08-06-2016 12:56 AM - edited 03-08-2019 06:54 AM
When I apply the access lists to the D3 interface, inbound access is restricted correctly but the inside LAN loses Internet.
Before applying the ACL's to D3 interface
ping 8.8.8.8 sour vlan1 works
After applying
ping 8.8.8.8 sour vlan1 fails
Partial Config
interface Vlan1
description Internal LAN
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer3
description ADSL Connection
ip address 165.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip access-group OutsideIn in
ip access-group OutsideOut out
ip nat inside source list 22 interface Dialer3 overload
ip nat inside source static tcp 192.168.0.103 25 165.1.1.1 25 extendable
ip nat inside source static tcp 192.168.0.103 43 165.1.1.1 43 extendable
ip nat inside source static tcp 192.168.0.103 80 165.1.1.1 80 extendable
ip nat inside source static tcp 192.168.0.103 443 165.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.103 3389 165.1.1.1 3389 extendable
ip nat inside source static tcp 192.168.0.101 3390 165.1.1.1 3390 extendable
ip nat inside source static tcp 192.168.0.102 3389 165.1.1.1 3391 extendable
ip route 0.0.0.0 0.0.0.0 Dialer3
Extended IP access list OutsideIn
5 permit tcp any host 165.1.1.1 eq 22 (49995 matches)
10 permit tcp any host 165.1.1.1 eq smtp (226 matches)
20 permit tcp any host 165.1.1.1 eq whois
30 permit tcp any host 165.1.1.1 eq www (4 matches)
31 permit tcp host 210.1.1.1 165.1.1.1 0.0.0.255 (49609 matches)
50 permit tcp any any established (108 matches)
60 evaluate tcptraffic
#Lines 50 and 60 have been added and removed in testing with no difference
Extended IP access list OutsideOut
10 permit ip any any reflect tcptraffic (5502 matches)
#I initially did not have an out access list specified on the D3 interface
I have also added the following and tried it, with no change:
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp
interface Dialer3
ip inspect fw out
Would be very happy to find what I am missing ... please
Thank you for any assistance.
Don
08-06-2016 01:52 AM
Hello
It seems you have a mixture of a reflexive ACL and also CBAC applied.
So which one do you want to use? I am guessing it is the reflexive ACL, as you stated the CBAC was additionally added -- is this correct?
res
Paul
08-06-2016 02:28 AM
Yes you are correct.
Initially I had the reflexive ACL, and when that was not working correctly I removed it and applied CBAC, which also did not provide the desired result.
I cannot see why when the acl is applied to the dialer3 interface that it stops Internet access and I do not know how to debug this.
Appreciate you replying - any thoughts ?
08-06-2016 02:34 AM
First you should clean up the config and just focus on a correct CBAC implementation:
08-06-2016 02:59 AM
Thanks Karsten,
I have removed the OutsideOut from D3
I have removed the evaluate and established from OutsideIn
When you suggest keeping the outgoing inspection on D3, do you mean keep the OutsideIn inward inspection?
What will the router-traffic do to the CBAC inspect rules ?
At this stage, if I can just get the inward restrictions on the outside interface and still retain Internet access for the inside LAN, then I can expand the ACL as required. My main issue is that when I apply the inward ACL to D3 I lose Internet access from the inside.
Appreciate your response - any other suggestions ?
Thanks
08-06-2016 03:14 AM
When you suggest keeping the outgoing inspection on D3, do you mean keep the OutsideIn inward inspection?
No, use it in the same way as you have configured it. The inspection needs to "see" the initial packet of a connection. This can be on an internal interface in the incoming direction, or, as here, on the external interface in the outgoing direction ("ip inspect fw out").
What will the router-traffic do to the CBAC inspect rules ?
If the inspection is applied on an external interface in the outgoing direction, the keyword "router-traffic" tells the inspection to also look at traffic that is generated by the router. That could be a ping from the router, an outgoing NTP request or something like that.
My main issue is when I apply the inward ACL to D3 I lose internet access from the inside.
That is what CBAC is for: it allows all sessions that are "seen" by the inspection, even if there is a restrictive ACL on the outside.
08-06-2016 04:03 AM
Thank you Karsten,
I am not sure I understand your suggestion, so I have included the changes you have suggested below. Could you confirm this is as you have suggested or, if not, show what you are suggesting.
I will then apply and test.
ip inspect name fw tcp router-traffic
ip inspect name fw udp router-traffic
ip inspect name fw icmp router-traffic
interface Vlan1
description Internal LAN
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer3
description ADSL Connection
ip address 165.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip access-group OutsideIn in
ip inspect fw out
Extended IP access list OutsideIn
5 permit tcp any host 165.1.1.1 eq 22 (49995 matches)
10 permit tcp any host 165.1.1.1 eq smtp (226 matches)
20 permit tcp any host 165.1.1.1 eq whois
30 permit tcp any host 165.1.1.1 eq www (4 matches)
31 permit tcp host 210.1.1.1 165.1.1.1 0.0.0.255 (49609 matches)
Thank you for your response - I appreciate your assistance
08-06-2016 04:12 AM
I will then apply and test.
Yes, that's all you need for CBAC.
08-06-2016 06:15 AM
Thank you Karsten!
I have made the changes and tested and it appears to be working as required.
The addition of router-traffic to the ip inspect seems to have made the difference, as I believe I had actually tried all the other permutations of CBAC and reflexive ACL.
I will have to read up on why omitting/adding router-traffic has made the difference.
Thank you for your assistance - it is very much appreciated!!
08-06-2016 04:22 AM
Hello
If you wish to keep the CBAC then:
no ip access-list extended OutsideOut
ip access-list extended OutsideIn
no 50
no 60
interface Dialer3
no ip access-group OutsideOut out
ip inspect fw out
ip access-group OutsideIn in
Basic CBAC - I would really have an ACL that denies all traffic initiated from outside (see below), but in keeping with your existing inbound ACL you are allowing some outside-initiated traffic in.
Personally I would only allow certain traffic from outside, such as routing protocols or BOOTP for dynamic addressing.
IP access-list extended OutsideIn
deny ip any any log
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp
interface Dialer3
ip inspect fw out
ip access-group OutsideIn in
res
Paul
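The mechanism Karsten describes above (the inspection has to see the first packet of a session on its way out, and "router-traffic" extends that to packets the router itself generates) and the deny-all-inbound shape Paul sketches are easier to reason about as a small state machine. The Python below is an added illustration by the editor, not IOS code and not anything posted in the thread; it models the OutsideIn ACL plus a CBAC-style session table on Dialer3. Assumptions: packets are modelled after NAT, carrying the Dialer3 address 165.1.1.1 (which is what the inbound ACL in the thread matches); CBAC's dynamic openings are checked ahead of the static OutsideIn entries; the outside addresses 203.0.113.10 and 198.51.100.7 and the source port 50001 are constructed.

```python
"""Toy model of the thread's setup: a static inbound ACL on the outside
(Dialer3) interface plus optional CBAC inspection applied outbound on it.
Editor-added illustration only; not IOS code, and every packet is constructed."""
from dataclasses import dataclass, field

OUTSIDE_IP = "165.1.1.1"      # Dialer3 address from the thread
TRUSTED_PEER = "210.1.1.1"    # line 31 of the thread's OutsideIn ACL


@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # TCP ACK bit; the 'established' keyword matches ACK or RST


def outside_in_acl(p: Pkt, established: bool = False) -> bool:
    """The thread's OutsideIn ACL (lines 5-31) with its implicit deny.
    established=True keeps line 50, 'permit tcp any any established'."""
    if p.proto == "tcp" and p.dst == OUTSIDE_IP and p.dport in (22, 25, 43, 80):
        return True
    if p.proto == "tcp" and p.src == TRUSTED_PEER and p.dst.startswith("165.1.1."):
        return True
    if established and p.proto == "tcp" and p.ack:
        return True
    return False


def session_key(p: Pkt):
    """Identity of an inspected session; ICMP has no ports, so only the
    address pair is tracked (simplification of how CBAC pairs echo/reply)."""
    ports = (p.sport, p.dport) if p.proto != "icmp" else (0, 0)
    return (p.proto, p.src, p.dst) + ports


@dataclass
class Router:
    inspect: frozenset = frozenset()   # protocols in 'ip inspect name fw ...'
    router_traffic: bool = False       # the 'router-traffic' keyword
    established: bool = False          # whether ACL line 50 is present
    sessions: set = field(default_factory=set)

    def send_out(self, p: Pkt, from_router: bool = False) -> None:
        """Packet leaving Dialer3 (assumed already NATed to OUTSIDE_IP).
        'ip inspect fw out' records the session here. Packets generated by the
        router itself are only inspected when router-traffic is configured."""
        if p.proto not in self.inspect:
            return
        if from_router and not self.router_traffic:
            return
        self.sessions.add(session_key(p))

    def receive_in(self, p: Pkt) -> bool:
        """Packet arriving on Dialer3. A matching inspected session opens the
        return path ahead of the static ACL; otherwise OutsideIn decides."""
        reverse = Pkt(p.proto, p.dst, p.dport, p.src, p.sport)
        if session_key(reverse) in self.sessions:
            return True
        return outside_in_acl(p, self.established)


# ---- scenarios from the thread (outside addresses are constructed) ----
def lan_https(r: Router) -> bool:
    """Inside host browsing out: does the server's SYN-ACK get back in?"""
    r.send_out(Pkt("tcp", OUTSIDE_IP, 50001, "203.0.113.10", 443))
    return r.receive_in(Pkt("tcp", "203.0.113.10", 443, OUTSIDE_IP, 50001, ack=True))


def router_ping(r: Router) -> bool:
    """'ping 8.8.8.8 source vlan1' issued on the router itself."""
    r.send_out(Pkt("icmp", OUTSIDE_IP, 0, "8.8.8.8", 0), from_router=True)
    return r.receive_in(Pkt("icmp", "8.8.8.8", 0, OUTSIDE_IP, 0))


def unsolicited_rdp(r: Router) -> bool:
    """Outside host knocking on the RDP port forward with no prior session."""
    return r.receive_in(Pkt("tcp", "198.51.100.7", 41000, OUTSIDE_IP, 3389))


ALL = frozenset({"tcp", "udp", "icmp"})

if __name__ == "__main__":
    print("no inspection, no established:", lan_https(Router()), router_ping(Router()))
    print("inspection without router-traffic:",
          lan_https(Router(inspect=ALL)), router_ping(Router(inspect=ALL)))
    fixed = Router(inspect=ALL, router_traffic=True)
    print("inspection with router-traffic:", lan_https(fixed), router_ping(fixed),
          "unsolicited RDP:", unsolicited_rdp(fixed))
```

Walking the model through the settings the thread went through: with no inspection and no "established" line, the SYN-ACK of an inside-initiated session hits the implicit deny, which is the original symptom. Keeping line 50 lets TCP return traffic in but does nothing for an ICMP echo reply, so a ping-based test still fails in this model. Inspection without router-traffic covers sessions from LAN hosts but not a ping sourced from the router itself; with router-traffic both work, while an unsolicited connection to the forwarded RDP port is still denied by the static ACL.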