Solved: Question: ACLs on Cisco 881

Joerg - · ‎02-02-2017

Good morning everyone,

I have a question regarding ACLs on a Cisco 881.

In order to set ACLs on my inbound interface (Dialer 1) I wrote a set of access rules

access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit object-group services-in any any
access-list 111 permit object-group vpn-in any any
access-list 111 permit object-group voip-in any any
access-list 111 deny ip any any

But when I apply the first rule in the set the inbound ping stops working, AnyConnect VPN sessions are cut, SIP calls are destroyed and the DNS resolution stops working. Outbound ping to IPs is still working.

The config is as follows:

version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco_881
!
boot-start-marker
boot system flash c880data-universalk9-mz.154-3.M4.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret 4 XXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login clientauth local
aaa authentication login sslvpn local
aaa authorization network groupauth local
!
!
aaa session-id unique
memory-size iomem 10
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint Trustpoint_SSLVPN
 enrollment selfsigned
 serial-number
 subject-name CN=vpn.XXX.de
 revocation-check crl
 rsakeypair RSA_NXXX
!
!
crypto pki certificate chain Trustpoint_SSLVPN
 certificate self-signed 03
YYYYYY YYYYYY YYYYYY
        quit
!
!
no ip source-route
no ip gratuitous-arps
!
!
ip domain name nieder.XXX
ip name-server 194.25.0.60
ip name-server 194.25.0.52
ip name-server 8.8.8.8
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw sip
ip inspect name myfw rtsp
!
ip cef
no ipv6 cef
!
!
cts logging verbose
license udi pid CISCO881-SEC-K9 sn FCZ112345678
license boot module c880-data level advsecurity
!
!
object-group network cameras
 description Netzwerk-Kameras
 host 192.168.178.220
 host 192.168.178.221
 host 192.168.178.222
 host 192.168.178.223
!
object-group service services-in
 description Netzwerkdienste
 tcp eq domain
 udp eq domain
 udp eq ntp
!
object-group service voip-in
 description voip inbound
 udp eq 5060
 udp eq 5070
 udp eq 5080
 udp range 30000 31000
 udp range 40000 41000
!
object-group network voip-servers
 description VoIP-Server Telekom und sipgate
 217.0.0.0 255.248.0.0
 217.10.64.0 255.255.240.0
 217.116.112.0 255.255.240.0
 212.9.32.0 255.255.224.0
!
object-group service vpn-in
 description VPN inbound
 esp
 udp eq 443
 udp eq isakmp
 udp eq non500-isakmp
 udq eq 3000
 tcp eq www
 tcp eq 443
 tcp eq 10000
 udp eq 3000
 !
username admin privilege 15 secret 4 XYZABC
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.4.00243-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect flash:/webvpn/anyconnect-macos-4.4.00243-webdeploy-k9.pkg sequence 2
!
crypto vpn anyconnect profile VPN_PROFILE flash:/RDProfile.xsd
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered Dialer1
!
interface Vlan1
 description LAN
 ip address 192.168.178.254 255.255.255.0
 ip access-group 102 in
 ip access-group 102 out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan10
 description Voice-VLAN
 ip address 192.168.10.254 255.255.255.0
 ip access-group 103 in
 ip access-group 103 out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan100
 description Guest-VLAN
 ip address 172.20.2.254 255.255.255.0
 ip access-group 104 in
 ip access-group 104 out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 description VDSL Einwahl-Interface
 ip ddns update hostname vpn.XXX.de
 ip ddns update Strato
 ip ddns update Niederelvenich
 ip address negotiated
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname 1234567890@t-online.de
 ppp chap password 0 12345678
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 no cdp enable
!
ip local pool vpnpool 10.10.10.1 10.10.10.10
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
no ip ftp passive
ip dns server
ip nat inside source list 101 interface Dialer1 overload
ip ssh version 2
ip scp server enable
!
kron occurrence DSL-Reconnect at 4:00 recurring
 policy-list DSL-Reconnect
!
kron policy-list DSL-Reconnect
 cli clear interface Dialer1
!
dialer-list 1 protocol ip permit
!
access-list 101 permit ip 192.168.178.0 0.0.0.255 any
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 102 deny   ip 192.168.178.0 0.0.0.255 172.20.2.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny   ip 172.20.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 deny   ip 192.168.10.0 0.0.0.255 172.20.2.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 deny   ip 172.20.2.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 104 deny   ip 192.168.178.0 0.0.0.255 172.20.2.0 0.0.0.255
access-list 104 deny   ip 172.20.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 104 deny   ip 192.168.10.0 0.0.0.255 172.20.2.0 0.0.0.255
access-list 104 permit ip any any
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp master
ntp server de.pool.ntp.org minpoll 8
!
!
webvpn gateway SSLVPN_Gateway
 ip interface Dialer1 port 443
 ssl encryption aes256-sha1
 ssl trustpoint Trustpoint_SSLVPN
 inservice
 dtls port 3000
 !
webvpn context SSLVPN
 title "VPN"
 color grey
 secondary-color black
 title-color #669999
 login-message "Please log in."
 aaa authentication list sslvpn
 gateway SSLVPN_Gateway
 logging enable
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN
   functions svc-enabled
   functions svc-required
   timeout idle 86400
   timeout session 1209600
   svc address-pool "vpnpool" netmask 255.255.255.255
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 192.168.178.0 255.255.255.0
   mask-urls
 default-group-policy SSLVPN
!
end

If anyone can point me in the right direction it would make my day...

Best regards,

Joerg

Diana Karolina Rojas · ‎02-03-2017

I think the user @mlund is right,

You have to delete this line -"ip access-group 111 in" in your interface before you introduce your access-list. After you introduce your ACL you can apply the ACL again.

regards,

View solution in original post

Diana Karolina Rojas · ‎02-02-2017

Hello Vorname!

A question: When you applied the ACL in your interface, Did you see the counters in the ACL with a "Show access-list 111"? It was doing match? In which ACE? It is necesary to look in it so you can understand how the access list is working and If it is blocking the traffic you mentioned.

Regards!

Joerg - · ‎02-03-2017

Good afternoon and sorry for the delay.

As soon as I apply the very first ACL of the block mentioned above the traffic breaks down...

So sh access-list 111 is pretty clear...

Diana Karolina Rojas · ‎02-03-2017

I think the user @mlund is right,

You have to delete this line -"ip access-group 111 in" in your interface before you introduce your access-list. After you introduce your ACL you can apply the ACL again.

regards,

Joerg - · ‎02-08-2017

Thanks a lot...

Sometimes one is too stupid to notice the most simple things...

mlund · ‎02-02-2017

Hi

If I understand You correct, You have not yet wrote the access-list into the router. And as soon as You start writing and the first line is inserted the problem occurs. If that is the case, it is actually how it should work, and here is the reason.

Because under the "interface dialer 1" there is already a command that is pointing to the access-list (ip access-group 111 in). And as long as this list is not yet configured this line is ignored. But as soon as the first line is configured the access-group 111 in is actually started to be active. Because of the implicit "deny any any" that is always in the bottom of a access-list, the only traffic that will be permitted is this "access-list 111 permit icmp any any administratively-prohibited" anything else will be denyed.

To overcome this You can start with removing the entry from interface dialer.

conf t

int dialer 1

no ip access-group 111 in

then You can start writing the list and after the list is completed, insert the line again with

conf t

int dialer 1

ip access-group 111 in

/Mikael