Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
463
Views
0
Helpful
1
Replies

problems with external ACL rules

JMaartenW
Level 1
Level 1

‎05-02-2014 12:05 PM

Hi, I know this question is probably very common but I am still having issues with understanding ACL's

I've  read so much documentation but its not helping me understand or apply the knowledge to my situation.

 

basically I have configured a new CISCO 891 router with a number of VPN's connected and a couple of inbound rules to allow rdp and sql traffic to 2 servers on my LAN. to do this I have created ACL 130 and matched it to the inbound  direction of the WAN interface. the confusion is that I would really like the last default rule to be a "deny any any" rule for security. but no matter what I do, even if I create a specific permit rule for web traffic and DNS if I change the last rule to "deny any to any" all my internet connectivity stops working apart from my traffic over the VPN I cannot browse or resolve or ping anything on the internet.

 

here is my config if anyone can advise me how to ensure my Cisco891 firewall is secure I would be grateful. (PS I've given up trying to use the ZBF as this created even more issues and now only using CLI)

Building configuration...

Current configuration : 9409 bytes
!
! Last configuration change at 20:53:43 PCTime Mon Apr 28 2014 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LBHCIS891DATA1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200 errors
logging console critical
enable secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
enable password 7 08331D1F074D031A39
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication enable default enable
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3955790181
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3955790181
 revocation-check none
 rsakeypair TP-self-signed-3955790181
!
crypto pki trustpoint TP-self-signed-3612796534
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3612796534
 revocation-check none
 rsakeypair TP-self-signed-3612796534
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-1280197465
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1280197465
 revocation-check none
 rsakeypair TP-self-signed-1280197465
!
!
crypto pki certificate chain TP-self-signed-3955790181
crypto pki certificate chain TP-self-signed-3612796534
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-1280197465
vlan ifdescr detail
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!


