Issues with Access-list on 2911 Router with VPN / remote access

Hi and thanks in advance

 

My 2911 router is running OK!!

But I would like to put some more security on the WAN interface on the inbound side.

But I struggle a little with how to set up the ACL. Every time I assign the ACL to the WAN interface, my connection to the outside (the internet) stops on the inside networks..

- any clues on what I'm doing wrong??

So this is what I would like to achieve:

  1. Only allow (DNS, WWW, IMAP, SMTP & VPN remote access) coming in on the WAN interface..
  2. All networks on the inside will have access to the outside..

How do I make sure that I don't shut down the VPN remote access?

Do I have all the right ports?

- any special things to be aware of??

Here is my setup (ACL + WAN int)

 

access-list 1 permit 192.168.100.0 0.0.0.225
access-list 1 permit 192.168.50.0 0.0.0.255

access-list 150 remark ## WWW - SMTP - IMAP - FTP - DOMAINE - VPN ##
access-list 150 permit udp any any eq domain
access-list 150 permit udp any eq domain any
access-list 150 permit tcp any any eq domain
access-list 150 permit tcp any eq domain any

access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq 8080
access-list 150 permit tcp any any eq 443

access-list 150 permit tcp any any eq 587
access-list 150 permit tcp any any eq 143

access-list 150 permit tcp any any eq ftp-data
access-list 150 permit tcp any any eq ftp

access-list 150 permit udp any any eq rip
access-list 150 permit igmp any any
access-list 150 permit eigrp any any

access-list 150 permit udp any any eq isakmp
access-list 150 permit udp any any eq 1000
access-list 150 permit udp any any eq 10000
access-list 150 permit udp any any eq non500-isakmp
access-list 150 permit udp any any eq 50
access-list 150 permit tcp any any eq 10000

----------------------- zip -----------------------
interface GigabitEthernet0/0
 description ISP WAN (Wide Area Network)
 ip address X.X.X.X 255.255.255.252
 ip access-group 150 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
----------------------- zip -----------------------

Here is my running config

 

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2911
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.154-3.M.bin
boot-end-marker
!
!
! card type command needed for slot/vwic-slot 0/2
no logging console
enable secret 5 XXXX
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network userauthen local
!
!
aaa session-id common
!
memory-size iomem 25
!
no ipv6 cef
no ip source-route
!
ip dhcp excluded-address 192.168.100.1 192.168.100.49
ip dhcp excluded-address 192.168.50.1 192.168.50.49
!
ip dhcp pool VLAN200
 network X.X.X.X  255.255.255.240
 default-router X.X.X.X
 dns-server 8.8.8.8 4.4.4.4
!
ip dhcp pool VLAN100
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 192.168.100.1
!
ip dhcp pool VLAN50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 192.168.50.1
!
!
ip domain name XXXX
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 62.243.0.166
ip name-server 194.192.207.166
ip cef
ip cef accounting non-recursive
!
multilink bundle-name authenticated
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-XXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXX
 certificate self-signed 01
  Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  quit
voice-card 0
!
!
!
!
!
!
!
!
license feature snasw
license udi pid CISCO2911/K9 sn XXXXXXXXX
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
username XXXX password 0 XXX
username XXXX privilege 15 secret 5 XXXX
!
redundancy
!
ip ssh time-out 30
!
crypto isakmp policy 150
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXX
 key XXXX
 dns 208.67.222.222 208.67.220.220
 pool REMOTE-VPN-CLIENTS
crypto isakmp profile XXXX-PROFILE
   match identity group XXXX
   client authentication list userauthen
   isakmp authorization list userauthen
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set XXXX esp-aes 256 esp-sha-hmac
!
crypto ipsec profile XXXX-VTUNNEL-PROFILE
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 86400
 set transform-set XXXX
 set isakmp-profile XXXX-PROFILE
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address x.x.x.x 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 description ISP WAN (Wide Area Network)
 ip address X.X.X.X 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN (Local Area Network)
 ip address pool VLAN100
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description LAN (Local Area Network)
 ip address pool VLAN50
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
!
interface FastEthernet0/1/0
 switchport access vlan 200
 no ip address
!
interface FastEthernet0/1/1
 switchport access vlan 200
 no ip address
!
interface FastEthernet0/1/2
 switchport access vlan 200
 no ip address
!
interface FastEthernet0/1/3
 switchport access vlan 200
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile XXXX-VTUNNEL-PROFILE
!
interface Vlan1
 no ip address
!
interface Vlan50
 description GUEST NETWORK DHCP POOL
 no ip address
 ip helper-address x.x.x.x
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan100
 description INTERNAL NETWORK DHCP POOL
 ip address dhcp
 ip helper-address x.x.x.x
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan200
 description HWIC-4ESW_LAN - SERVER PARK
 ip address x.x.x.x 255.255.255.224
 ip helper-address x.x.x.x
 ip nat inside
 ip virtual-reassembly in
!
!
!
router eigrp 100
 network 80.0.0.0
 network 87.0.0.0
 network 192.168.0.0
!
router ospf 123
 network 80.0.0.0 0.255.255.255 area 0
 network 87.0.0.0 0.255.255.255 area 0
 network 192.0.0.0 0.255.255.255 area 0
!
ip local pool REMOTE-VPN-CLIENTS x.x.x.x. x.x.x.x
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
access-list 1 permit 192.168.100.0 0.0.0.225
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 150 permit udp any any eq domain
access-list 150 permit udp any eq domain any
access-list 150 permit tcp any any eq domain
access-list 150 permit tcp any eq domain any
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq 8080
access-list 150 permit tcp any any eq 443
access-list 150 permit tcp any any eq 587
access-list 150 permit tcp any any eq 143
access-list 150 permit tcp any any eq ftp-data
access-list 150 permit tcp any any eq ftp
access-list 150 permit udp any any eq rip
access-list 150 permit igmp any any
access-list 150 permit eigrp any any
access-list 150 permit udp any any eq isakmp
access-list 150 permit udp any any eq 1000
access-list 150 permit udp any any eq 10000
access-list 150 permit udp any any eq non500-isakmp
access-list 150 permit udp any any eq 50
access-list 150 permit tcp any any eq 10000
!
no cdp run
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
telephony-service
 max-ephones 10
 max-conferences 8 gain -6
 transfer-system full-consult
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
end

VIP Advisor

Hi there,

For the most part you have your ports defined in the wrong part of the ACL. Remember you are placing the ACL INbound, so your section relating to WWW, DOMAIN, etc. will require the known port to be specified as the source port, and the destination port will be an ephemeral port (so best left undefined, i.e. any). So you will have:

!
access-list 150 permit tcp any eq www any
access-list 150 permit tcp any eq 8080 any
access-list 150 permit tcp any eq 443 any
!

Since you are implementing this on a router you should really take the time to implement ZBF which will then handle this return traffic dynamically without you needing to configure it explicitly.

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

 

cheers,

Seb.

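Seb's point about which side of the ACE the known port belongs on, as an added example that is not from the thread or from Cisco: a small Python model of IOS extended-ACL matching, run against constructed packets arriving inbound on Gi0/0 (all addresses are made up; 198.51.100.2 stands in for the NAT outside address). It also shows why he recommends ZBF: the corrected stateless rule admits any packet that merely sources port 443, and IOS's `established` keyword only narrows that for TCP.

```python
from ipaddress import ip_address
# Port names as they appear in the thread's ACL 150
PORTS = {"www": 80, "domain": 53, "isakmp": 500, "non500-isakmp": 4500, "ftp": 21, "ftp-data": 20}

def parse_ace(line):
    """Parse 'permit|deny proto src [eq p] dst [eq p] [established]'; src/dst = 'any' or 'net wildcard'."""
    t = line.split()
    act, proto, t = t[0], t[1], t[2:]
    ends = []
    for _ in range(2):                               # source endpoint, then destination endpoint
        if t[0] == "any":
            net, wc, t = 0, 0xFFFFFFFF, t[1:]
        else:
            net, wc, t = int(ip_address(t[0])), int(ip_address(t[1])), t[2:]
        prt = None
        if t[:1] == ["eq"]:
            prt, t = PORTS.get(t[1]) or int(t[1]), t[2:]
        ends.append((net, wc, prt))
    return act == "permit", proto, ends, "established" in t

def matches(ace, pkt):
    permit, proto, (src, dst), established = ace
    if proto not in ("ip", pkt["proto"]):
        return False
    for (net, wc, prt), ip, p in ((src, pkt["src"], pkt["sport"]), (dst, pkt["dst"], pkt["dport"])):
        if (int(ip_address(ip)) ^ net) & (~wc & 0xFFFFFFFF):   # address bits under wildcard 0 must match
            return False
        if prt is not None and prt != p:
            return False
    return not established or any(f in pkt["flags"] for f in ("ACK", "RST"))

def acl_permits(acl, pkt):
    """First matching ACE decides; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if matches(ace, pkt):
            return ace[0]
    return False

# The OP's rule, Seb's corrected rule, and the corrected rule with IOS's 'established' keyword
OP_RULE = ["permit tcp any any eq 443"]
SEB_RULE = ["permit tcp any eq 443 any"]
EST_RULE = ["permit tcp any eq 443 any established"]
# Constructed: a web server's reply to a LAN client, coming back to the NAT outside address
REPLY = dict(proto="tcp", src="203.0.113.10", sport=443, dst="198.51.100.2", dport=51514, flags="ACK")
# Constructed: an unsolicited SYN whose only credential is a source port of 443 (stateless ACLs cannot tell)
UNSOLICITED = dict(proto="tcp", src="203.0.113.99", sport=443, dst="198.51.100.2", dport=22, flags="SYN")

def outcomes():
    # (reply permitted, unsolicited permitted) per rule: the OP's rule drops both, Seb's admits both
    return {name: (acl_permits(acl, REPLY), acl_permits(acl, UNSOLICITED))
            for name, acl in (("op", OP_RULE), ("seb", SEB_RULE), ("established", EST_RULE))}
```

For the VPN lines the router itself is the server, so there `any any eq isakmp` (known port as destination) is the right form; the model accepts that too.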

Thanks Seb!!!

Your pointers regarding ANY ANY: point taken ;-)

It solved the issue with the inside network having access to the outside (internet). THANKS!!

But now my VPN (remote access) can't access the outside (internet). Any clue??

Will ZBF solve that issue??

I will look into ZBF as soon as possible.

Here is my new ACL:

 

Extended IP access list 111
    10 permit udp any eq domain any (63 matches)
    20 permit tcp any eq domain any
    30 permit tcp any eq www any (51 matches)
    40 permit tcp any eq 8080 any
    50 permit tcp any eq 443 any (4206 matches)
    60 permit tcp any eq 587 any
    70 permit tcp any eq 143 any
    80 permit tcp any eq ftp-data any
    90 permit tcp any eq ftp any
    100 permit tcp any eq 10000 any
    110 permit udp any eq isakmp any (11 matches)
    120 permit udp any eq 10000 any
    130 permit udp any eq 50 any
    140 permit udp any eq non500-isakmp any
    150 permit udp any eq 1000 any
    160 permit udp any eq rip any

Was the remote access VPN working before the ACL change??

 

Assuming you are using a VPN 'full tunnel' then you need to add ip nat inside to your virtual-template 1 and also specify the remote VPN address pool in access-list 1 so that it gets translated.

 

cheers,
Seb.


Thanks a lot Seb ;-)

It was the IP NAT INSIDE on the VIRTUAL-TEMPLATE 1 TYPE TUNNEL that was missing.