07-11-2019 02:36 AM
Hi and thanks in advance
My 2911 router is running OK!
But I would like to put some more security on the WAN interface on the inbound side.
But I struggle a little with how to set up the ACL. Every time I assign the ACL to the WAN interface, my connection to the outside (the internet) stops on the inside networks.
Any clues on what I'm doing wrong?
So this is what I would like to achieve:
How do I make sure that I don't shut down the VPN remote access?
Have I got all the right ports?
Any special things to be aware of?
Here is my setup (ACL + WAN interface):
access-list 1 permit 192.168.100.0 0.0.0.225
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 150 remark ## WWW - SMTP - IMAP - FTP - DOMAINE - VPN ##
access-list 150 permit udp any any eq domain
access-list 150 permit udp any eq domain any
access-list 150 permit tcp any any eq domain
access-list 150 permit tcp any eq domain any
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq 8080
access-list 150 permit tcp any any eq 443
access-list 150 permit tcp any any eq 587
access-list 150 permit tcp any any eq 143
access-list 150 permit tcp any any eq ftp-data
access-list 150 permit tcp any any eq ftp
access-list 150 permit udp any any eq rip
access-list 150 permit igmp any any
access-list 150 permit eigrp any any
access-list 150 permit udp any any eq isakmp
access-list 150 permit udp any any eq 1000
access-list 150 permit udp any any eq 10000
access-list 150 permit udp any any eq non500-isakmp
access-list 150 permit udp any any eq 50
access-list 150 permit tcp any any eq 10000
----------------------- zip -----------------------
interface GigabitEthernet0/0
description ISP WAN (Wide Area Network)
ip address X.X.X.X 255.255.255.252
ip access-group 150 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
----------------------- zip -----------------------
Here is my running config
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2911
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.154-3.M.bin
boot-end-marker
!
!
! card type command needed for slot/vwic-slot 0/2
no logging console
enable secret 5 XXXX
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network userauthen local
!
!
aaa session-id common
!
memory-size iomem 25
!
no ipv6 cef
no ip source-route
!
ip dhcp excluded-address 192.168.100.1 192.168.100.49
ip dhcp excluded-address 192.168.50.1 192.168.50.49
!
ip dhcp pool VLAN200
network X.X.X.X 255.255.255.240
default-router X.X.X.X
dns-server 8.8.8.8 4.4.4.4
!
ip dhcp pool VLAN100
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 192.168.100.1
!
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 192.168.50.1
!
!
ip domain name XXXX
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 62.243.0.166
ip name-server 194.192.207.166
ip cef
ip cef accounting non-recursive
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-XXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXX
revocation-check none
rsakeypair TP-self-signed-XXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXX
certificate self-signed 01
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
voice-card 0
!
!
!
!
!
!
!
!
license feature snasw
license udi pid CISCO2911/K9 sn XXXXXXXXX
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
username XXXX password 0 XXX
username XXXX privilege 15 secret 5 XXXX
!
redundancy
!
ip ssh time-out 30
!
crypto isakmp policy 150
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXX
key XXXX
dns 208.67.222.222 208.67.220.220
pool REMOTE-VPN-CLIENTS
crypto isakmp profile XXXX-PROFILE
match identity group XXXX
client authentication list userauthen
isakmp authorization list userauthen
client configuration address initiate
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set XXXX esp-aes 256 esp-sha-hmac
!
crypto ipsec profile XXXX-VTUNNEL-PROFILE
set security-association lifetime kilobytes disable
set security-association lifetime seconds 86400
set transform-set XXXX
set isakmp-profile XXXX-PROFILE
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address x.x.x.x 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
description ISP WAN (Wide Area Network)
ip address X.X.X.X 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN (Local Area Network)
ip address pool VLAN100
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN (Local Area Network)
ip address pool VLAN50
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
!
interface FastEthernet0/1/0
switchport access vlan 200
no ip address
!
interface FastEthernet0/1/1
switchport access vlan 200
no ip address
!
interface FastEthernet0/1/2
switchport access vlan 200
no ip address
!
interface FastEthernet0/1/3
switchport access vlan 200
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile XXXX-VTUNNEL-PROFILE
!
interface Vlan1
no ip address
!
interface Vlan50
description GUEST NETWORK DHCP POOL
no ip address
ip helper-address x.x.x.x
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
description INTERNAL NETWORK DHCP POOL
ip address dhcp
ip helper-address x.x.x.x
ip nat inside
ip virtual-reassembly in
!
interface Vlan200
description HWIC-4ESW_LAN - SERVER PARK
ip address x.x.x.x 255.255.255.224
ip helper-address x.x.x.x
ip nat inside
ip virtual-reassembly in
!
!
!
router eigrp 100
network 80.0.0.0
network 87.0.0.0
network 192.168.0.0
!
router ospf 123
network 80.0.0.0 0.255.255.255 area 0
network 87.0.0.0 0.255.255.255 area 0
network 192.0.0.0 0.255.255.255 area 0
!
ip local pool REMOTE-VPN-CLIENTS x.x.x.x x.x.x.x
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
access-list 1 permit 192.168.100.0 0.0.0.225
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 150 permit udp any any eq domain
access-list 150 permit udp any eq domain any
access-list 150 permit tcp any any eq domain
access-list 150 permit tcp any eq domain any
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq 8080
access-list 150 permit tcp any any eq 443
access-list 150 permit tcp any any eq 587
access-list 150 permit tcp any any eq 143
access-list 150 permit tcp any any eq ftp-data
access-list 150 permit tcp any any eq ftp
access-list 150 permit udp any any eq rip
access-list 150 permit igmp any any
access-list 150 permit eigrp any any
access-list 150 permit udp any any eq isakmp
access-list 150 permit udp any any eq 1000
access-list 150 permit udp any any eq 10000
access-list 150 permit udp any any eq non500-isakmp
access-list 150 permit udp any any eq 50
access-list 150 permit tcp any any eq 10000
!
no cdp run
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
telephony-service
max-ephones 10
max-conferences 8 gain -6
transfer-system full-consult
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
end
07-11-2019 02:51 AM
Hi there,
For the most part you have your ports defined in the wrong part of the ACL. Remember you are placing the ACL INbound, so your section relating to WWW, DOMAIN, etc. will require the known port to be specified as the source port, and the destination port will be an ephemeral port (so best left undefined, i.e. any). So you will have:
!
access-list 150 permit tcp any eq www any
access-list 150 permit tcp any eq 8080 any
access-list 150 permit tcp any eq 443 any
!
Since you are implementing this on a router you should really take the time to implement ZBF which will then handle this return traffic dynamically without you needing to configure it explicitly.
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
cheers,
Seb.
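The zone-based firewall Seb recommends, written out for the interfaces in the posted config. This is an added example, not configuration from the thread or from Cisco's guide; zone, class-map and policy-map names are assumed, and the optional WAN-to-self restriction is my addition. The point it shows is that an inspect policy tracks outbound sessions and admits the replies itself, so the inbound ACL with its source-port guessing can be removed. One correction worth carrying over from the original ACL: ESP is IP protocol 50 and is matched with permit esp, not with udp eq 50.

```cisco
! ---- Zones: one per trust level. Gi0/1, Gi0/2 and Vlan200 share LAN,
! ---- so traffic between them is not inspected (same-zone traffic passes).
zone security LAN
zone security WAN
zone security VPN
!
! ---- Outbound from LAN/VPN: inspect TCP/UDP/ICMP so return traffic is
! ---- admitted by the session table, not by a source-port guess in an ACL.
class-map type inspect match-any CM-OUTBOUND
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-OUTBOUND
 class type inspect CM-OUTBOUND
  inspect
 class class-default
  drop log
!
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect PM-OUTBOUND
zone-pair security VPN-TO-WAN source VPN destination WAN
 service-policy type inspect PM-OUTBOUND
zone-pair security VPN-TO-LAN source VPN destination LAN
 service-policy type inspect PM-OUTBOUND
! No WAN-to-LAN or WAN-to-VPN pair is defined: unsolicited inbound is dropped.
!
! ---- Traffic to the router itself (self zone) is permitted by default.
! ---- Restricting it is optional; this pair keeps only what the VPN and
! ---- SSH management need. ESP is IP protocol 50, not a UDP port.
ip access-list extended ACL-WAN-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit tcp any any eq 22
 permit icmp any any echo
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
class-map type inspect match-all CM-WAN-TO-SELF
 match access-group name ACL-WAN-TO-SELF
!
policy-map type inspect PM-WAN-TO-SELF
 class type inspect CM-WAN-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security WAN-TO-SELF source WAN destination self
 service-policy type inspect PM-WAN-TO-SELF
!
! ---- Interface membership. Remove the stateless ACL from the WAN side;
! ---- the Virtual-Template membership is inherited by each Virtual-Access
! ---- interface cloned for a connected VPN client.
interface GigabitEthernet0/0
 no ip access-group 150 in
 zone-member security WAN
!
interface GigabitEthernet0/1
 zone-member security LAN
interface GigabitEthernet0/2
 zone-member security LAN
interface Vlan200
 zone-member security LAN
!
interface Virtual-Template1 type tunnel
 zone-member security VPN
```

Two caveats. The WAN-to-self policy uses pass, which is stateless and one-directional; the router's own replies (ISAKMP, ESP, SSH) still leave because no self-to-WAN zone-pair is defined and the self zone is permitted by default in that direction. Apply it last and from a console or LAN session, not over the WAN, in case the SSH line is wrong for your setup. Verify with show zone-pair security and show policy-map type inspect zone-pair sessions, which should list the LAN-to-WAN flows as they are created.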
07-11-2019 03:24 AM
Thanks Seb!!!
Your pointers regarding ANY ANY: point taken ;-)
It solved the issue about the inside network having access to the outside (internet). THANKS!!
But now my VPN (remote access) can't access the outside (internet). Any clue??
Will ZBF solve that issue?
I will look into ZBF as soon as possible.
Here is my new ACL:
Extended IP access list 111
10 permit udp any eq domain any (63 matches)
20 permit tcp any eq domain any
30 permit tcp any eq www any (51 matches)
40 permit tcp any eq 8080 any
50 permit tcp any eq 443 any (4206 matches)
60 permit tcp any eq 587 any
70 permit tcp any eq 143 any
80 permit tcp any eq ftp-data any
90 permit tcp any eq ftp any
100 permit tcp any eq 10000 any
110 permit udp any eq isakmp any (11 matches)
120 permit udp any eq 10000 any
130 permit udp any eq 50 any
140 permit udp any eq non500-isakmp any
150 permit udp any eq 1000 any
160 permit udp any eq rip any
07-11-2019 03:51 AM
Was the remote access VPN working before the ACL change??
Assuming you are using a VPN 'full tunnel' then you need to add ip nat inside to your virtual-template 1 and also specify the remote VPN address pool in access-list 1 so that it gets translated.
cheers,
Seb.
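The full-tunnel NAT fix from the reply above, as an added example rather than configuration taken from the thread. The client pool range is assumed (the original post redacts it as x.x.x.x); everything else reuses names from the posted running config.

```cisco
! Assumed client pool; the original post redacts the real range as x.x.x.x
ip local pool REMOTE-VPN-CLIENTS 192.168.250.10 192.168.250.100
!
! Decrypted client traffic arrives on the Virtual-Access interfaces cloned
! from this template, so this is where "ip nat inside" has to live. Without
! it the packets are routed out Gi0/0 untranslated and no reply comes back.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile XXXX-VTUNNEL-PROFILE
!
! The NAT source list must also cover the pool, otherwise "ip nat inside"
! on the interface matches nothing for these clients.
access-list 1 permit 192.168.250.0 0.0.0.255
!
! Verification with a client connected and browsing: the pool address
! should appear as Inside local and the WAN address as Inside global.
! show crypto session
! show ip nat translations | include 192.168.250
```

Two things to check while in there. The first access-list 1 line in the posted config uses the wildcard 0.0.0.225, which is not a contiguous mask and silently excludes part of 192.168.100.0/24; 0.0.0.255 is presumably what was intended. And if the inbound ACL on Gi0/0 is kept rather than replaced by ZBF, the NATed client traffic is subject to the same return-traffic rule as the LAN: the known port must be the source port.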
07-11-2019 04:27 AM - edited 07-11-2019 04:27 AM
Thanks a lot Seb ;-)
It was the IP NAT INSIDE on the VIRTUAL-TEMPLATE 1 TYPE TUNNEL that was missing.