!
!
!
!
no ip bootp server
ip domain name <Internal domain name>
ip name-server 8.8.8.8
ip name-server 172.24.4.13
ip name-server 172.24.16.13
ip name-server 172.24.16.15
ip inspect log drop-pkt
login block-for 5 attempts 10 within 5
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
 spoofed-acker off
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn FCZ1813C2XL
!
!
username admin privilege 15 secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto logging ezvpn
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******************* address (PEER IP)
crypto isakmp keepalive 10 5
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ADAPTVPN esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ADAPT_IPSEC_POLICY
 set transform-set ADAPTVPN
!
!
!
crypto map ADAPTVPN 200 ipsec-isakmp
 set peer <<VPN PEER IP>
 set transform-set ADAPTVPN
 match address VPNSITE
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description VLAN 1 Trunk port
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 description VLan 1 Access port
 no ip address
!
interface FastEthernet2
 description Vlan 1 Access port
 no ip address
!
interface FastEthernet3
 description Vlan 1 Access port
 no ip address
!
interface FastEthernet4
 description Vlan 1 Access port
 no ip address
!
interface FastEthernet5
 description Vlan 1 Access port
 no ip address
!
interface FastEthernet6
 description VLAN 50 access port
 switchport access vlan 50
 no ip address
!
interface FastEthernet7
 description VLAN50 trunk port
 switchport access vlan 50
 switchport trunk native vlan 50
 switchport mode trunk
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description WAN 1 interface for LBHETH-WAN$$ETH-WAN$
 ip address <Wan int Public IP add> 255.255.255.192
 ip access-group 130 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map ADAPTVPN
!
interface Vlan1
 description $FW_INSIDE$
 ip address 172.24.16.241 255.255.252.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan50
 description $FW_INSIDE$
 ip address 172.17.116.241 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 10000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source static tcp 172.24.16.19 1433 <Wan int Public IP add> 1433 extendable
ip nat inside source static tcp 172.24.16.25 3389 <Wan int Public IP add> 3389 extendable
ip route 0.0.0.0 0.0.0.0 <Wan int Gateway>
!
ip access-list extended VPNSITE
 remark CCP_ACL Category=5
 remark access all sites
 permit ip 172.24.16.0 0.0.3.255 172.24.0.0 0.0.255.255
 remark voip
 permit ip 172.24.16.0 0.0.3.255 172.17.0.0 0.0.255.255
 remark webmail
 permit ip 172.24.16.0 0.0.3.255 192.168.102.0 0.0.0.255
 remark a cloud
 permit ip 172.24.16.0 0.0.3.255 192.168.25.0 0.0.0.255
 remark a cloud test
 permit ip 172.24.16.0 0.0.3.255 192.168.26.0 0.0.0.255
 remark a cloud public
 permit ip 172.24.16.0 0.0.3.255 192.168.27.0 0.0.0.255
 remark voip
 permit ip 172.17.116.0 0.0.0.255 172.17.0.0 0.0.255.255
 permit ip 172.17.116.0 0.0.0.255 172.24.0.0 0.0.255.255
!
ip sla auto discovery
logging trap debugging
logging facility local2
logging host 172.24.4.51
access-list 102 remark CCP_ACL Category=2
access-list 102 remark acloud public
access-list 102 deny   ip 172.24.16.0 0.0.3.255 192.168.27.0 0.0.0.255
access-list 102 remark acloud test
access-list 102 deny   ip 172.24.16.0 0.0.3.255 192.168.26.0 0.0.0.255
access-list 102 remark acloud
access-list 102 deny   ip 172.24.16.0 0.0.3.255 192.168.25.0 0.0.0.255
access-list 102 remark oa.accessnet.co.uk
access-list 102 deny   ip 172.24.16.0 0.0.3.255 192.168.102.0 0.0.0.255
access-list 102 remark voip
access-list 102 deny   ip 172.24.16.0 0.0.3.255 172.17.0.0 0.0.255.255
access-list 102 remark access all sites
access-list 102 deny   ip 172.24.16.0 0.0.3.255 172.24.0.0 0.0.255.255
access-list 102 remark voip
access-list 102 deny   ip 172.17.116.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 remark access all sites
access-list 102 deny   ip 172.17.116.0 0.0.0.255 172.24.0.0 0.0.255.255
access-list 102 permit ip 172.24.16.0 0.0.3.255 any
access-list 102 permit ip 172.17.116.0 0.0.0.255 any
access-list 130 remark EXT_ACL
access-list 130 permit ip 172.24.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 130 remark voip
access-list 130 permit ip 172.17.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 130 remark acloud public
access-list 130 permit ip 192.168.27.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark acloud test
access-list 130 permit ip 192.168.26.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark acloud
access-list 130 permit ip 192.168.25.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark oa.accessnet.co.uk
access-list 130 permit ip 192.168.102.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark voip
access-list 130 permit ip 172.17.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 130 remark access all sites
access-list 130 permit ip 172.24.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 130 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq non500-isakmp
access-list 130 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq isakmp
access-list 130 permit esp host <VPN PEER IP> host <Wan int Public IP add>
access-list 130 permit ahp host <VPN PEER IP> host <Wan int Public IP add>
access-list 130 permit tcp host <a webserver> host <Wan int Public IP add> eq 1433 log
access-list 130 permit tcp any host <Wan int Public IP add> eq 3389 log
access-list 130 permit ip host <a Public Ip I need> host <Wan int Public IP add>
access-list 130 permit tcp any host <Wan int Public IP add> eq www
access-list 130 permit tcp any host <Wan int Public IP add> eq 443
access-list 130 permit tcp any host <Wan int Public IP add> eq domain
access-list 130 deny   tcp any host <Wan int Public IP add> eq 1433
access-list 130 permit icmp any host <Wan int Public IP add>
access-list 130 permit ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 login authentication local_auth
 transport output telnet
line 1
 modem InOut
 speed 115200
 flowcontrol hardware
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 password 7 09554B1A
 transport preferred ssh
 transport input ssh
 transport output ssh
!
scheduler interval 500
ntp update-calendar
ntp server 0.uk.pool.ntp.org
!
end

Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎05-03-2014 01:38 AM

You need a firewall-config that allows the return-traffic:

 

ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
int gig0
  ip inspect FW out

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents