Solved

Help with CBAC Config

Posted on 2005-03-13
Medium Priority
930 Views
Last Modified: 2008-01-09
I cannot connect remotely to any Windows 2000 Terminal Servers. However, unfortunately I am not familiar with Cisco routers.  The router was installed and configured by our ISP.

I don't know anything about how CBAC works, but the only way that I can access those terminal services from the outside is by removing the ip inspect command. However, when I do this I am also effectively interrupting Internet access for all the servers and workstations on the LAN!
Any help is really appreciated.
Thanks,
+++++++++++++++++++++++++++++++++++++++++++++

Current configuration : 4281 bytes
!
! Last configuration change at 22:15:15 UTC Sat Oct 2 2004
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging

!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip inspect dns-timeout 30
ip inspect name myfw cuseeme
ip inspect name myfw rcmd
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw tftp
ip inspect name myfw smtp
ip inspect name myfw realaudio
ip inspect name myfw h323
ip inspect name myfw ftp
ip inspect name myfw http
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw sqlnet
!
ip audit notify log
ip audit po max-events 100
ip name-server 65.b.c.179
ip name-server 65.b.c.198
no ftp-server write-enable
!
!
!
interface FastEthernet0
 description << Local Lan Network >>
 ip address 172.16.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 speed auto
 no cdp enable
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 65.b.c.50 255.255.255.252
 ip access-group 100 in
 ip nat outside
 ip inspect myfw out
 frame-relay interface-dlci 16
!
ip nat pool SBC a.b.c.97 a.b.c.98 netmask 255.255.255.248
ip nat inside source list 1 pool SBC overload
ip nat inside source static 172.16.1.3 65.b.c.100 extendable
ip nat inside source static 172.16.1.7 65.b.c.99 extendable
ip nat inside source static 172.16.1.11 65.b.c.101 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 65.b.c.49
no ip http server
no ip http secure-server
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit ipinip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any any eq ntp
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 7070
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq telnet
access-list 100 permit gre any any
access-list 100 permit tcp any any eq 8025
access-list 100 permit udp any any eq 25
access-list 100 permit tcp any any eq 3389
access-list 100 permit udp any any eq 80
access-list 100 permit tcp any host 172.16.1.3 eq 3389
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 139
access-list 102 deny   tcp any any eq finger
access-list 102 remark block all netbios to the internet
access-list 102 permit ip any any

!
line con 0
line aux 0
line vty 0 4
 password 7 0832414D360D001B1C0E18
 login
!
!
end
+++++++++++++++++++++++++++++++++++++++++++++
Question by:manthax
23 Comments
 
LVL 3

Expert Comment

by:j3ggs
ID: 13534694
Hi  manthax,

It's interesting that you have to remove the command for t/s to work. I say this because, from the outside coming in, it does not look like your router is inspecting any traffic through its f/w engine.

You should have "ip inspect myfw in"  on your ser0.1 interface. This would make CBAC inspect the traffic.

The way CBAC works is that any traffic flowing in to or out of an interface gets checked by the ACL on the interface first; if it is permitted by the ACL, then CBAC will inspect it PROVIDING there is an inspect rule there as well (and it matches an inspect rule definition; your inspects cover cuseeme, rcmd... TCP... UDP, so in fact it is generically inspecting all TCP/UDP traffic).

So if I am on the outside of your network (as I am!), I could connect to any of the ports defined in your ACL 100 to any host on your network (as there is no layer 3 info), however as you are using NAT, I can only do it to the 3 hosts you have specified.

So, that would mean it could be the return traffic going from your server to the outside world that is being dropped by your inspection rule? I have pasted this config on to my router, and it seems to work fine (though it looks like you have a 1700 and I am using a 2600, though there should be NO difference in the way it works).... There is definitely no CBAC session created if I do a telnet to my device "behind" the firewall. To make CBAC inspect my incoming telnet traffic I have to add "ip inspect myfw in" to the serial interface.... To confirm this, I do a "show ip inspect session" and voila, I have the session there (as opposed to pre-command when there is no session). You should have lots of sessions if you have people browsing, so you would need to pinpoint the exact session by:

sho ip inspect sessions  | inc 172.16.1.3

Sorry, I know this has not answered your question, you can try to add the inspect rule inbound as well to see if this makes any difference. As I say, mine works fine with telnet (have you tried any other services - i.e. is there a web server that works perhaps?).

