Sorry Richard but I do not

momentousltd · ‎04-09-2016

Hello. I have the following configuration and I wonder if I can allow all outgoing traffic without using ip inspect. Perhaps with an outgoing access rule. I want to continue blocking incoming traffic as I do.

Thank you.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BasicRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.2.255
!
ip dhcp pool HOME_DHCP
   network 10.0.0.0 255.255.252.0
   default-router 10.0.0.254
   dns-server 8.8.8.8 8.8.4.4
   lease 5
!
!
ip inspect name FIREWALL_OUT udp
ip inspect name FIREWALL_OUT tcp
ip inspect name FIREWALL_OUT icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username apant privilege 0 password 7 xxxxxxxxxxxxxxxxxxxxxx
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 10.0.0.254 255.255.252.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip access-group FIREWALL_IN in
ip inspect FIREWALL_OUT out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username xxxxxx@xxxx.xxxx password 7 xxxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.4 5730 interface Dialer0 5730
ip nat inside source static udp 10.0.0.4 5730 interface Dialer0 5730
ip nat inside source static tcp 10.0.0.1 44445 interface Dialer0 44445
ip nat inside source static udp 10.0.0.1 44445 interface Dialer0 44445
ip nat inside source static tcp 10.0.0.253 44444 interface Dialer0 44444
ip nat inside source static udp 10.0.0.253 44444 interface Dialer0 44444
!
ip access-list extended FIREWALL_IN
permit tcp any any eq 44445
permit udp any any eq 44445
permit tcp any any eq 5730
permit udp any any eq 5730
permit tcp any any eq 44444
permit udp any any eq 44444
deny   ip any any
!
access-list 100 permit ip 10.0.0.0 0.0.3.255 any
!
!
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 30 0
password 7 xxxxxxxxxxx
login local
!
scheduler max-task-time 5000
end

momentousltd · ‎04-09-2016

I also realize now that with the same configuration I can ping internet from PCs but not from cisco.

Richard Burts · ‎04-16-2016

I am a bit puzzled by this post. You tell us that "I want to continue blocking incoming traffic as I do." and then you ask if you can remove ip inspect. But ip inspect is the essence of how you are currently blocking incoming traffic.

And I am not sure that I understand the comment about pinging the Internet from cisco. Are you saying that if you telnet to the router and then from the telnet session attempt to ping Internet resources that the ping fails? Does it fail when you attempt to ping using an IP address? Or only fail when you attempt to ping by name? (I do not see any DNS server configured for the router so ping by name would fail because it can not resolve the name to an IP address)

HTH

Rick

HTH

Rick

momentousltd · ‎04-16-2016

Sorry Richard but I do not know why name-servers was not pasted into the post. I have name servers.

ip inspect name FIREWALL_OUT udp
ip inspect name FIREWALL_OUT tcp
ip inspect name FIREWALL_OUT icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 8.8.8.8
ip name-server 8.8.4.4

And yes, I cannot ping internet when I telnet to router. I tried

ping 8.8.8.8

ping 8.8.8.8 source vlan 1

ping 8.8.8.8 source dialer 0

Nothing works. Pinging from PCs connected to vlan 1 works great.

Now, about incoming traffic, I thing I currently block it with FIREWALL_IN access list. I think that ip inspect is used to allow outgoing traffic.

Excuse me if I am confused. I am new to cisco routers.

Thank you.

momentousltd · ‎04-29-2016

Richard I found out that reflexive access lists is the solution to avoid ip inspect. So everything is ok with that.

Investigating more the problem of pinging from router I also realized that router can ping internet addresses for some seconds that had previously pinged from a PC !!! After some seconds can't ping !

For example if I ping 8.8.8.8 from my pc, router can also ping 8.8.8.8 for some seconds !

Richard Burts · ‎04-29-2016

I am glad that you have found reflexive access lists and that they provide a solution for your requirements. I am not sure what would cause the issue that the router can ping only if the PC has pinged and then the router can ping only for a short time. My first thought was that it might relate to something that gets created and then times out, perhaps like an entry in the arp table or in the address translate table. Then I thought that perhaps it might be related to your reflexive access lists. Is it possible that the PC ping creates and entry that then allows traffic from the router ping and then the PC entry in the reflexive access list times out?

HTH

Rick

HTH

Rick

momentousltd · ‎04-30-2016

The same thing happens using ip inspect. Not only using reflexive ACLs. The arp tables do not show any temporary created entry. Trying to debug with "debug ip packet detail" I see that before pinging from pc icmp reply is blocked (access denied). If I ping from pc first then this line does not appear and pinging from router works. It looks like ACLs are ignored when pinging from router. I also tried "ping 8.8.8.8 source vlan 1" with failure again... I put the same configuration in GNS3 to reproduce the topology and I get the same results.

Richard Burts · ‎04-30-2016

It is very interesting that your test shows that in normal operation the ICMP reply is blocked but after the PC pings then the icmp reply to router ping is not blocked for a short while and then is blocked again. I would not say that the ACL is ignored but would say that the ACL is being used and that the ping from the PC creates a dynamic entry in the ACL which then allows the router ping but the dynamic entry times out and then the router ping is denied again.

I would suggest this to you to test further. Do a show access-list for the ACL applied inbound on the outside interface. then ping from the PC and then do another show access-list. Check the two outputs and I predict that there will be a dynamic entry for the ping in the second output that is not present in the first output.

HTH

Rick

HTH

Rick

momentousltd · ‎04-30-2016

Hi Richard. I tried what you told me in both cases. Ip inspect and reflexive lists.

1. In case of ip inspect no ACL change happens.

2. In case of reflexive ACL a dynamically reflexive ACL is created and is alive for a period of time that is set with "ip reflexive-list timeout 30". The problem is that this dynamically created ACL is not created when pinging from router.

In case of ip inspect, pinging from router stops in less than 5 seconds after pinging from pc is finished.

Richard Burts · ‎04-30-2016

Thanks for the additional information. It makes it pretty clear that ping from PC dynamically creates entries that ping from the router does not. So if it is important that ping from the router should work then I suggest that you should configure entries in the access list to permit ping from the router and not depend on dynamic entries for the router access.

HTH

Rick

HTH

Rick

Allow all outgoing traffic without inspect