ACL is not working as expected

bssangeeth
Level 1

Hi Everyone,

I have an internet router with a server farm switch connected to its fa0/0 port, and fa0/1 goes to the ISP. We are using public IPs on both the servers and the router interfaces. My requirement is to deny unwanted traffic coming from the outside network to my servers, while at the same time servers in other locations need to communicate with my inside servers.

But the problem I am facing is that after creating the ACL I placed it as an inbound ACL on fa0/1. The outside-to-inside traffic is getting blocked as desired, but none of my server farm servers are able to access the internet.

If I add ESTABLISHED to the ACL, sessions that are already open to the internet work fine. But if we close and reopen the browser, we are not able to access the internet.

Suppose below are my IP schema.

R1 fa0/1 – 192.168.1.62/30; ISP Gateway – 192.168.1.61/30

R1 fa0/0 – 192.168.1.65/29

Servers – 192.168.1.66 – 70/29; Gateway – 192.168.1.66

Servers in other location 10.1.1.1 Port 3030, 10.2.1.1 Port 3030, 10.3.1.1 Port 3030 etc

Can anyone please help me by sharing a sample ACL, which will work for my above requirement?

Thanks in advance

Sangeeth

8 Replies

cadet alain
VIP Alumni

Hi,

The established keyword only works for TCP, not for UDP, so your DNS replies are surely being blocked.

You'd be better off configuring either CBAC or Zone Based Firewall to achieve stateful behaviour for all types of traffic.

Post your sanitized config and I'll give you the CBAC and ZBF config to achieve your needs.

Regards

Alain

Don't forget to rate helpful posts.


Hi Alain,

Thanks for your reply.

Now the router is running with a minimum configuration. I have shared the running config of the router below. Please have a look at it and help me by giving a sample ACL config as you promised.

Please note I have changed the IP addresses.

Router#sh run
Building configuration...

Current configuration : 3986 bytes
!
! Last configuration change at 11:49:20 UTC Wed Oct 30 2013
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
enable password ****
!
no aaa new-model
!
no ip source-route
!
ip cef
no ip domain lookup
multilink bundle-name authenticated
!
license udi pid CISCO2811 sn FHK091390B9
!
interface FastEthernet0/0
 ip address 192.168.1.65 255.255.255.248
 ip accounting output-packets
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.62 255.255.255.252
 ip accounting output-packets
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip route 0.0.0.0 0.0.0.0 192.168.1.61
!
ip access-list extended Allow
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8080
 permit tcp any any eq domain
 permit udp any any eq domain
 permit tcp host 10.1.1.1 host 192.168.1.66 eq 3030
 permit tcp host 10.1.1.1 host 192.168.1.69 eq 3030
 permit tcp host 10.2.1.1 host 192.168.1.66 eq 3030
 permit tcp host 10.2.1.1 host 192.168.1.67 eq 3030
 permit tcp host 10.2.1.1 host 192.168.1.69 eq 3030
 permit tcp host 10.2.1.1 host 192.168.1.70 eq 3030
 deny   tcp any any
!
logging history informational
logging trap debugging
logging 10.125.x.x
logging 10.125.x.x1
logging 10.125.x2.x2
!
!
control-plane
!
privilege interface level 8 shutdown
privilege interface level 8 encapsulation ppp
privilege interface level 8 ip address
privilege interface level 8 ip
privilege interface level 8 encapsulation
privilege interface level 8 description
privilege configure level 0 line
privilege configure level 8 ip route
privilege configure level 8 interface
privilege configure level 8 ip
privilege exec level 6 traceroute
privilege exec level 6 ping
privilege exec level 6 configure terminal
privilege exec level 6 configure
privilege exec level 6 show mac-address-table
privilege exec level 6 show running-config
privilege exec level 6 show
privilege exec level 6 clear counters
privilege exec level 6 clear
!
line con 0
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
end

Thanks in advance

Sangeeth

Hi,

Is there no NAT or IPSec VPN involved?

How do you want to access the inside servers? With a static PAT or with a VPN?

Regards

Alain

Don't forget to rate helpful posts.


Hi Alain,

All servers have public IPs. These devices may be accessible from the outside network at present. That is the reason I changed those IPs and put in some private IPs.

Thanks and Regards,

Sangeeth BS

Hi,

So which server is accessible from the WAN, on which service and from which IP?

Regards

Alain

Don't forget to rate helpful posts.


Hi Alain,

Right now all my servers are accessible from WAN (Internet).

I just want

  • Communication between my remote servers (10.1.1.1, 10.2.1.1) to my server farm servers (192.168.1.66 to 192.168.1.70) with port no 3030
  • Enable www, https & dns services from internet to server farm servers
  • And all server farm servers should have internet access without any problem.

If I apply the ACL shown in the running config above, the first 2 points work fine, but the third point fails.

Hope you understood the scenario.

Thanks and Regards,

Sangeeth BS

Hello,

Is this ACL supposed to be applied on the WAN interface inbound direction?

Based on the configuration you are actually allowing what you need so there should not be any problem.

As a note I would actually add the deny ip any any at the bottom.

ip access-list extended Allow
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8080
 permit tcp any any eq domain
 permit udp any any eq domain
 permit tcp host 10.1.1.1 host 192.168.1.66 eq 3030
 permit tcp host 10.1.1.1 host 192.168.1.69 eq 3030
 permit tcp host 10.2.1.1 host 192.168.1.66 eq 3030
 permit tcp host 10.2.1.1 host 192.168.1.67 eq 3030
 permit tcp host 10.2.1.1 host 192.168.1.69 eq 3030
 permit tcp host 10.2.1.1 host 192.168.1.70 eq 3030
 deny   tcp any any

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

with these

permit tcp any any eq domain
permit udp any any eq domain

The inside servers won't receive DNS replies because they don't use port 53 as source so the return traffic must be from port 23 not destined to port 53.

So these 2 lines should be

permit tcp any eq domain any
permit udp any eq domain any

And best would be to specify the DNS server IP addresses to be more specific.

Regards.

Alain

Don't forget to rate helpful posts.

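The two points the thread turns on (the first reply's observation that `established` helps only TCP, and the last reply's observation that DNS replies arrive *from* port 53 rather than *to* it) can be checked with a small evaluator for the subset of IOS extended-ACL syntax the posts use. This is an added example, not code from the thread or from Cisco: it implements first-match semantics with the implicit `deny ip any any` at the end of every IOS ACL, then runs the posted ACL, the same ACL with `established` added, and a constructed correction against constructed inbound packets on fa0/1. The outside addresses (203.0.113.53 as the resolver, 198.51.100.10 as an internet host, both RFC 5737 documentation ranges), the sample packets and the `CORRECTED` list are assumptions for illustration, not a drop-in config.

```python
# Added example (not from the thread, not Cisco code): evaluator for the subset of
# IOS extended-ACL syntax used in the posts, run against constructed inbound packets.
from dataclasses import dataclass

NAMED_PORTS = {"www": 80, "https": 443, "domain": 53}

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK (or RST) bit set; all that 'established' inspects

def parse_ace(line):
    """Parse 'permit|deny tcp|udp|ip SRC [eq P] DST [eq P] [established]'
    where SRC/DST is 'any' or 'host A.B.C.D'. None means wildcard."""
    toks = line.split()
    ace = {"action": toks[0], "proto": toks[1]}
    i = 2
    for side in ("src", "dst"):
        if toks[i] == "any":
            ace[side], i = None, i + 1
        elif toks[i] == "host":
            ace[side], i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported address form in: {line}")
        if i < len(toks) and toks[i] == "eq":
            tok = toks[i + 1]
            ace[side + "_port"] = NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)
            i += 2
        else:
            ace[side + "_port"] = None
    ace["established"] = i < len(toks) and toks[i] == "established"
    return ace

def matches(ace, p):
    """IOS semantics for this subset: protocol, addresses, ports, then flags."""
    if ace["proto"] != "ip" and ace["proto"] != p.proto:
        return False
    for side, addr, port in (("src", p.src, p.sport), ("dst", p.dst, p.dport)):
        if ace[side] is not None and ace[side] != addr:
            return False
        if ace[side + "_port"] is not None and ace[side + "_port"] != port:
            return False
    # 'established' keeps no session table; it only tests the ACK/RST bits.
    if ace["established"] and not (p.proto == "tcp" and p.ack):
        return False
    return True

def evaluate(acl_lines, p):
    """First matching ACE wins; every IOS ACL ends with an implicit deny ip any any."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, p):
            return ace["action"]
    return "deny"

# The ACL posted in the thread (abridged to one 3030 line), applied inbound on fa0/1.
ORIGINAL = [
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
    "permit tcp any any eq 8080",
    "permit tcp any any eq domain",
    "permit udp any any eq domain",
    "permit tcp host 10.1.1.1 host 192.168.1.66 eq 3030",
    "deny tcp any any",
]
# What the poster tried: TCP replies now pass, UDP DNS replies still hit the implicit deny.
WITH_ESTABLISHED = ORIGINAL[:-1] + ["permit tcp any any established", "deny tcp any any"]
# Constructed illustration of the last reply: match DNS replies by SOURCE port 53
# and pin them to a specific resolver (203.0.113.53 is an assumed address).
CORRECTED = ORIGINAL[:3] + [
    "permit tcp host 10.1.1.1 host 192.168.1.66 eq 3030",
    "permit tcp host 203.0.113.53 eq domain any",
    "permit udp host 203.0.113.53 eq domain any",
    "permit tcp any any established",
    "deny tcp any any",
]

# Constructed sample packets, all arriving inbound on fa0/1.
SAMPLES = {
    "dns_reply":   Packet("udp", "203.0.113.53", 53, "192.168.1.67", 40000),
    "http_reply":  Packet("tcp", "198.51.100.10", 80, "192.168.1.67", 40001, ack=True),
    "client_web":  Packet("tcp", "198.51.100.10", 51000, "192.168.1.66", 80),
    "remote_3030": Packet("tcp", "10.1.1.1", 51002, "192.168.1.66", 3030),
    "client_ssh":  Packet("tcp", "198.51.100.10", 51001, "192.168.1.66", 22),
    "ack_only":    Packet("tcp", "198.51.100.10", 51003, "192.168.1.66", 22, ack=True),
}

def report(acl_lines):
    """Decision per sample packet for one ACL."""
    return {name: evaluate(acl_lines, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("with established", WITH_ESTABLISHED),
                       ("corrected", CORRECTED)):
        print(f"{label:17s}", report(acl))
```

Running it reproduces the thread: with the posted ACL both the DNS reply and the HTTP reply to a server-farm client are denied, so the farm has no internet access at all; adding `established` lets the TCP reply through (an already-open browser session keeps working) while the UDP DNS reply is still dropped (a fresh lookup after reopening the browser fails); matching replies by source port 53 fixes that. The `ack_only` row shows the limit of the stateless approach: `established` passes any segment with ACK or RST set whether or not a session exists, which is why the first reply's recommendation of CBAC or Zone Based Firewall is the sounder fix. An explicit `deny ip any any` at the bottom, as suggested in the thread, changes nothing in the decisions here; it only makes the drops visible in hit counters and logging.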