Also, just a note, your netbios isn't blocked outbound as most netbios stuff is UDP not TCP; those ports in ACL 102 should have the UDP equivalents as well.

regards

j3ggs





Author Comment

by:manthax
ID: 13536773
Hello j3ggs ,

Thanks for your reply.  I have tried the "IP inspect myfw in" on the serial interface as you suggested, but I couldn't connect to the TS servers and also lost Internet connection on the LAN.  I've also removed the access-lists from both interfaces but still nothing :-(

All I am trying to do is to open those Terminal Servers so that I can administer remotely.  Also my boss wants me to install and configure a Citrix server as well, so I need to have those ports open as well. The only services running right now are for RDP. I don't have a web server or FTP. I also did a sho ip inspect sessions | inc 172.16.1.3 and all it shows are entries for other ports not related to RDP.

Any more ideas?

Your help is really appreciated!



Author Comment

by:manthax
ID: 13537088
Hello j3ggs,
Please disregard my previous comment. I guess just like my end-users I wasn't patient enough to see that without the access-lists and without the ip inspect I can connect remotely to the Terminal servers and the Internet connection doesn't break :-)

Now, what do I do from here?
I guess I have to reconfigure my access-lists? IP inspection?
Thanks again!
LVL 3

Expert Comment

by:j3ggs
ID: 13538707
Hi Manthax,

OK, bear with me, I am going to test this out again..... We may need to go through a troubleshooting process (i.e. get you to do some show commands/look at the logs on the router).

regards

j3ggs

LVL 3

Expert Comment

by:j3ggs
ID: 13539955
Hi manthax,

OK, I am confused with this one a little. For some reason, my config works every time; the only difference between my and your setup is that I am telnetting on port 3389, but this should make no odds.

However, I have tested the following scenario: telnetting to a host on the outside world, and then coming back in again from my outside host on port 3389. If I add "ip inspect myfw out" to the interface, look what happens to the inspection sessions:

BEFORE

Router#show ip inspect sessions
Established Sessions
 Session 816C407C (172.16.1.3:1275)=>(10.0.0.2:23) tcp SIS_OPEN


AFTER

Established Sessions
 Session 816C41EC (10.0.0.2:23106)=>(172.16.1.3:3389) tcp SIS_OPEN
 Session 816C407C (172.16.1.3:1274)=>(10.0.0.2:23) tcp SIS_OPEN

Here we can see an additional session from my outside (10.0.0.0/24 network) to my inside host on port 3389. Whilst both scenarios work (i.e. with and without the command on the inside interface), it is only when I add it that the router actually inspects the traffic.

Perhaps this is the problem?

I am not 100%, but I would give it a go and see what happens.

Best regards

j3ggs

ps I am off to bed now, as I live in the uk!
LVL 3

Expert Comment

by:j3ggs
ID: 13539977
Also here is a link for some Cisco Docs... Unfortunately I can't see an example for two-interface NAT that has CBAC on both sides; Cisco seem to think this is a rare occasion! I do have a book with an example though.....

http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_configuration_examples_list.html

regards

j3ggs

Author Comment

by:manthax
ID: 13544613
Hello,
  Do I need an access-list on the inside interface? In or Out?
Do I need to inspect traffic leaving the network? Where do I start making this configuration work?
Thank you so much for taking the time to help me figure this out.
LVL 3

Expert Comment

by:j3ggs
ID: 13544759
Hi manthax,

You already have the acl on the inside interface. To get mine inspecting though i put the command "ip inspect myfw out" onto my inside interface. (i.e. your FastEthernet0)


regards

j3ggs

Author Comment

by:manthax
ID: 13545168
Hi j3ggs,
Before I start testing this. I'd like to hear your opinion about this.

It seems to me that access-list 100 is permitting a lot of traffic into my network that I probably don't want. So, I created the following list and I am thinking about applying it to the Outside interface- In:

access-list 111 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 255.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 224.0.0.0 0.255.255.255 any log
access-list 111 permit icmp any any net-unreachable
access-list 111 permit icmp any any host-unreachable
access-list 111 permit icmp any any port-unreachable
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any time-exceeded
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 5631
access-list 111 permit tcp any any eq 5632
access-list 111 permit udp any any eq 5631
access-list 111 permit udp any any eq 5632
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 1731
access-list 111 permit gre any any
access-list 111 permit udp any any eq domain
access-list 111 permit udp any any eq ntp
access-list 111 deny   ip any any log

Will this access-list make my LAN more secure?
Do you see any conflicts that may prevent me from accomplishing what I want? (I am not clear about where to place the deny statements.)
Do I still need an access-list for my inside interface? In? Out?
Do I need to modify access-list 102 on the inside interface to match access-list 111?
Access-list 102 seems to me like is missing something?
Do I need to  place ip inspect on both interfaces? In? Out?
I am sorry that I am questioning so much, but as you can see I am very confused about this whole thing!

