01-31-2013 04:03 AM - edited 03-07-2019 11:25 AM
Hi,
I run Cisco 861 to connect a small LAN to the Internet. The router provides DHCP and DNS to the local users and does NAT to map to one public IP. To secure the router I followed the steps given at
However, I encounter two problems now:
1) When I bind an access-list to the inside-interface, DHCP stops functioning. For the beginning, the access-list is very permissive:
access-list 102 permit tcp 192.168.43.0 0.0.0.255 any
access-list 102 permit udp 192.168.43.0 0.0.0.255 any
access-list 102 permit icmp 192.168.43.0 0.0.0.255 any
access-list 102 permit ip 192.168.43.0 0.0.0.255 any
Additionally, for the firewall to work, the interface is inspecting packets that are coming in:
ip inspect name firewall http timeout 3600
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 15
2) When I now bind an access-list to the outside-interface, communication to the internet is totally blocked:
access-list 112 permit icmp any any
access-list 112 deny ip any any log
See the appended config for full details. Without the access-lists, the setup works perfectly.
Which part am I doing wrong? Any help is appreciated,
Benjamin
01-31-2013 07:39 AM
Hi!
1)
For your problem with the DHCP:
When hosts are trying to get an IP address for the first time they do not have an IP address, so your ACL 102 is blocking them from getting one.
The solution is to add an extra line to your ACL 102:
access-list 102 permit udp any any eq bootpc (or bootps, I'm not sure, you will have to try).
2)
I think there is the same problem here, you are blocking DHCP. Try to add the same line to that ACL too and see if that fixes it.
02-01-2013 07:18 AM
Hi,
your proposal solves the first issue. Thanks!
However, the second issue remains. I can't access the web from the inside LAN.
show ip access-lists gives:
Extended IP access list 101
10 permit ip 192.168.43.0 0.0.0.255 any (567952 matches)
Extended IP access list 112
10 permit icmp any any (14 matches)
20 permit udp any any eq bootpc (5 matches)
30 permit udp any any eq bootps
40 deny ip any any log (1920 matches)
Extended IP access list 102
10 permit udp any any eq bootpc
20 permit udp any any eq bootps (52 matches)
40 permit tcp 192.168.43.0 0.0.0.255 any (170963 matches)
50 permit udp 192.168.43.0 0.0.0.255 any (227216 matches)
60 permit icmp 192.168.43.0 0.0.0.255 any (61 matches)
70 deny ip any any (15 matches)
I've changed the inspection rule (bound to incoming packets on the internal interface) to read:
ip inspect name firewall udp timeout 15
ip inspect name firewall tcp timeout 3600
ip inspect name firewall bootpc
ip inspect name firewall bootps
I'm not sure if letting through bootpc is a good idea here, just did it for testing purposes.
Any further ideas?
02-01-2013 08:15 AM
Hi again.
Good to hear that something works.
Is the router itself able to reach the internet?
For the "inspect ... bootpc": It doesn't have to be there, there is no need for it. Bootpc and bootps are UDP, so they're already inspected.
Apparently the traffic returning is getting dropped... It's like the firewall isn't letting through the return traffic...
Other than that I'm kind of clueless at the moment... What you can do is to try some debugs:
debug ip inspect events
debug ip inspect detail
debug ip inspect tcp
debug ip inspect udp
Try them one at a time and see what result you get. If you are connected using telnet/ssh; use "terminal monitor" to see these commands.
02-01-2013 08:46 AM
Hi,
on the router, doing e.g. telnet www.google.com 80 doesn't work either with the extern ACL switched on.
debug ip inspect events gives a lot of lines like the following (list 112 was renamed to list extern):
005488: Feb 1 17:35:29.651 MEZ: FIREWALL sent a TCP pkt (***.***.***.***:32244) tcp flag:0x4 -> ***.***.***.***:53986 seq 0 ack 0 wnd 2048, FastEthernet4
005489: Feb 1 17:35:29.651 MEZ: FIREWALL sent a TCP pkt (***.***.***.***:53986) tcp flag:0x4 -> ***.***.***.***:32244 seq 325246413 ack 0 wnd 0, Vlan1
005490: Feb 1 17:35:29.679 MEZ: %SEC-6-IPACCESSLOGP: list extern denied tcp ***.***.***.***(80) -> ***.***.***.***(50057), 1 packet
005491: Feb 1 17:35:30.619 MEZ: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 315 packets
005492: Feb 1 17:35:30.707 MEZ: %SEC-6-IPACCESSLOGP: list extern denied udp ***.***.***.***(57851) -> ***.***.***.***(20370), 1 packet
debug ip inspect detail gives output like the following. The "denied" messages occur relatively seldom:
007165: Feb 1 17:39:42.507 MEZ: FIREWALL: Finding pregen session for src_tableid:0, src_addr:192.168.43.139, src_port:20370, dst_tableid:0, dst_addr:***.***.***.***, dst_port:15756
007166: Feb 1 17:39:42.507 MEZ: FIREWALL: Finding pregen session for src_tableid:0, src_addr:192.168.43.139, src_port:20370, dst_tableid:0, dst_addr:***.***.***.***, dst_port:15756
007167: Feb 1 17:39:42.691 MEZ: %SEC-6-IPACCESSLOGP: list extern denied tcp ***.***.***.***(80) -> ***.***.***.***(59311), 1 packet
debug ip inspect tcp/udp does not exist on my router
Does this help?
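To make the log lines above and the ACL counters easier to reason about, here is an added Python model (written for this page; it is not IOS code and not part of the thread). It parses "show ip access-lists" output in the form posted above, walks each list top-down the way IOS does (first match wins, implicit deny at the end), stands in for CBAC's dynamic openings with a plain session table, and pulls a 5-tuple out of a %SEC-6-IPACCESSLOGP line so a logged deny can be replayed against the parsed list. The addresses 198.51.100.7 (router's public side), 203.0.113.10 (web server), 203.0.113.53 (DNS forwarder) and 203.0.113.1 (ISP DHCP server) are constructed placeholders for the masked ones; the session table is keyed on the post-NAT 5-tuple and ignores timeouts and TCP state, both of which real CBAC tracks.

```python
"""Offline model of Cisco IOS extended-ACL evaluation plus the dynamic openings
CBAC (ip inspect) inserts ahead of the interface ACL for sessions it has seen.
Added illustration for this thread; not IOS code and not the poster's config."""
import ipaddress
import re

# Port keywords IOS prints in place of numbers (only the ones needed here).
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}

ACE_RE = re.compile(
    r"^(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+log)?(?:\s+\(\d+ match(?:es)?\))?$")
LOG_RE = re.compile(
    r"list (\S+) denied (\w+) (\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _take_addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, wildcard) as ints."""
    t = toks.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(toks.pop(0)), 0
    return _ip(t), _ip(toks.pop(0))


def _take_port(toks):
    """Consume an optional 'eq PORT' qualifier."""
    if toks and toks[0] == "eq":
        toks.pop(0)
        p = toks.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_show_access_lists(text):
    """Parse 'show ip access-lists' output into {name: [ace, ...]} in sequence order."""
    acls, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Extended IP access list (\S+)$", line)
        if m:
            name = m.group(1)
            acls[name] = []
            continue
        m = ACE_RE.match(line)
        if not (m and name):
            continue
        seq, action, proto, rest = m.groups()
        toks = rest.split()
        src, sport = _take_addr(toks), _take_port(toks)
        dst, dport = _take_addr(toks), _take_port(toks)
        acls[name].append(dict(seq=int(seq), action=action, proto=proto,
                               src=src, sport=sport, dst=dst, dport=dport))
    return acls


def _matches(ace, pkt):
    proto, src, sport, dst, dport = pkt
    if ace["proto"] not in ("ip", proto):
        return False
    for (net, wild), addr in ((ace["src"], src), (ace["dst"], dst)):
        keep = ~wild & 0xFFFFFFFF          # wildcard bits set to 1 are "don't care"
        if (_ip(addr) & keep) != (net & keep):
            return False
    return all(want is None or want == have
               for want, have in ((ace["sport"], sport), (ace["dport"], dport)))


def evaluate(acl, pkt):
    """Walk the ACL top-down; first match wins, otherwise the implicit deny."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace["seq"], ace["action"]
    return None, "deny"


class Cbac:
    """Stand-in for 'ip inspect': remember each inspected session and admit its
    reverse direction before the interface ACL is consulted."""

    def __init__(self, protocols):
        self.protocols = set(protocols)
        self.sessions = set()

    def inspect(self, pkt):
        """Packet seen in the inspected direction (leaving towards the Internet, post-NAT)."""
        proto, src, sport, dst, dport = pkt
        if proto in self.protocols:
            self.sessions.add((proto, dst, dport, src, sport))

    def check_inbound(self, acl, pkt):
        if pkt in self.sessions:
            return "dynamic", "permit"
        return evaluate(acl, pkt)


def parse_log_line(line):
    """Pull the list name and the 5-tuple out of a %SEC-6-IPACCESSLOGP line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    name, proto, src, sport, dst, dport = m.groups()
    return name, (proto, src, int(sport), dst, int(dport))


# Constructed sample input: the lists as posted, with placeholder public addresses.
SHOW_OUTPUT = """\
Extended IP access list extern
    10 permit icmp any any (64 matches)
    20 permit udp any any eq bootpc (26 matches)
    30 permit udp any any eq bootps
    40 deny ip any any log (4732 matches)
Extended IP access list intern
    10 permit udp any any eq bootpc (1 match)
    20 permit udp any any eq bootps (5674 matches)
    40 permit tcp 192.168.43.0 0.0.0.255 any (10637534 matches)
    50 permit udp 192.168.43.0 0.0.0.255 any (4528087 matches)
    60 permit icmp 192.168.43.0 0.0.0.255 any (4605 matches)
    70 deny ip any any (10578 matches)
"""
LOG_LINE = ("005490: Feb 1 17:35:29.679 MEZ: %SEC-6-IPACCESSLOGP: list extern denied tcp "
            "203.0.113.10(80) -> 198.51.100.7(50057), 1 packet")


def demo():
    acls = parse_show_access_lists(SHOW_OUTPUT)
    fw = Cbac(["tcp", "udp"])
    r = {}
    # Problem 1: a DHCP DISCOVER has no source address yet, so without the bootp
    # ACEs nothing in 'intern' matches it and it falls through to the deny.
    discover = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)
    r["discover_with_bootp_aces"] = evaluate(acls["intern"], discover)
    r["discover_without_bootp_aces"] = evaluate(acls["intern"][2:], discover)
    # Problem 2: a LAN client's web request leaves inspected (post-NAT form) ...
    fw.inspect(("tcp", "198.51.100.7", 50057, "203.0.113.10", 80))
    reply = ("tcp", "203.0.113.10", 80, "198.51.100.7", 50057)
    r["web_reply_with_session"] = fw.check_inbound(acls["extern"], reply)
    # ... but the same reply with no session state walks straight into ACE 40.
    r["web_reply_no_session"] = evaluate(acls["extern"], reply)
    # The router's own DNS query was never inspected, so its answer has no session either.
    r["dns_reply_to_router"] = fw.check_inbound(
        acls["extern"], ("udp", "203.0.113.53", 53, "198.51.100.7", 52001))
    # The WAN DHCP offer is caught by the static bootpc ACE.
    r["dhcp_offer_to_wan"] = evaluate(
        acls["extern"], ("udp", "203.0.113.1", 67, "255.255.255.255", 68))
    # Replay a logged deny against the parsed list to see which ACE fired.
    name, pkt = parse_log_line(LOG_LINE)
    r["logged_deny"] = evaluate(acls[name], pkt)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30} -> {v}")
```

Running it shows the two halves of the thread side by side: the DISCOVER only passes "intern" because of the bootps ACE, and on "extern" everything that is not a DHCP offer, a ping, or the reverse of a session the inspector saw ends at sequence 40. The router's own DNS query never passes the inspection point, so its answer is in the last group.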
02-01-2013 11:16 AM
If you are using access-list 112 on your outside interface you don't have a rule allowing access from your internal addresses to the Internet. The only two things you are allowing on the outside interface are:
access-list 112 permit icmp any any (which is ping)
access-list 112 deny ip any any log (your traffic gets denied here)
Make sure your access-list to allow the traffic (after you create it) is before the deny access-list.
Also make sure your default route is setup correctly and nat is configured.
02-01-2013 01:01 PM
He is using CBAC, which should allow the return traffic, even though there is an ACL on the outside interface.
02-01-2013 01:03 PM
The debugs didn't help a bit.
Sorry, I'm clueless atm... If you have Advanced IP Services or Advanced Enterprise IOS you could configure Zone-Based Firewall instead, which is a newer and better IOS firewall.
02-02-2013 06:07 AM
default route is set to point to the internet-modem (see my config) and nat works properly without the CBAC.
02-02-2013 08:24 AM
So your "outside" interface has received an address via DHCP?
Please post your current ACLs.
02-02-2013 09:53 AM
As I didn't (couldn't, because of my users) restart the router, it still uses the address that was obtained before the access-list extern was brought up. Anyway, see my ACLs here. As you can verify, bootpc is working with the ACL activated:
Extended IP access list 101
10 permit ip 192.168.43.0 0.0.0.255 any (950718 matches)
Extended IP access list extern
10 permit icmp any any (64 matches)
20 permit udp any any eq bootpc (26 matches)
30 permit udp any any eq bootps
40 deny ip any any log (4732 matches)
Extended IP access list intern
10 permit udp any any eq bootpc (1 match)
20 permit udp any any eq bootps (5674 matches)
40 permit tcp 192.168.43.0 0.0.0.255 any (10637534 matches)
50 permit udp 192.168.43.0 0.0.0.255 any (4528087 matches)
60 permit icmp 192.168.43.0 0.0.0.255 any (4605 matches)
70 deny ip any any (10578 matches)
02-01-2013 09:20 PM
I think you need to add "permit udp any any eq bootpc" to the top of ACL 112, otherwise your 'WAN' interface isn't going to get a DHCP address.
ACL112 should look like this:
access-list 112 permit udp any any eq bootpc
access-list 112 permit icmp any any
access-list 112 deny ip any any log
Once added, confirm Fa4 picks up an address via "sh int fa 4" or "sh ip int brief".
If this solves it, Henrik deserves credit as he pointed this out in his original post.
HTH
Mitch
02-02-2013 06:05 AM
Hi Mitch,
I did this after Hendrik's first proposal, see my second post (Ok, the entries are in different order, but bootpc permission comes before ip-any denial, so everything should be fine).
Thanks,
Benjamin
02-03-2013 07:23 PM
Hi,
I partly solved the second issue:
The router was configured to provide DNS to my local clients. In order to resolve the name queries the router needs to query DNS servers. Strangely, it can't. The inspection rule defined for the "inside" interface doesn't affect the router itself, only the machines connected to it. Also, when I set the rule on the "outside" interface, it doesn't work either.
So I changed my DHCP settings to provide external DNS server IPs to the clients. This way IP services work for the clients in the local network (most services; VPN by PPTP is not working right now). So after all, it was a DNS problem.
However, this solution is not satisfying, as I also need inspection to work on the router for several purposes. I suspect I miss(-understand) some important point in my configuration. I post my new config here. Maybe someone has ideas why inspection only works behind the router, but not on the router?
Benjamin
02-07-2013 05:57 AM
Hello again!
Great that you worked that out.
What I think will fix this issue is to change the location of the inspection:
interface Vlan1
no ip inspect firewall in
interface FastEthernet4
ip inspect firewall in
ip inspect firewall out
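As an added configuration sketch for this thread (not the poster's config, and not something any participant posted), here is the standard CBAC layout for a router with Vlan1 inside and FastEthernet4 outside: inspection is applied outbound on the Internet-facing interface, so every session a LAN host opens creates a temporary opening in the "extern" list applied inbound on that same interface. The "router-traffic" keyword, which makes CBAC also track sessions the router itself initiates (for example the DNS forwarding that turned out to be the problem), is assumed here to be accepted by the 861's image; if it is not, the static "domain" permit for the forwarder is the fallback. 203.0.113.53 is a placeholder for the real forwarder address, which the thread does not show, and the "intern" list stays as posted above (with its bootpc/bootps lines).

```cisco
! Inspection rule, name kept from the thread. router-traffic is assumed to be
! accepted by this image (it is not in every IOS release).
ip inspect name firewall tcp router-traffic timeout 3600
ip inspect name firewall udp router-traffic timeout 15
ip inspect name firewall icmp
!
ip access-list extended extern
 remark DHCP OFFER/ACK from the ISP to this router's client port
 permit udp any eq bootps any eq bootpc
 remark fallback if router-traffic is unavailable: answers from the DNS forwarder
 remark (203.0.113.53 is a placeholder, use the configured forwarder address)
 permit udp host 203.0.113.53 eq domain any
 remark PPTP to a remote server also needs GRE, which CBAC does not track
 permit gre any any
 permit icmp any any
 deny ip any any log
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip access-group extern in
 ip inspect firewall out
!
interface Vlan1
 ip nat inside
 ip access-group intern in
 no ip inspect firewall in
```

After applying it, "show ip inspect sessions" should list entries while LAN hosts are browsing; if it stays empty while the match counter on the "deny ip any any log" line in "show ip access-lists" keeps climbing, inspection is not in the traffic path, which is exactly the symptom the thread chased.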