being sent out the cellular interface that isn't sourced by the IP of the cellular interface.

 

Originally, I was thinking an outbound ACL on the cellular interface would suffice. However, outbound ACLs don't apply to locally generated traffic. A lot of these cellular connected routers will only ever send traffic that is locally generated. For these routers, there is an end device connected to it, but everything is NATed between the router and end device. So all traffic is sourced from an IP address of the router (L0).

 

Because the outbound ACL wouldn't work, the only solution that I can find is using a local policy. I've tried implementing this a couple of different ways, but I'm unable to get it to work. Either the policy catches nothing or catches everything. Below is what I think it should look like. 10.252.0.0/15 is the range for cellular IPs.

ip access-list extended non-cell-sourced
 deny ip 10.252.0.0 0.1.255.255 any
 permit ip any any log
!
route-map non-cell-sourced permit 10
 match interface Cellular0
 continue 30
route-map non-cell-sourced deny 20
route-map non-cell-sourced permit 30
 match ip address non-cell-sourced
 set interface Null 0
!
ip local policy route-map non-cell-sourced

 

I could have used a single route-map sequence. However, when I put match ip address and match interface within the same sequence, match ip address is evaluated first. I believe there could be cases where traffic matches the ip address (resulting in a log), but doesn't match the interface and therefore isn't dropped. So I broke the route-map into multiple sequence numbers to avoid this issue.

 

Unfortunately, what I have doesn't work at all. I'm not seeing hits on either ACL line. Given that the router is up and online, traffic is going over the cellular interface, so I should at the least see some hits on the first line. Generating some ICMP traffic sourced from the cellular interface doesn't help either. I've also tested sourcing traffic from a loopback address (L1) that isn't the IP of the cellular interface. After doing that a couple of times, I still see no hits within my ACL. So the policy isn't working and Verizon boots the device due to source IP violations.

 

Below is a full configuration of the router. It's an IR807G-LTE-VZ-K9 running 15.8(3)M2.

version 15.8
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname test
!
boot-start-marker
boot system flash:/ir800l-universalk9-mz.SPA.158-3.M2.bin
boot-end-marker
!
!
logging buffered 500000
enable secret 5 <removed>
!
aaa new-model
!
!
aaa group server tacacs+ tacacs
 server-private 10.92.192.10 key 7 <removed>
 server-private 10.19.192.10 key 7 <removed>
 ip vrf forwarding red
 ip tacacs source-interface Loopback0
!
aaa authentication login default group tacacs local line
aaa authentication enable default group tacacs enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs if-authenticated 
aaa authorization commands 15 default group tacacs if-authenticated 
aaa accounting exec default
 action-type start-stop
 group tacacs
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs
!
aaa accounting network default
 action-type start-stop
 group tacacs
!
aaa accounting connection default
 action-type start-stop
 group tacacs
!
aaa accounting system default
 action-type start-stop
 group tacacs
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!         
!
ip vrf red
!
!
!
!
no ip domain lookup
ip domain name test.com
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
flow record NETFLOW
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow monitor NETFLOW
 description NETFLOW to NetQOS
 cache timeout active 60
 statistics packet protocol
 statistics packet size
 record NETFLOW
!
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL1" TIMEOUT 60 "OK"
license udi pid IR807G-LTE-VZ-K9 sn <removed>
license accept end user agreement
license boot module ir800l level advipservices
!
!
username <removed> password 7 <removed>
!
redundancy
 notification-timer 120000
!
crypto ikev2 proposal IKEV2_PROPOSAL 
 encryption aes-cbc-128
 integrity sha1
 group 5 2
!
crypto ikev2 policy IKEV2_POLICY 
 match fvrf any
 proposal IKEV2_PROPOSAL
!
crypto ikev2 keyring IKEV2_KEY
 peer DMVPN
  address 0.0.0.0 0.0.0.0
  pre-shared-key <removed>
 !
!
!
crypto ikev2 profile IKEV2_PROFILE
 match fvrf any
 match identity remote address 0.0.0.0 
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KEY
 dpd 60 2 on-demand
!
!
!
controller Cellular 0
!
track 1 ip sla 1 reachability
 delay down 125 up 10
!
!
class-map type inspect match-any wan-red
 match access-group name wan-red
class-map type inspect match-all red-wan
 match access-group name red-wan
!
policy-map type inspect wan-red
 class type inspect wan-red
  inspect 
 class class-default
  drop log
policy-map type inspect red-wan
 class type inspect red-wan
  inspect 
 class class-default
  drop log
!
zone security wan
zone security red
zone-pair security red-wan source red destination wan
 service-policy type inspect red-wan
zone-pair security wan-red source wan destination red
 service-policy type inspect wan-red
! 
!
!
crypto ipsec transform-set IPSEC_TS esp-aes 256 esp-sha-hmac 
 mode transport
!
crypto ipsec profile IKEV2_IPSEC
 set transform-set IPSEC_TS 
 set ikev2-profile IKEV2_PROFILE
!
!
!
!
!
!
!
interface Loopback0
 ip vrf forwarding red
 ip address 10.78.15.231 255.255.255.255
 zone-member security red
!
interface Loopback1
 ip address 10.10.10.1 255.255.255.0
!
interface Tunnel50
 ip vrf forwarding red
 ip address 10.78.31.231 255.255.240.0
 no ip redirects
 ip mtu 1400
 ip flow monitor NETFLOW input
 ip flow monitor NETFLOW output
 ip nat outside
 ip nhrp network-id 50780000
 ip nhrp nhs 10.78.31.251 nbma 10.77.159.1 multicast priority 1
 ip nhrp nhs 10.78.31.252 nbma 10.107.103.254 multicast priority 2
 ip nhrp nhs cluster 0 max-connections 1
 ip virtual-reassembly in
 zone-member security wan
 ip tcp adjust-mss 1360
 load-interval 30
 delay 1000
 qos pre-classify
 tunnel source Cellular0
 tunnel mode gre multipoint
 tunnel key 50780000
 tunnel protection ipsec profile IKEV2_IPSEC
!
interface Cellular0
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer watch-group 1
 ipv6 address autoconfig
!
interface Cellular1
 no ip address
 encapsulation slip
!
interface FastEthernet0
 ip vrf forwarding red
 ip address 192.168.100.6 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security red
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address dhcp
 duplex auto
 speed auto
!
interface Async0
 ip vrf forwarding red
 no ip address
 encapsulation raw-tcp
 shutdown
 keepalive 90
!
interface Async1
 ip vrf forwarding red
 no ip address
 encapsulation raw-tcp
 shutdown
 keepalive 90
!
!
router eigrp 1
 !
 address-family ipv4 vrf red autonomous-system 1
  network 10.0.0.0
  passive-interface default
  no passive-interface Tunnel50
 exit-address-family
!
ip local policy route-map non-cell-sourced
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip ftp source-interface Cellular0
ip nat inside source list 1 interface Cellular0 overload
ip nat inside source static tcp 192.168.100.1 1024 10.78.15.231 1024 vrf red extendable
ip nat inside source static tcp 192.168.100.1 1217 10.78.15.231 1217 vrf red extendable
ip nat inside source static tcp 192.168.100.1 5432 10.78.15.231 5432 vrf red extendable
ip nat inside source static tcp 192.168.100.1 21 10.78.15.231 8121 vrf red extendable
ip nat inside source static tcp 192.168.100.1 23 10.78.15.231 8123 vrf red extendable
ip nat inside source static tcp 192.168.100.1 443 10.78.15.231 8143 vrf red extendable
ip nat inside source static tcp 192.168.100.1 80 10.78.15.231 8180 vrf red extendable
ip nat inside source static tcp 192.168.100.2 21 10.78.15.231 8221 vrf red extendable
ip nat inside source static tcp 192.168.100.2 23 10.78.15.231 8223 vrf red extendable
ip nat inside source static tcp 192.168.100.2 443 10.78.15.231 8243 vrf red extendable
ip nat inside source static tcp 192.168.100.2 80 10.78.15.231 8280 vrf red extendable
ip nat inside source static tcp 192.168.100.3 21 10.78.15.231 8321 vrf red extendable
ip nat inside source static tcp 192.168.100.3 23 10.78.15.231 8323 vrf red extendable
ip nat inside source static tcp 192.168.100.3 443 10.78.15.231 8343 vrf red extendable
ip nat inside source static tcp 192.168.100.3 80 10.78.15.231 8380 vrf red extendable
ip nat inside source static tcp 192.168.100.4 21 10.78.15.231 8421 vrf red extendable
ip nat inside source static tcp 192.168.100.4 23 10.78.15.231 8423 vrf red extendable
ip nat inside source static tcp 192.168.100.4 443 10.78.15.231 8443 vrf red extendable
ip nat inside source static tcp 192.168.100.4 80 10.78.15.231 8480 vrf red extendable
ip nat inside source static tcp 192.168.100.5 21 10.78.15.231 8521 vrf red extendable
ip nat inside source static tcp 192.168.100.5 23 10.78.15.231 8523 vrf red extendable
ip nat inside source static tcp 192.168.100.5 443 10.78.15.231 8543 vrf red extendable
ip nat inside source static tcp 192.168.100.5 80 10.78.15.231 8580 vrf red extendable
ip nat inside source static tcp 192.168.100.1 19997 10.78.15.231 19001 vrf red extendable
ip nat inside source static tcp 192.168.100.2 19997 10.78.15.231 19002 vrf red extendable
ip nat inside source static tcp 192.168.100.3 19997 10.78.15.231 19003 vrf red extendable
ip nat inside source static tcp 192.168.100.4 19997 10.78.15.231 19004 vrf red extendable
ip nat inside source static tcp 192.168.100.5 19997 10.78.15.231 19005 vrf red extendable
ip nat inside source static tcp 192.168.100.1 20000 10.78.15.231 20001 vrf red extendable
ip nat inside source static tcp 192.168.100.2 20000 10.78.15.231 20002 vrf red extendable
ip nat inside source static tcp 192.168.100.3 20000 10.78.15.231 20003 vrf red extendable
ip nat inside source static tcp 192.168.100.4 20000 10.78.15.231 20004 vrf red extendable
ip nat inside source static tcp 192.168.100.5 20000 10.78.15.231 20005 vrf red extendable
ip route 0.0.0.0 0.0.0.0 Cellular0
ip ssh version 2
!
ip access-list standard DEFAULT_ONLY
 permit 0.0.0.0
ip access-list standard access-router
 permit 10.0.0.0 0.255.255.255
ip access-list standard snmp-ro
 permit 10.120.200.245
 permit 10.141.0.238
 permit 10.130.200.240
 permit 10.19.0.245
 permit 10.19.99.0 0.0.0.255
 permit 10.92.99.0 0.0.0.255
 permit 10.92.196.0 0.0.3.255
 permit 10.120.99.0 0.0.0.255
 permit 10.120.196.0 0.0.3.255
ip access-list standard snmp-rw
 permit 10.92.99.51
 permit 10.92.99.50
 permit 10.120.99.50
 permit 10.92.99.11
 permit 10.92.99.10
 permit 10.19.99.50
!
ip access-list extended red-wan
 permit icmp any any echo
 permit icmp any any echo-reply
 deny   ip any any
ip access-list extended wan-red
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any
ip access-list extended non-cell-sourced
 deny   ip 10.252.0.0 0.1.255.255 any
 permit ip any any log
!
ip sla auto discovery
ip sla 1
 icmp-echo 10.48.16.254 source-interface Loopback0
 request-data-size 5
 vrf red
ip sla schedule 1 life forever start-time after 00:30:00
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
route-map non-cell-sourced permit 10
 match interface Cellular0
 continue 30
!
route-map non-cell-sourced deny 20
!
route-map non-cell-sourced permit 30
 match ip address non-cell-sourced
 set interface Null0
!
snmp-server community <removed> RO snmp-ro
snmp-server community <removed> RW snmp-rw
snmp-server trap-source Loopback0
!
!
!
!
control-plane
!
!
alias exec br show ip interface brief
alias exec co config terminal
alias exec sal show access-list
alias exec scn show cdp neighbor
alias exec shpi show policy-map interface
alias exec sie show ip eigrp neighbor
alias exec smi show mac-add | include
alias exec sr show running
alias exec srb show run | begin
alias exec sri show run | include
!
line con 0
line 2
 no activation-character
 no exec
 transport preferred none
 stopbits 1
line 3
 script dialer lte
 no exec
 transport preferred none
 transport output none
 rxspeed 150000000
 txspeed 50000000
line 4
 raw-socket tcp keepalive 90
 raw-socket tcp server 20000
 raw-socket packet-timer 100
 raw-socket packet-length 292
 raw-socket tcp idle-timeout 420
 stopbits 1
line 5
 raw-socket tcp keepalive 90
 raw-socket tcp server 8023
 raw-socket tcp idle-timeout 420
 stopbits 1
 speed 57600
line 8
 no exec
 rxspeed 150000000
 txspeed 50000000
line vty 0 4
 session-timeout 90 
 access-class access-router in vrf-also
 transport input ssh
line vty 5 6
 session-timeout 90 
 access-class access-router in vrf-also
 transport input ssh
line vty 7 15
 access-class access-router in vrf-also
 transport input none
!         
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.48.0.200

 

Any help is appreciated. Thanks.

 


Hello,

 

you need to make sure that ALL traffic is either going through the Cellular interface via NAT/PAT, or through the tunnel:

 

This is an excerpt from the document linked below:

 

--> All packets leaving the ISR through the LTE interface must be sent through Port Address Translation (PAT) or
VPN. If any packets are sent over LTE with the source IP address other than the LTE interface IP address, the
LTE connection will be disconnected (IP address violation). Because the ISR will immediately attempt to
reconnect, a flapping condition will occur and continue.

 

You are referencing access list 1 in the NAT configuration, but there is no access list 1 configured. 

 

ip nat inside source list 1 interface Cellular0 overload

 

Try and add:

 

access-list 1 permit 192.168.100.0 0.0.0.7

 

I am not sure if that is all the traffic in your LAN, as it only allows for 6 hosts?

 

https://www.cisco.com/c/dam/en/us/products/collateral/interfaces-modules/4g-lte-wireless-wan-enhanced-high-speed-wan-interface-card/guide_c07-720267.pdf

Thanks for the response. I think the command ip nat inside source list 1 interface Cellular0 overload is erroneous and likely left over from some testing. I wasn't trying to use that, only ip local policy. For this particular router, there are only 5 hosts where traffic is statically NATed (192.168.100.1-192.168.100.5). All that traffic is being NATed correctly. What I was trying to do was come up with a local policy that would simply drop any traffic not sourced correctly.

 

While I could NAT this traffic, I would prefer to drop and log it. Odds are, if it's sourced incorrectly, it's either bad traffic or some type of misconfiguration, so I wouldn't really want to allow this traffic and let it be sent out the cellular interface.

 

Is there any way to make this work with ip local policy? If not, I have no issue with doing it via NAT, but again, I'd want to drop and log this traffic, not let it be successfully NATed and sent out the cellular interface. So for instance, if I try the below.

interface Cellular0
ip nat outside
!
ip access-list extended non-cell-sourced
permit ip 10.252.0.0 0.1.255.255 any
deny ip any any log
!
ip nat inside source list non-cell-sourced interface Cellular0 overload

 

This doesn't seem to work. When I source a ping from L1 (a loopback I created strictly for testing traffic not sourced by the cellular interface), it doesn't work. This ICMP traffic is still sent out the cellular interface and Verizon drops the router. It seems the deny doesn't drop the traffic and also prevents that traffic from being NATed.

 

So to get this to work with NAT and drop the traffic, I'm guessing I'll need to use a route map instead of an ACL. Below is what I'm trying.

interface Cellular0
 ip nat outside
!
ip access-list extended non-cell-sourced
 deny ip 10.252.0.0 0.1.255.255 any
 permit ip any any log
!
route-map non-cell-sourced permit 10
 match interface Cellular0
 continue 30
route-map non-cell-sourced deny 20
route-map non-cell-sourced permit 30
 match ip address non-cell-sourced
 set interface Null 0
!
ip nat inside source route-map non-cell-sourced interface Cellular0 overload

 

This seems to correctly NAT from L1 sourced traffic. However, I don't want this traffic to be sent out. I want it to be dropped, but it's not. Strangely, I also have no hits on either of my ACL statements almost as if it never gets to sequence 30 of the route-map.

Hello,

 

the 'log' keyword in your NAT access list effectively disables NAT, so you cannot use that.

 

Static NAT takes precedence over NAT overloading, so what if you just define access list 1 as:

 

access-list 1 deny 192.168.100.0 0.0.0.7

Please ignore the static NAT configuration. It is working the way it should and there are no issues with it. Please pretend it doesn't exist.

 

I don't understand this:

the 'log' keyword in your NAT access list effectively disables NAT, so you cannot use that.

 

This is not true. For instance, let's say I configure the below.

interface Cellular0
 ip nat outside
!
ip access-list extended non-cell-sourced
 deny   ip 10.252.0.0 0.1.255.255 any
 permit ip any any log
!
route-map non-cell-sourced permit 10
 match ip address non-cell-sourced
 match interface Cellular0
 set interface Null0
!
ip nat inside source route-map non-cell-sourced interface Cellular0 overload

 

This will NAT traffic even though my ACL includes the log keyword. See below.

test#ping 10.97.252.35 source l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.97.252.35, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/50/56 ms
test#sh ip nat trans
Pro Inside global         Inside local          Outside local         Outside global
icmp 10.253.8.227:192     10.10.10.1:192        10.97.252.35:192      10.97.252.35:192
Oct 13 16:39:44.544: %SEC-6-IPACCESSLOGDP: list non-cell-sourced permitted icmp 10.10.10.1 -> 10.97.252.35 (0/0), 1 packe

 

As you can see, I sourced ICMP from L1. NAT successfully translated that to the IP address of the cellular interface, even though the ACL includes the log keyword. You can also see that log echoed to the output of the router. So I'm not sure why you're saying log would disable NAT as that isn't the case.

 

Just to reiterate what I'm wanting to accomplish. The static NAT in place is working correctly and shouldn't be touched. What I'm wanting is to inspect any traffic that is leaving the cellular interface. If the source IP of the packet is not within 10.252.0.0/15 (the subnet for cellular IPs), that traffic should be logged, and then dropped. Right now, I'm not concerned with how that is accomplished, whether it's with NAT or a local policy. If we are doing NAT, I want the traffic to be dropped, though.

 

To test whether the solution works, I've created L1 on this router. Then, I attempt to source ICMP traffic and see if it's handled correctly. So if you look at the configuration I provided within this message, that solution works to NAT the traffic. However, it's not being dropped. Even though I've got set interface Null0 within the route map, it's like NAT overrides that and still sends it out of the cellular interface. Strictly looking at the configuration provided in this message, how do I modify it to get the desired results? If this isn't the way to go, what other solution would accomplish this?

Hello,
You are on the right track. Try using an access-list pertaining to your local interface addressing instead of matching on the specific interface. Although this should work, it will blackhole the related networks from going anywhere, so you may possibly be better off instead with an additional security policy denying this traffic on the ZBFW.


Example of your route map
no route-map non-cell-sourced
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.78.16.0 0.0.15.255

route-map non-cell-sourced 
match ip address 10
set interface Null 0
exit
ip local policy route-map non-cell-sourced


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for the response, Paul. However, this solution won't work. Once I implemented it, it breaks the tunnel. I can't reach the Tunnel50 IP via ICMP, EIGRP adjacency goes down, and I'm no longer receiving any routes in the red VRF.

<Default route is gone>

test#sh ip route vrf red

Routing Table: red
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.78.15.231/32 is directly connected, Loopback0
C        10.78.16.0/20 is directly connected, Tunnel50
L        10.78.31.231/32 is directly connected, Tunnel50
      192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.100.0/29 is directly connected, FastEthernet0
L        192.168.100.6/32 is directly connected, FastEthernet0

<EIGRP adjacency is down>
Oct 13 18:05:58.287: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.78.31.251 (Tunnel50) is down: retry limit exceeded



<No longer able to reach Tunnel50>
Reply from 10.78.31.231: bytes=32 time=96ms TTL=251
Reply from 10.78.31.231: bytes=32 time=70ms TTL=251
Request timed out.
Request timed out.
Request timed out.

 

It's important to match on only the cellular interface. Any traffic going out Tunnel50, we don't want to touch. If that traffic is black holed, the tunnel can't build anymore.

 

Why doesn't the below work?

ip access-list extended non-cell-sourced
 deny ip 10.252.0.0 0.1.255.255 any
 permit ip any any log
!
route-map non-cell-sourced permit 10
 match interface Cellular0
 continue 30
route-map non-cell-sourced deny 20
route-map non-cell-sourced permit 30
 match ip address non-cell-sourced
 set interface Null 0
!
ip local policy route-map non-cell-sourced

 

If this worked the way I had hoped, it would first match traffic going out the cellular interface. If a match is found, then it would hit the ACL. If the source IP was anything but 10.252.0.0/15 (the range for our cellular IPs), it would black hole the traffic. I don't understand why this doesn't work, though.

Hello,
That is correct. As I said, it will blackhole all to the null interface, so if anything was relying on those networks then it would fail. So instead of PBR to the null, PBR what you would like over the tunnel instead. You may then have asymmetric routing unless you advertise those same networks in the EIGRP process, which it looks like the tunnel is using, but it should work accordingly.

route-map non-cell-sourced 
match ip address 10
set ip next-hop 10.78.31.x  <---tunnel next hop)

Lastly, I would suggest being as specific as possible in the EIGRP stanza, so instead of 10.0.0.0, use the host address of the interfaces in EIGRP.

router eigrp 1
address-family ipv4 vrf red autonomous-system 1
network 10.78.15.231 0.0.0.0
no network 10.0.0.0

 

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

 

since you are using the zone based firewall, you could also just drop all traffic from the self to the wan (outside) zone, except for EIGRP, SSH, and Telnet:

 

ip access-list extended SELF_TO_OUT_ACL
 permit tcp any any eq 22
 permit tcp any any eq 23
 permit eigrp any any
!
class-map type inspect match-any SELF_TO_OUT_CM
 match access-group name SELF_TO_OUT_ACL
!
policy-map type inspect Self_To_Out_PM
 class type inspect SELF_TO_OUT_CM
  pass
 class class-default
  drop log
!
zone-pair security Self_To_Out_ZP source self destination wan
 service-policy type inspect Self_To_Out_PM

Thanks Georg. Not sure why it never occurred to me to use the ZBF, especially since it was already in place.

 

I don't believe the ACL you provided would work given it wouldn't allow the IPSEC tunnel to build. EIGRP only occurs within the tunnel, not outside. It also would allow traffic to leave the cellular interface that wasn't sourced by the cellular interface, which is mainly what I was trying to prevent. Below is what I originally ended up using and meets the requirements of preventing traffic from leaving the cellular interface that isn't sourced by the cellular interface.

ip access-list extended self-wan
 permit ip 10.252.0.0 0.1.255.255 any
 deny ip any any
!
ip access-list extended wan-self
 permit ip any any
!
class-map type inspect match-any self-wan
 match access-group name self-wan
class-map type inspect match-any wan-self
 match access-group name wan-self
!
policy-map type inspect self-wan
 class type inspect self-wan
  pass 
 class class-default
  drop log
policy-map type inspect wan-self
 class type inspect wan-self
  pass 
 class class-default
  drop log
!
zone security wan
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self-wan
zone-pair security wan-self source wan destination self
 service-policy type inspect wan-self

interface Cellular0
 zone-member security wan

 

Given that there is very little unique traffic that should traverse the cellular interface as most of the traffic should be through the IPSEC tunnel, I ended up updating the original ACLs to be more specific. Unfortunately, there's a limitation when using the self zone as it doesn't allow for stateful inspection, so when being specific, it's important to allow the traffic in both directions.
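As an added illustration (not from the thread or from Cisco), a Python model of how the self-wan policy above classifies a locally generated packet: the ACL text is the one posted in the thread, the wildcard-mask test is the general IOS rule (a 1 bit in the mask means "don't care"), and the sample source addresses are ones that appear earlier in the thread. The class and helper names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the self->wan zone-pair policy from the thread. The ACL text
# is the one posted above; packet samples reuse addresses seen earlier in the thread.
# Names below are this example's, not IOS commands.

SELF_WAN_ACL = """
ip access-list extended self-wan
 permit ip 10.252.0.0 0.1.255.255 any
 deny ip any any
"""

@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src: int           # source address as a 32-bit int
    src_wild: int      # IOS wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int
    log: bool

def _addr(token):
    return int(ipaddress.IPv4Address(token))

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse the 'permit|deny ip <src> <dst> [log]' lines of an extended ACL."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # skip the header line, '!' separators and non-IP entries
        src, src_wild, rest = _take_addr(tokens[2:])
        dst, dst_wild, rest = _take_addr(rest)
        entries.append(AclEntry(tokens[0], src, src_wild, dst, dst_wild, "log" in rest))
    return entries

def wildcard_match(value, base, wild):
    """Only the bits where the wildcard is 0 must agree (0.1.255.255 covers a /15)."""
    care = ~wild & 0xFFFFFFFF
    return (value & care) == (base & care)

def acl_permits(entries, src_ip, dst_ip):
    """First matching entry wins; no match falls into the implicit 'deny ip any any'."""
    src, dst = _addr(src_ip), _addr(dst_ip)
    for e in entries:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False

def self_to_wan_verdict(src_ip, dst_ip, entries=parse_acl(SELF_WAN_ACL)):
    """Mirror the policy-map: class self-wan (ACL permit) -> pass, else class-default -> drop log."""
    return "pass" if acl_permits(entries, src_ip, dst_ip) else "drop log"

def wildcard_to_prefixlen(wild_ip):
    """Prefix length of a contiguous wildcard mask; None if the mask is non-contiguous."""
    care = ~_addr(wild_ip) & 0xFFFFFFFF
    ones = bin(care).count("1")
    return ones if care == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF) else None

if __name__ == "__main__":
    # Constructed samples: the cellular inside-global address from the thread's
    # 'sh ip nat trans' output, the L1 test loopback, and Loopback0.
    for src in ("10.253.8.227", "10.10.10.1", "10.78.15.231"):
        print(src, "->", self_to_wan_verdict(src, "10.97.252.35"))
    print("0.1.255.255 is a /%s" % wildcard_to_prefixlen("0.1.255.255"))
```

Only the cellular-sourced packet passes; the L1 and Loopback0 sources land in class-default and would be logged and dropped, which is the behaviour the thread set out to get.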
