Question

Cisco Router CBAC & PPTP

Asked by: MrPrince

Hi,

I'm having problems configuring CBAC on a Cisco 871 router running 12.4(22)T. I'm getting traffic in and out of the box, but certain protocols don't seem to work, specifically PPTP and ICMP. Below are the pertinent parts of my config:

ip inspect name Global_IE tcp
ip inspect name Global_IE udp
ip inspect name Global_IE icmp
ip inspect name Global_IE pptp
!
interface Vlan10
 ip address 172.16.0.1 255.255.255.252
 ip access-group Vestibule_Outbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet4
 ip address dhcp
 ip access-group Inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip ips Global_IPS in
 ip ips Global_IPS out
 ip inspect Global_IE out
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip access-list extended Vestibule_Outbound
 permit ip any any
 deny   ip any any log
!
ip access-list extended Inbound
 remark Permit DHCP
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!


My understanding of the above configuration is that:

1. PPTP traffic is allowed by the Vestibule_Outbound ACL inbound to VLAN 10
2. The traffic leaves the fa4 interface since no Outbound ACL is applied.
3. CBAC opens a temporary ACE at the top of the Inbound ACL to allow the return traffic (GRE)

If I let SDM do the configuration I end up with an ACE of permit tcp any any eq gre on the Inbound ACL. The same for ICMP & NTP. Although this works, doesn't this simply open up a hole in the network? Isn't CBAC supposed to allow return traffic dynamically rather than having a specific ACE? I'm having the same problem with ICMP too.

Can anyone explain the processing rules that CBAC uses? I've read conflicting statements that CBAC:

1. First checks the traffic against an ACL then inspects it, if configured to, and finally amends the corresponding ACL to allow the return traffic.

2. Inspects the traffic first then amends the corresponding ACL to allow the return traffic.

I'm confused. What is the correct way to accomplish this?

Thanks.

This question has been solved and asker verified.

Asked On: 2009-07-01 at 16:32:56 (ID 24538222)
Tags: Cisco Router, CBAC, PPTP, ACL, Firewall
Topic: Network Routers
Participating Experts: 1
Points: 150
Comments: 6


Answers

 

by: asavener, posted on 2009-07-01 at 22:11:55 (ID: 24760587)

That's the way it is supposed to work, but CBAC has problems with connectionless protocols like UDP and GRE (in my experience).

Allowing GRE in is not much of a security risk, because by definition, it is an encapsulation protocol.  Something on the inside of your network has to decapsulate it.

I would use the GRE keyword, though:  permit gre any any

Similarly, I've had to add ACL entries similar to:

deny icmp any any redirect
deny icmp any any timestamp-request
deny icmp any any echo
permit icmp any any

(Alternately, you can add permit statements for echo-reply, time exceeded, administratively prohibited, etc.)

 

by: asavener, posted on 2009-07-01 at 22:13:28 (ID: 24760594)

I'll also note that PPTP first uses a TCP connection on port 1723 and then the GRE encapsulation.  The "ip inspect name <name> pptp" might focus primarily on the TCP session.

 

by: asavener, posted on 2009-07-01 at 22:14:35 (ID: 24760599)

Final note: I've had to put explicit access list entries in for DNS and SNTP as well.
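Pulling the three replies above together, here is an added example of the Inbound ACL and inspect rules for this design. It is an illustration written for this page, not the poster's running config and not something asavener posted. It assumes the remote PPTP server is 203.0.113.10 (an RFC 5737 documentation address used as a placeholder) so that the static GRE hole is scoped to one host rather than to any. GRE is IP protocol 47, not a TCP port, so the ACE has to be a plain permit gre; a permit tcp ... eq gre line does not match GRE at all. CBAC's icmp inspection is designed to admit echo-reply, unreachable and time-exceeded only in response to echo requests it saw leave, and udp inspection is designed to admit DNS and SNTP replies for queries it saw leave, so the static ICMP permits below are a fallback; check with show ip inspect sessions whether inspection is actually creating sessions before leaving them in.

```cisco
! Added example, not from the original thread.
! Assumes the remote PPTP server is 203.0.113.10 (placeholder address).
!
! Inspection is applied outbound on the outside interface; the dynamic
! return entries CBAC creates are evaluated before the static ACEs of
! the inbound ACL on that same interface.
ip inspect name Global_IE tcp
ip inspect name Global_IE udp
ip inspect name Global_IE icmp
ip inspect name Global_IE pptp
!
interface FastEthernet4
 ip access-group Inbound in
 ip inspect Global_IE out
!
ip access-list extended Inbound
 remark DHCP lease for the dynamic WAN address
 permit udp any eq bootps any eq bootpc
 remark GRE is IP protocol 47, not a TCP port: never "permit tcp ... eq gre"
 remark Scope the static GRE hole to the known PPTP server, not "any"
 permit gre host 203.0.113.10 any
 remark ICMP the router should never accept from outside
 deny   icmp any any redirect
 deny   icmp any any timestamp-request
 deny   icmp any any mask-request
 deny   icmp any any echo
 remark Fallback only: icmp inspection should open these per session
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
!
! Verify what inspection opens before keeping any static fallback:
!   show ip inspect sessions detail
!   show ip inspect config
!   show ip access-lists Inbound
```

The order inside the ACL matters: the static permits must sit above the final deny ip any any log, and the ICMP denies must precede the ICMP permits. If show ip inspect sessions detail lists an ICMP session while an outbound ping is running, the three fallback permit icmp lines can be removed; if it lists a PPTP session but the GRE data channel still fails, that is the connectionless case the replies above describe, and the scoped permit gre line is the compromise.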

 

by: MrPrince, posted on 2009-07-01 at 22:35:20 (ID: 24760691)

Oh OK, so it's working as well as is to be expected then. In the end I added the ACE for the GRE tunnel; I know the IP is genuine so it's not a massive security risk. Can you recommend any good protocol timeouts by any chance? I don't know the best practices on those.

Cheers.

 

by: asavener, posted on 2009-07-02 at 05:48:36 (ID: 24762679)

Generally, I've used the defaults unless I had a particular reason to adjust them.  (For example, some clients have applications that they leave open but inactive, and the idle timeout will cause them to have to reconnect; in those cases I've increased the idle timeout.  In another case, they were getting flooded by SYN packets; I reduced the half-open timeout as well as using the half-open connection limits.)
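As an added example of the knobs the reply above refers to (idle timeouts, the half-open timeout and the half-open connection limits), the CBAC global timers and thresholds are shown below with the IOS defaults noted in comments. This is not configuration from the thread; the non-default values are illustrative choices for a small edge router, not recommendations for any particular network, and the defaults are the right starting point unless monitoring shows a reason to move them.

```cisco
! Added example, not from the original thread. Values other than the
! defaults in the comments are illustrative tuning choices.
!
! Idle timeouts (defaults: tcp 3600 s, udp 30 s, dns 5 s).
! Raise the TCP idle time when idle-but-open client sessions get cut.
ip inspect tcp idle-time 7200
ip inspect udp idle-time 60
ip inspect dns-timeout 5
!
! Half-open (embryonic) TCP sessions (defaults: synwait 30 s, finwait 5 s).
! A shorter synwait frees state faster under a SYN flood.
ip inspect tcp synwait-time 15
ip inspect tcp finwait-time 5
!
! Global half-open thresholds: above "high" CBAC deletes the oldest
! half-open sessions until the count is back below "low"
! (defaults: high 500, low 400).
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
!
! Same idea measured as new half-open sessions per minute
! (defaults: high 500, low 400).
ip inspect one-minute high 400
ip inspect one-minute low 300
!
! Per-destination-host limit (default: 50, block-time 0).
! block-time 0 drops the oldest half-open session to that host;
! a non-zero value blocks new connections to that host for N minutes.
ip inspect tcp max-incomplete host 40 block-time 1
!
! Log session creation/deletion while tuning, then turn it off:
ip inspect audit-trail
!
! Watch the counters to see whether any threshold is being hit:
!   show ip inspect statistics
!   show ip inspect config
```

The global half-open thresholds protect the router's own inspection table; the per-host limit is what shields a single inside server from a targeted SYN flood, so the two are set independently. Leave audit-trail on only while tuning, since it logs every session.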

 

by: MrPrince, posted on 2009-07-02 at 15:38:30 (ID: 24768444)

Thanks.