Thanks again,

Author Comment

by:manthax
ID: 13545270
Hello again:

I removed the ip inspect from the outside interface and placed it on the inside interface ("myfw" out), and this is what I get:

 Session 81B8B7F4 (172.16.1.48:1163)=>(209.67.78.3:80) http SIS_OPEN
 Session 81B85264 (172.16.1.29:1588)=>(209.67.78.3:80) http SIS_OPEN
 Session 81B8AB74 (172.16.1.43:1234)=>(64.12.25.176:5190) tcp SIS_OPEN
 Session 81B84454 (172.16.1.63:2291)=>(207.68.172.234:80) http SIS_OPEN
 Session 81B83E14 (172.16.1.63:2295)=>(209.245.56.190:80) http SIS_OPEN
 Session 81B86844 (172.16.1.48:1162)=>(209.67.78.3:80) http SIS_OPEN
 Session 81B86B64 (172.16.1.48:1146)=>(209.67.78.3:80) http SIS_OPEN
 Session 81B898B4 (172.16.1.63:2296)=>(209.245.56.190:80) http SIS_OPEN
 Session 81B84F44 (172.16.1.48:1144)=>(209.67.78.3:80) http SIS_OPEN
 Session 81B84DB4 (172.16.1.26:1556)=>(63.236.29.136:8081) tcp SIS_OPEN
 Session 81B8B664 (172.16.1.26:1460)=>(64.202.98.51:6350) tcp SIS_OPEN
 Session 81B8D5A4 (172.16.1.43:1235)=>(64.12.165.107:5190) tcp SIS_OPEN
 Session 81B83FA4 (172.16.1.61:4304)=>(64.12.28.60:5190) tcp SIS_OPEN
 Session 81B89A44 (172.16.1.29:1488)=>(209.67.78.3:80) http SIS_OPEN
 Session 81B84774 (172.16.1.29:1593)=>(209.67.78.3:80) http SIS_OPEN
 Session 81B8A534 (172.16.1.21:4858)=>(65.84.241.222:1723) tcp SIS_OPEN
 Session 81B85A34 (172.16.1.48:1101)=>(207.46.107.17:1863) tcp SIS_OPEN
 Session 81B89D64 (172.16.1.61:4302)=>(152.163.15.18:5190) tcp SIS_OPEN
 Session 81B8B984 (172.16.1.38:3141)=>(204.60.219.167:80) http SIS_OPEN
 Session 81B8D734 (172.16.1.64:1960)=>(63.236.29.136:8081) tcp SIS_OPEN
 Session 81B89724 (172.16.1.48:1191)=>(63.236.29.136:8081) tcp SIS_OPEN
 Session 81B871A4 (172.16.1.43:1754)=>(63.236.29.136:8081) tcp SIS_OPEN
 Session 81B89EF4 (172.16.1.29:1583)=>(209.67.78.3:80) http SIS_OPEN
 Session 81B8BE34 (172.16.1.43:1231)=>(207.46.106.147:1863) tcp SIS_OPEN

(no RDP Ports!)

Regards,
LVL 3

Expert Comment

by:j3ggs
ID: 13545738
OK, before I comment on the access-list modification, let me just respond to your last post. As you are "hosting" services on your inside network, you need to inspect both ways. Therefore you will need the original inspect statement on your outside interface, AND the additional one I have suggested. This will therefore inspect sessions initiated from inside the network going out, and inspect sessions coming into your network from the outside..... so you will need both.
LVL 3

Expert Comment

by:j3ggs
ID: 13545895
right in terms of your ACL's,

Anti-spoofing. Good!
ICMP's I need to look up to make sure they are OK
then you have RDP; PC Anywhere uses TCP 5631 and UDP 5632 (so remove the others, that's if it is PC Anywhere!); the next look like H.323 and PPTP?, GRE, DNS lookups and NTP.

OK Do you use NTP external, if not remove it. Do you use both GRE and PPTP?

Do you not receive SMTP email (i.e. do you use exchange etc?)
Do you host any web servers?

I can post a list of things that I would recommend to help lock down your router a little more; I need to dig a few things out though, so bear with me....

You also need to look at your outbound ACLs as well, as they should really be blocking more (for instance netbios UDP as previously mentioned).....

Anyway, try the other post i.e. put both ip inspects on and see how that goes. and i'll come back with the other things

regards

j3ggs

Author Comment

by:manthax
ID: 13546107
Ok. I am going to start the Ip inspect on both interfaces. In the meantime, how does this  outbound access-list 102 look?

access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny udp any any eq netbios-ns
access-list 102 deny udp any any eq netbios-dgm
access-list 102 deny udp any any eq netbios-ss
access-list 102 permit ip any any
access-list 102 deny ip any any
Should I deny or permit 3389 traffic on this interface?
Any other?

Thanks!


Author Comment

by:manthax
ID: 13546241
Hello again!

