10-08-2015 03:45 PM - edited 03-05-2019 02:29 AM
Hi all,
I am currently building an object-group based ACL for use on my Internet-facing router (a Cisco 897VA-K9 running IOS 15.3-3.M5).
I have defined my object-groups and created an ACL entry for them, but it appears traffic which matches the objects in the object-group is still being blocked. I feel like I'm doing something wrong!
Here's my config (cut down to only show relevant sections):
object-group service MerakiPorts
udp eq 7351
udp eq 1812
tcp eq 7734
tcp eq 7752
!
object-group network MerakiServers
host 54.193.207.248
host 64.62.142.12
host 64.62.142.2
185.17.255.128 255.255.255.128
185.92.120.0 255.255.255.128
199.231.78.0 255.255.255.0
50.115.86.96 255.255.255.224
!
object-group service PSNPorts
udp eq 3478
udp eq 3479
udp eq 3658
udp eq 10070
!
!
!
interface Dialer0
ip access-group outside-in in
!
!
!
ip access-list extended outside-in
remark ***INBOUND from Internet***
remark ---General web---
permit tcp any any established
permit udp host 208.67.222.222 eq domain any
permit udp host 8.8.8.8 eq domain any
permit udp any eq ntp any
remark ---PING---
permit icmp any any echo-reply
permit icmp any any traceroute
remark ---PS4---
remark >>>General PSN<<<
permit object-group PSNPorts any any
remark ---Synology---
remark >>>BitTorrent<<<
permit tcp any any eq 51413
permit udp any any eq 51413
remark >>>PlexServer<<<
permit tcp any any eq 32400
remark >>>WakeOnLAN<<<
permit udp any any eq echo
remark ---Meraki management---
permit object-group MerakiPorts object-group MerakiServers any log-input
deny ip any any log-input
...And I'm seeing the following logs:
Oct 8 17:07:15.699: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> <my_ip>(46468), 1 packet
Oct 8 17:07:54.752: %SEC-6-IPACCESSLOGP: list outside-in denied udp 64.62.142.12(7351) (Dialer0 ) -> <my_ip>(45313), 7 packets
Oct 8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> <my_ip>(46750), 7 packets
Oct 8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 50.115.86.110(7351) (Dialer0 ) -> <my_ip>(44254), 50 packets
Oct 8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 54.193.207.248(7351) (Dialer0 ) -> <my_ip>(42183), 8 packets
Any ideas would be greatly appreciated.
Cheers
10-08-2015 09:27 PM
Hi, can you share the
sh object-groups and sh access-list outside-in
just to see what it looks like
thanks
Richard
10-09-2015 12:15 AM
To my knowledge, putting the service object group into the protocol field of the ACE only filters on the destination. But the denied traffic in your log is return-traffic for sessions that are originated in your network.
The easiest would be to handle return traffic by activating a stateful inspection like the following:
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
!
interface dialer 0
 ip inspect FW out
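To make the point in this reply concrete, here is an added example (not code from the thread or from Cisco) that models the single ACE `permit object-group MerakiPorts object-group MerakiServers any` against log lines in the same `%SEC-6-IPACCESSLOGP` shape as the original post. It evaluates the ACE under two readings of a service object-group entry such as `udp eq 7351`: matching the destination port (the IOS behaviour described above) and matching the source port (which is how the entries would behave if written with the `source` keyword, e.g. `udp source eq 7351`; that syntax is an assumption here, check it on your release). The log lines are constructed: `203.0.113.10` stands in for the redacted `<my_ip>`, and `198.51.100.7` is an added non-Meraki source to show that the address check still applies.

```python
"""Model of the thread's Meraki ACE against IPACCESSLOGP log lines.

Added example, not part of the original thread. Only the ACE
  permit object-group MerakiPorts object-group MerakiServers any
is modelled, under two readings of a service object-group entry:
  - "dst": the entry matches the destination port (IOS behaviour as
    described in the thread);
  - "src": the entry matches the source port (assumption: what an
    entry written as 'udp source eq 7351' would do).
"""
import ipaddress
import re

# Object-groups transcribed from the posted configuration.
MERAKI_SERVERS = [ipaddress.ip_network(n) for n in (
    "54.193.207.248/32", "64.62.142.12/32", "64.62.142.2/32",
    "185.17.255.128/25", "185.92.120.0/25", "199.231.78.0/24",
    "50.115.86.96/27",
)]
MERAKI_PORTS = {("udp", 7351), ("udp", 1812), ("tcp", 7734), ("tcp", 7752)}

# Constructed %SEC-6-IPACCESSLOGP lines mirroring the post's log.
# 203.0.113.10 stands in for the redacted <my_ip>; 198.51.100.7 is an
# added non-Meraki source (not in the thread) to exercise the address check.
SAMPLE_LOG = """\
Oct 8 17:07:15.699: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> 203.0.113.10(46468), 1 packet
Oct 8 17:07:54.752: %SEC-6-IPACCESSLOGP: list outside-in denied udp 64.62.142.12(7351) (Dialer0 ) -> 203.0.113.10(45313), 7 packets
Oct 8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 50.115.86.110(7351) (Dialer0 ) -> 203.0.113.10(44254), 50 packets
Oct 8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 198.51.100.7(7351) (Dialer0 ) -> 203.0.113.10(44254), 3 packets
"""

LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \([^)]*\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_log(text):
    """Return one dict per IPACCESSLOGP line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        pkts.append({
            "proto": m["proto"],
            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
        })
    return pkts


def in_network_group(addr, group):
    """True if addr falls inside any entry of a network object-group."""
    return any(addr in net for net in group)


def ace_matches(pkt, port_side):
    """Evaluate: permit object-group MerakiPorts object-group MerakiServers any.

    Source address must be in MerakiServers; destination is 'any'. Which port
    the service group compares against depends on port_side ("src" or "dst").
    """
    if port_side not in ("src", "dst"):
        raise ValueError(f"port_side must be 'src' or 'dst', got {port_side!r}")
    port = pkt["sport"] if port_side == "src" else pkt["dport"]
    return ((pkt["proto"], port) in MERAKI_PORTS
            and in_network_group(pkt["src"], MERAKI_SERVERS))


def evaluate(text, port_side):
    """Map each logged source address to whether the ACE would have permitted it."""
    return {str(p["src"]): ace_matches(p, port_side) for p in parse_log(text)}


if __name__ == "__main__":
    for side in ("dst", "src"):
        print(f"service group compared against {side} port:")
        for src, permitted in evaluate(SAMPLE_LOG, side).items():
            verdict = "permit" if permitted else "deny (falls through to 'deny ip any any')"
            print(f"  {src:16} {verdict}")
```

With the destination-port reading, none of the logged packets match, because the Meraki replies arrive with source port 7351 and an ephemeral destination port, so they fall through to the final `deny ip any any log-input`, which is exactly what the log shows. With the source-port reading the three Meraki sources match and the non-Meraki one still does not. Note that `permit tcp any any established` cannot help here since it only applies to TCP; for UDP return traffic in general, the stateful inspection shown in the reply above is the robust fix rather than enumerating source ports.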
08-03-2017 09:36 AM
This is an old message thread and it might have been solved already in which case I apologize for the late entry.
It appears to me that the permit line is scrambled. Shouldn't it be
permit object-group MerakiServers object-group MerakiPorts any log-input
rather than
permit object-group MerakiPorts object-group MerakiServers any log-input
In other words, IP addresses before ports rather than after?
08-03-2017 03:09 PM
No, the object-group with the services is located correctly where normally the protocol is specified. That is correct.