05-02-2014 12:05 PM
Hi, I know this question is probably very common, but I am still having issues with understanding ACLs.
I've read so much documentation, but it's not helping me understand or apply the knowledge to my situation.
Basically, I have configured a new Cisco 891 router with a number of VPNs connected and a couple of inbound rules to allow RDP and SQL traffic to 2 servers on my LAN. To do this I have created ACL 130 and matched it to the inbound direction of the WAN interface. The confusion is that I would really like the last default rule to be a "deny any any" rule for security, but no matter what I do, even if I create a specific permit rule for web traffic and DNS, if I change the last rule to "deny any to any" all my internet connectivity stops working: apart from my traffic over the VPN, I cannot browse, resolve or ping anything on the internet.
Here is my config. If anyone can advise me how to ensure my Cisco 891 firewall is secure I would be grateful. (PS: I've given up trying to use the ZBF, as this created even more issues, and I am now only using the CLI.)
Building configuration...
Current configuration : 9409 bytes
!
! Last configuration change at 20:53:43 PCTime Mon Apr 28 2014 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LBHCIS891DATA1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200 errors
logging console critical
enable secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
enable password 7 08331D1F074D031A39
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication enable default enable
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3955790181
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3955790181
revocation-check none
rsakeypair TP-self-signed-3955790181
!
crypto pki trustpoint TP-self-signed-3612796534
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3612796534
revocation-check none
rsakeypair TP-self-signed-3612796534
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-1280197465
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1280197465
revocation-check none
rsakeypair TP-self-signed-1280197465
!
!
crypto pki certificate chain TP-self-signed-3955790181
crypto pki certificate chain TP-self-signed-3612796534
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-1280197465
vlan ifdescr detail
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
!
!
!
no ip bootp server
ip domain name <Internal domain name>
ip name-server 8.8.8.8
ip name-server 172.24.4.13
ip name-server 172.24.16.13
ip name-server 172.24.16.15
ip inspect log drop-pkt
login block-for 5 attempts 10 within 5
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn FCZ1813C2XL
!
!
username admin privilege 15 secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto logging ezvpn
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key ******************* address (PEER IP)
crypto isakmp keepalive 10 5
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ADAPTVPN esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile ADAPT_IPSEC_POLICY
set transform-set ADAPTVPN
!
!
!
crypto map ADAPTVPN 200 ipsec-isakmp
set peer <<VPN PEER IP>
set transform-set ADAPTVPN
match address VPNSITE
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description VLAN 1 Trunk port
switchport mode trunk
no ip address
!
interface FastEthernet1
description VLan 1 Access port
no ip address
!
interface FastEthernet2
description Vlan 1 Access port
no ip address
!
interface FastEthernet3
description Vlan 1 Access port
no ip address
!
interface FastEthernet4
description Vlan 1 Access port
no ip address
!
interface FastEthernet5
description Vlan 1 Access port
no ip address
!
interface FastEthernet6
description VLAN 50 access port
switchport access vlan 50
no ip address
!
interface FastEthernet7
description VLAN50 trunk port
switchport access vlan 50
switchport trunk native vlan 50
switchport mode trunk
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description WAN 1 interface for LBHETH-WAN$$ETH-WAN$
ip address <Wan int Public IP add> 255.255.255.192
ip access-group 130 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map ADAPTVPN
!
interface Vlan1
description $FW_INSIDE$
ip address 172.24.16.241 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan50
description $FW_INSIDE$
ip address 172.17.116.241 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 10000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source static tcp 172.24.16.19 1433 <Wan int Public IP add> 1433 extendable
ip nat inside source static tcp 172.24.16.25 3389 <Wan int Public IP add> 3389 extendable
ip route 0.0.0.0 0.0.0.0 <Wan int Gateway>
!
ip access-list extended VPNSITE
remark CCP_ACL Category=5
remark access all sites
permit ip 172.24.16.0 0.0.3.255 172.24.0.0 0.0.255.255
remark voip
permit ip 172.24.16.0 0.0.3.255 172.17.0.0 0.0.255.255
remark webmail
permit ip 172.24.16.0 0.0.3.255 192.168.102.0 0.0.0.255
remark a cloud
permit ip 172.24.16.0 0.0.3.255 192.168.25.0 0.0.0.255
remark a cloud test
permit ip 172.24.16.0 0.0.3.255 192.168.26.0 0.0.0.255
remark a cloud public
permit ip 172.24.16.0 0.0.3.255 192.168.27.0 0.0.0.255
remark voip
permit ip 172.17.116.0 0.0.0.255 172.17.0.0 0.0.255.255
permit ip 172.17.116.0 0.0.0.255 172.24.0.0 0.0.255.255
!
ip sla auto discovery
logging trap debugging
logging facility local2
logging host 172.24.4.51
access-list 102 remark CCP_ACL Category=2
access-list 102 remark acloud public
access-list 102 deny ip 172.24.16.0 0.0.3.255 192.168.27.0 0.0.0.255
access-list 102 remark acloud test
access-list 102 deny ip 172.24.16.0 0.0.3.255 192.168.26.0 0.0.0.255
access-list 102 remark acloud
access-list 102 deny ip 172.24.16.0 0.0.3.255 192.168.25.0 0.0.0.255
access-list 102 remark oa.accessnet.co.uk
access-list 102 deny ip 172.24.16.0 0.0.3.255 192.168.102.0 0.0.0.255
access-list 102 remark voip
access-list 102 deny ip 172.24.16.0 0.0.3.255 172.17.0.0 0.0.255.255
access-list 102 remark access all sites
access-list 102 deny ip 172.24.16.0 0.0.3.255 172.24.0.0 0.0.255.255
access-list 102 remark voip
access-list 102 deny ip 172.17.116.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 remark access all sites
access-list 102 deny ip 172.17.116.0 0.0.0.255 172.24.0.0 0.0.255.255
access-list 102 permit ip 172.24.16.0 0.0.3.255 any
access-list 102 permit ip 172.17.116.0 0.0.0.255 any
access-list 130 remark EXT_ACL
access-list 130 permit ip 172.24.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 130 remark voip
access-list 130 permit ip 172.17.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 130 remark acloud public
access-list 130 permit ip 192.168.27.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark acloud test
access-list 130 permit ip 192.168.26.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark acloud
access-list 130 permit ip 192.168.25.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark oa.accessnet.co.uk
access-list 130 permit ip 192.168.102.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark voip
access-list 130 permit ip 172.17.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 130 remark access all sites
access-list 130 permit ip 172.24.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 130 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq non500-isakmp
access-list 130 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq isakmp
access-list 130 permit esp host <VPN PEER IP> host <Wan int Public IP add>
access-list 130 permit ahp host <VPN PEER IP> host <Wan int Public IP add>
access-list 130 permit tcp host <a webserver> host <Wan int Public IP add> eq 1433 log
access-list 130 permit tcp any host <Wan int Public IP add> eq 3389 log
access-list 130 permit ip host <a Public Ip I need> host <Wan int Public IP add>
access-list 130 permit tcp any host <Wan int Public IP add> eq www
access-list 130 permit tcp any host <Wan int Public IP add> eq 443
access-list 130 permit tcp any host <Wan int Public IP add> eq domain
access-list 130 deny tcp any host <Wan int Public IP add> eq 1433
access-list 130 permit icmp any host <Wan int Public IP add>
access-list 130 permit ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
login authentication local_auth
transport output telnet
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 30 0
privilege level 15
password 7 09554B1A
transport preferred ssh
transport input ssh
transport output ssh
!
scheduler interval 500
ntp update-calendar
ntp server 0.uk.pool.ntp.org
!
end
05-03-2014 01:38 AM
You need a firewall config that allows the return traffic:
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
int gig0
 ip inspect FW out
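To show how the answer above fits together with the original ACL, here is an added, worked configuration (it is not from either post): the CBAC inspection applied outbound on GigabitEthernet0, and the WAN ACL rebuilt so that it can end with an explicit deny. It is built as a new ACL 131 and then swapped onto the interface, so there is never a moment with no ACL applied (removing numbered ACL 130 while it is still referenced would leave the interface open until the list is re-created). The `<...>` placeholders are the same ones the original post uses; the ACL number 131 and the remark text are this example's own choices.

```cisco
! Added example, not from the original thread.
!
! 1. Stateful inspection of sessions leaving the WAN side. When a LAN host (or
!    the router itself, via "router-traffic": its DNS lookups to 8.8.8.8, NTP,
!    pings from the CLI) opens a session, CBAC creates a temporary entry that
!    lets the matching reply packets through the inbound ACL.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
!
! 2. Inbound WAN ACL: only traffic that is legitimately initiated from the
!    Internet side is permitted statically; everything else is denied and logged.
access-list 131 remark EXT_ACL
access-list 131 remark site-to-site VPN subnets (kept exactly as in the original ACL 130)
access-list 131 permit ip 172.24.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 131 permit ip 172.17.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 131 permit ip 192.168.27.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 131 permit ip 192.168.26.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 131 permit ip 192.168.25.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 131 permit ip 192.168.102.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 131 permit ip 172.17.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 131 permit ip 172.24.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 131 remark IKE and IPsec, from the configured VPN peer only
access-list 131 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq non500-isakmp
access-list 131 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq isakmp
access-list 131 permit esp host <VPN PEER IP> host <Wan int Public IP add>
access-list 131 permit ahp host <VPN PEER IP> host <Wan int Public IP add>
access-list 131 remark published services (static NAT to 172.24.16.19 and 172.24.16.25)
access-list 131 permit tcp host <a webserver> host <Wan int Public IP add> eq 1433 log
access-list 131 permit tcp any host <Wan int Public IP add> eq 3389 log
access-list 131 permit ip host <a Public Ip I need> host <Wan int Public IP add>
access-list 131 remark ICMP errors needed for path-MTU discovery and traceroute;
access-list 131 remark echo replies to LAN pings are admitted by the icmp inspection
access-list 131 permit icmp any host <Wan int Public IP add> unreachable
access-list 131 permit icmp any host <Wan int Public IP add> time-exceeded
access-list 131 deny ip any any log
!
! 3. Inspection goes outbound on the WAN interface; the ACL stays inbound.
!    Swapping the access-group replaces 130 with 131 in one step.
interface GigabitEthernet0
 ip inspect FW out
 ip access-group 131 in
!
! 4. Checks after the change, while a LAN host browses:
!    show ip inspect sessions        (dynamic entries for the open sessions)
!    show ip access-lists 131        (the final deny's counter should grow only
!                                     for unsolicited traffic)
!    show logging | include IPACCESSLOGP   (what that deny is dropping, and why)
```

Two things the original ACL got wrong are deliberately not carried over. The `permit tcp any host <Wan int Public IP add> eq www`, `eq 443` and `eq domain` lines never matched return traffic (replies to a LAN browser arrive from source port 80/443/53 to a high destination port, which is what the inspection entries cover); what they actually permitted was connections from anywhere on the Internet to the router's own management web service, which `ip http server` and `ip http secure-server` enable, so dropping them tightens the box rather than breaking browsing. The blanket `permit icmp any` is narrowed to the two error types that stateless filtering genuinely needs. The `permit tcp any ... eq 3389` rule is kept as the original has it, but it admits RDP from any source; restricting it to known source addresses, the way the 1433 rule already does, is the obvious next step. Once `show ip access-lists 131` confirms the expected counters, `no access-list 130` cleans up the old list.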