10-08-2015 03:45 PM - edited 03-05-2019 02:29 AM
Hi all,
I am currently building an object-group based ACL for use on my Internet-facing router (a Cisco 897VA-K9 running IOS 15.3-3.M5).
I have defined my object-groups and created an ACL entry for them, but it appears traffic which matches the objects in the object-group is still being blocked. I feel like I'm doing something wrong!
Here's my config (cut down to only show relevant sections):
object-group service MerakiPorts
udp eq 7351
udp eq 1812
tcp eq 7734
tcp eq 7752
!
object-group network MerakiServers
host 54.193.207.248
host 64.62.142.12
host 64.62.142.2
185.17.255.128 255.255.255.128
185.92.120.0 255.255.255.128
199.231.78.0 255.255.255.0
50.115.86.96 255.255.255.224
!
object-group service PSNPorts
udp eq 3478
udp eq 3479
udp eq 3658
udp eq 10070
!
!
!
interface Dialer0
ip access-group outside-in in
!
!
!
ip access-list extended outside-in
remark ***INBOUND from Internet***
remark ---General web---
permit tcp any any established
permit udp host 208.67.222.222 eq domain any
permit udp host 8.8.8.8 eq domain any
permit udp any eq ntp any
remark ---PING---
permit icmp any any echo-reply
permit icmp any any traceroute
remark ---PS4---
remark >>>General PSN<<<
permit object-group PSNPorts any any
remark ---Synology---
remark >>>BitTorrent<<<
permit tcp any any eq 51413
permit udp any any eq 51413
remark >>>PlexServer<<<
permit tcp any any eq 32400
remark >>>WakeOnLAN<<<
permit udp any any eq echo
remark ---Meraki management---
permit object-group MerakiPorts object-group MerakiServers any log-input
deny ip any any log-input
...And I'm seeing the following logs:
Oct 8 17:07:15.699: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> <my_ip>(46468), 1 packet
Oct 8 17:07:54.752: %SEC-6-IPACCESSLOGP: list outside-in denied udp 64.62.142.12(7351) (Dialer0 ) -> <my_ip>(45313), 7 packets
Oct 8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> <my_ip>(46750), 7 packets
Oct 8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 50.115.86.110(7351) (Dialer0 ) -> <my_ip>(44254), 50 packets
Oct 8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 54.193.207.248(7351) (Dialer0 ) -> <my_ip>(42183), 8 packets
Any ideas would be greatly appreciated.
Cheers
10-08-2015 09:27 PM
Hi, can you share the
sh object-groups and sh access-list outside-in
just to see what it looks like
thanks
Richard
10-09-2015 12:15 AM
To my knowledge, putting the service object-group into the protocol field of the ACE only filters on the destination. But the denied traffic in your log is return traffic for sessions that are originated in your network.
The easiest would be to handle return traffic by activating a stateful inspection like the following:
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
!
interface dialer 0
 ip inspect FW out
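Added example (not from the thread or from Cisco): a small Python model of the point above, running two of the logged packets through the static ACE (service group compared against the destination port only, as the reply states) and through a return-traffic check that approximates what `ip inspect` lets back in. Assumptions: the destination-only matching semantics, and 203.0.113.10 as a placeholder for `<my_ip>`.

```python
import ipaddress
import re

# Object-groups transcribed from the original post.
MERAKI_PORTS = {("udp", 7351), ("udp", 1812), ("tcp", 7734), ("tcp", 7752)}
MERAKI_SERVERS = ["54.193.207.248/32", "64.62.142.12/32", "64.62.142.2/32",
                  "185.17.255.128/25", "185.92.120.0/25", "199.231.78.0/24",
                  "50.115.86.96/27"]

# Two denied-packet log lines from the post; <my_ip> is replaced with a
# constructed RFC 5737 documentation address so the line parses.
LOG = """\
Oct 8 17:07:15.699: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> 203.0.113.10(46468), 1 packet
Oct 8 17:07:54.752: %SEC-6-IPACCESSLOGP: list outside-in denied udp 64.62.142.12(7351) (Dialer0 ) -> 203.0.113.10(45313), 7 packets
"""
LOG_RE = re.compile(r"denied (\w+) ([\d.]+)\((\d+)\) \([^)]*\) -> ([\d.]+)\((\d+)\)")

def parse_log(text):
    """Return (proto, src, sport, dst, dport) for each %SEC-6-IPACCESSLOGP line."""
    return [(m[1], m[2], int(m[3]), m[4], int(m[5])) for m in LOG_RE.finditer(text)]

def in_group(ip, network_group):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in network_group)

def ace_matches(pkt, ports, sources):
    """'permit object-group <ports> object-group <sources> any': the service
    group in the protocol field is compared with the DESTINATION port only
    (assumed semantics, per the reply above)."""
    proto, src, _sport, _dst, dport = pkt
    return (proto, dport) in ports and in_group(src, sources)

def is_return_traffic(pkt, ports, sources):
    """Reply half of a session the LAN opened: the service port is the SOURCE
    port. This is what a stateful inspector admits without a static ACE."""
    proto, src, sport, _dst, _dport = pkt
    return (proto, sport) in ports and in_group(src, sources)

def evaluate(text):
    """For each logged packet: (src, matches the static ACE?, is return traffic?)."""
    return [(p[1], ace_matches(p, MERAKI_PORTS, MERAKI_SERVERS),
             is_return_traffic(p, MERAKI_PORTS, MERAKI_SERVERS))
            for p in parse_log(text)]

if __name__ == "__main__":
    for src, static, ret in evaluate(LOG):
        print(f"{src}: static ACE match={static}, return traffic={ret}")
```

Both logged packets come from addresses inside MerakiServers, but their destination port is an ephemeral port, so the static ACE never matches; only the return-traffic view does.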
08-03-2017 09:36 AM
This is an old message thread and it might have been solved already in which case I apologize for the late entry.
It appears to me that the permit line is scrambled. Shouldn't it be
permit object-group MerakiServers object-group MerakiPorts any log-input
rather than
permit object-group MerakiPorts object-group MerakiServers any log-input
In other words, IP addresses before ports rather than after?
08-03-2017 03:09 PM
No, the object-group with the services is located correctly where normally the protocol is specified. That is correct.