Outside in ACL blocks Inside access to Internet

DON BROWN
Level 1
Level 1

When I apply the access lists to the D3 interface, inbound access is restricted correctly but the inside LAN loses Internet.

Before applying the ACL's to D3 interface
   ping 8.8.8.8 sour  vlan1     works
After applying
   ping 8.8.8.8 sour  vlan1     fails

Partial Config

interface Vlan1
 description Internal LAN
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452

interface Dialer3
 description ADSL Connection
 ip address 165.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip access-group OutsideIn in
 ip access-group OutsideOut out


ip nat inside source list 22 interface Dialer3 overload
ip nat inside source static tcp 192.168.0.103 25 165.1.1.1 25 extendable
ip nat inside source static tcp 192.168.0.103 43 165.1.1.1 43 extendable
ip nat inside source static tcp 192.168.0.103 80 165.1.1.1 80 extendable
ip nat inside source static tcp 192.168.0.103 443 165.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.103 3389 165.1.1.1 3389 extendable
ip nat inside source static tcp 192.168.0.101 3390 165.1.1.1 3390 extendable
ip nat inside source static tcp 192.168.0.102 3389 165.1.1.1 3391 extendable
ip route 0.0.0.0 0.0.0.0 Dialer3


Extended IP access list OutsideIn
    5 permit tcp any host 165.1.1.1 eq 22 (49995 matches)
    10 permit tcp any host 165.1.1.1 eq smtp (226 matches)
    20 permit tcp any host 165.1.1.1 eq whois
    30 permit tcp any host 165.1.1.1 eq www (4 matches)
    31 permit tcp host 210.1.1.1 165.1.1.1 0.0.0.255 (49609 matches)
    50 permit tcp any any established (108 matches)
    60 evaluate tcptraffic

#Lines 50 and 60 have been added and removed in testing with no difference

Extended IP access list OutsideOut
    10 permit ip any any reflect tcptraffic (5502 matches)

#I initially did not have an out access list specified on the D3 interface

I have also added and tried with no change

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp

interface Dialer3

 ip inspect fw out

Would be very happy to find what I am missing ... please

Thank you for any assistance.

Don

9 Replies

Hello

It seems you have a mixture of a reflective ACL and also CBAC applied.

So which one do you want to use? I am guessing it is the reflective ACL, as you stated the CBAC was additionally added -- is this correct?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes you are correct.

Initially I had the reflective ACL, and when that was not working correctly I removed it and applied CBAC, which also did not provide the desired result.

I cannot see why, when the ACL is applied to the Dialer3 interface, it stops Internet access, and I do not know how to debug this.

Appreciate you replying - any thoughts?

First you should clean up the config and just focus on a correct CBAC implementation:

  1. Remove the ACL OutsideOut from Dialer3
  2. Remove the evaluate and established statements from ACL OutsideIn
  3. Keep the outgoing inspection on Dialer3
  4. Add the keyword "router-traffic" to the tcp, udp and icmp inspect rules
  5. Based on your needs, add more protocol inspections such as ftp

Thanks Karsten,

I have removed the OutsideOut from D3

I have removed the evaluate and established from OutsideIn

When you suggest keeping the outgoing inspection on D3, do you mean keep the OutsideIn inwards inspection?

What will the router-traffic keyword do to the CBAC inspect rules?

At this stage, if I can just get the inward restrictions on the outside interface and still retain Internet access for the inside LAN, then I can expand the ACL as required. My main issue is that when I apply the inward ACL to D3 I lose Internet access from the inside.

Appreciate your response - any other suggestions?

Thanks

When you suggest keeping the outgoing inspection on D3, do you mean keep the OutsideIn inwards inspection?

No, use it in the same way as you have configured it. The inspection needs to "see" the initial packet of a connection. This can be on an internal interface in the incoming direction, or, as here, on the external interface in the outgoing direction ("ip inspect fw out").

What will the router-traffic keyword do to the CBAC inspect rules?

If the inspection is applied on an external interface in the outgoing direction, the keyword "router-traffic" tells the inspection to also look at traffic that is generated by the router. That could be a ping from the router, an outgoing NTP request or something like that.

My main issue is that when I apply the inward ACL to D3 I lose Internet access from the inside.

That is what CBAC is for. It allows all sessions that are "seen" by the inspection, even if there is a restrictive ACL on the outside.
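To make the behaviour described in this reply concrete, here is a small Python model of the Dialer3 interface as it appears in the thread: a static inbound ACL, optional outbound CBAC inspection, and the "router-traffic" keyword. It is an added illustration, not Cisco code and not taken from the original posts; it simplifies IOS (dynamic inspection entries are checked before the static ACL, NAT is assumed to have already translated the source to 165.1.1.1, and the outside host 203.0.113.9 is a constructed placeholder). It runs the three configurations the thread went through against a LAN web session, the router's own "ping 8.8.8.8 source vlan1", and an unsolicited inbound SSH connection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int                      # 0 for icmp
    dst: str
    dport: int                      # 0 for icmp
    router_generated: bool = False  # True for packets the router itself originates


# The static inbound ACL "OutsideIn" from the thread, modelled as (proto, dst, dport) permits.
OUTSIDE_IN = [
    ("tcp", "165.1.1.1", 22),
    ("tcp", "165.1.1.1", 25),
    ("tcp", "165.1.1.1", 43),
    ("tcp", "165.1.1.1", 80),
]


class OutsideInterface:
    """Toy model of Dialer3: inbound ACL plus optional CBAC inspection outbound."""

    def __init__(self, inbound_acl, inspect_out=False, router_traffic=False):
        self.inbound_acl = inbound_acl
        self.inspect_out = inspect_out        # "ip inspect fw out" applied
        self.router_traffic = router_traffic  # "router-traffic" keyword on the inspect rules
        self.sessions = set()                 # dynamic openings created by inspection

    def send_out(self, pkt):
        """Packet leaving Dialer3 (assumed already NAT-translated to 165.1.1.1)."""
        if not self.inspect_out:
            return
        if pkt.router_generated and not self.router_traffic:
            return  # locally generated traffic is not inspected without "router-traffic"
        # Remember the 5-tuple the reply will carry (directions swapped).
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def receive_in(self, pkt):
        """Packet arriving on Dialer3; returns the action taken."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "permit (inspection session)"
        for proto, dst, dport in self.inbound_acl:
            if (pkt.proto, pkt.dst, pkt.dport) == (proto, dst, dport):
                return "permit (OutsideIn)"
        return "deny (implicit deny)"


def lan_web_session(iface):
    """LAN host browsing 8.8.8.8:80, seen after NAT overload as 165.1.1.1:40000."""
    iface.send_out(Packet("tcp", "165.1.1.1", 40000, "8.8.8.8", 80))
    return iface.receive_in(Packet("tcp", "8.8.8.8", 80, "165.1.1.1", 40000))


def router_ping(iface):
    """'ping 8.8.8.8 source vlan1' issued on the router itself."""
    iface.send_out(Packet("icmp", "165.1.1.1", 0, "8.8.8.8", 0, router_generated=True))
    return iface.receive_in(Packet("icmp", "8.8.8.8", 0, "165.1.1.1", 0))


def inbound_ssh(iface):
    """Unsolicited SSH from a constructed Internet address to the outside address."""
    return iface.receive_in(Packet("tcp", "203.0.113.9", 51000, "165.1.1.1", 22))


def compare():
    """Run the three scenarios against the three configurations seen in the thread."""
    configs = {
        "acl only": OutsideInterface(OUTSIDE_IN),
        "acl + inspect out": OutsideInterface(OUTSIDE_IN, inspect_out=True),
        "acl + inspect + router-traffic": OutsideInterface(OUTSIDE_IN, True, True),
    }
    return {name: (lan_web_session(i), router_ping(i), inbound_ssh(i))
            for name, i in configs.items()}


if __name__ == "__main__":
    for name, (web, ping, ssh) in compare().items():
        print(f"{name:32s} web={web:28s} ping={ping:28s} ssh={ssh}")
```

With "acl only", return traffic for both the LAN web session and the router's ping hits the implicit deny, which is the symptom in the opening post. Adding "ip inspect fw out" opens the LAN session but still drops the ping reply, and only the "router-traffic" keyword makes the router-sourced ping succeed; the static permit for port 22 is unaffected in every case.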

Thank you Karsten,

I am not sure I understand your suggestion, so I have included the changes you have suggested below. Could you confirm this is as you have suggested, or if not, show what you are suggesting?

I will then apply and test.

ip inspect name fw tcp router-traffic
ip inspect name fw udp router-traffic
ip inspect name fw icmp router-traffic

interface Vlan1
 description Internal LAN
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452

interface Dialer3
 description ADSL Connection
 ip address 165.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip access-group OutsideIn in
 ip inspect fw out

Extended IP access list OutsideIn
    5 permit tcp any host 165.1.1.1 eq 22 (49995 matches)
    10 permit tcp any host 165.1.1.1 eq smtp (226 matches)
    20 permit tcp any host 165.1.1.1 eq whois
    30 permit tcp any host 165.1.1.1 eq www (4 matches)
    31 permit tcp host 210.1.1.1 165.1.1.1 0.0.0.255 (49609 matches)

Thank you for your response - I appreciate your assistance

I will then apply and test.

Yes, that's all you need for CBAC.

Thank you Karsten!

I have made the changes and tested and it appears to be working as required.

The addition of router-traffic to the ip inspect rules seems to have made the difference, as I believe I had actually tried all the other permutations of CBAC and reflective ACL.

I will have to read up on why omitting/adding router-traffic has made the difference.

Thank you for your assistance - it is very much appreciated!!

Hello

If you wish to keep the CBAC then:

no ip access-list extended OutsideOut

ip access-list extended OutsideIn
no 50
no 60

interface Dialer3
no ip access-group OutsideOut out
ip inspect fw out
ip access-group OutsideIn in

Basic CBAC - I would really have an ACL that denies all traffic initiated from outside (see below), but in keeping with your existing inbound ACL you are allowing some outside-initiated traffic in.

Personally I would only allow certain traffic from outside, such as a routing protocol or bootp for dynamic addressing.

ip access-list extended OutsideIn
 deny ip any any log

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp

interface Dialer3
ip inspect fw out
ip access-group OutsideIn in

res
Paul



Kind Regards
Paul