-I use external NTP for time synch with my Domain controllers.
-GRE and PPTP were there by default. In the future I'd like to implement a VPN solution as well so I think I need both?  Not sure about IP Sec?
-At the present time we do not have any Web servers.  We receive our email using a POP3  third-party email provider.

In the near future, I'd be implementing VPN, and maybe FTP solutions as well, but for now all I want is open ports for Citrix (not sure which they are!) and Terminal Services.

Thanks,
John C.

LVL 3

Expert Comment

by:j3ggs
ID: 13546486
OK, for your ACL on the inside you will need to remove the 172.16.0.0 statement as that is what you are using (the first one, not the second), the acl is hit before nat so that line will just block everything going out. Everything else looks better though. I personally only allow certain apps (for instance) - instead of your permit ip any any:

www
ssl
pop3
smtp
dns (just to the correct DNS server)
ftp
ftp-data

etc...

In terms of RDP, CBAC (when properly configured) should dynamically open the return port. For instance, your RDP client will connect to TCP 3389, but will come from a source port of say 24000; the return traffic will therefore be sent back to TCP port 24000, which is where CBAC steps in to open that port. So as the SYN from your client comes in, and is accepted by your outside ACL, CBAC permits the return path.

Citrix uses TCP 1494 and UDP 1604 (for browser traffic). Depending on config that is.... Some can use SSL etc... So these ports will need to be opened on your outside interface acl.

You probably won't use GRE or PPTP for your VPN; most things nowadays use IPSEC and IKE, which are IP Protocol 50 and UDP 500 respectively. Besides, if you are not using them now, get rid of the lines. My philosophy: if it ain't used, chuck it out (yeah right! don't think my lady thinks like that!)...ehem.

Remember for your citrix you will probably need another static NAT, and looking at your masks you are running out of external IP's..... You could do static port nat (or PAT) I suppose!

I would recommend reading the autosecure doc on Cisco; this gives a good understanding as to what can be vulnerable on a router. As you are running IOS 12.3 I think your router has the script. I have never run it personally, and if you choose to, I would back up all your configs and be prepared to do some troubleshooting if it goes wrong!

The white paper is at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_white_paper09186a00801dbf61.shtml

I don't want to lull you into a sense that if you do the above with ACLs then your router/network will be secure. I am reading Cisco's Securing Cisco IOS Networks and it's got some good things in there about router security, VPNs, CBAC, and lots of other things that you might want to find out about...

regards

j3ggs

Author Comment

by:manthax
ID: 13546768

Thanks for that link, it is very informative.
OK. I've tried it!
I placed the access-list 102-Out (I've removed the first line as you suggested) and ip inspect on the internal interface (Out).
I did not lose the Internet connection, but I still could not TS.


"dns (just to the correct DNS server)"

When you say the correct DNS server, is that our ISP's DNS server or my internal DNS?
Sorry for the dumb questions!

Author Comment

by:manthax
ID: 13546790
How about access-list 1 permit 172.16.1.0 0.0.0.255
Do I still need that one?
I am not sure how many access-list I should have on that router!
Thanks!
LVL 3

Expert Comment

by:j3ggs
ID: 13546913
OK, with regard to the TS problem.... We need to see if it is a CBAC or ACL issue..

On your current external interface acl, do you have a deny ip any any log at the end of it? If not can you add it in?

Then we need to telnet (or console) to the router, and look at the log when you are trying to connect (if telnetting, use "terminal monitor" command under the "#" mode (priv exec mode). This will show us logs in real time.... See if anything is blocking when you try to RDP. If we get no drops then we need to look elsewhere, but the ACL I think is the first place to start.

With regard to DNS, do your clients go outbound for DNS or do they hit your internal DNS server? If they hit the internal one, and your DNS server is a relay, then you can just permit your DNS server out for DNS.

With regard to ACL 1, this is used by your NAT rule (it's a logic test, not actually an ACL blocking anything).... Look at your NAT statement.....ip nat inside source list 1 pool SBC overload

What this is doing is port address translating all of your clients in the ACL 1, to the SBC pool (i.e. the two addresses you have in the pool).

regards

j3ggs

PS there are never any dumb questions.... that's how we all learn!

Author Comment

by:manthax
ID: 13547206
Hello j3ggs,
FYI:
I had this question open previously. See this link: http://www.experts-exchange.com/Hardware/Routers/Q_21153161.html

The person that was working with me showed me how to do IP debugging, and he came to the conclusion that it was the ip inspect command that was causing the packet to be dropped.
Here are the IP debugging details:
***********************************
Router#debug ip packet 111 detail
IP packet debugging is on (detailed) for access list 111
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h:     TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h:     TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h:     TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h:     TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h:     TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h:     TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
***********************************
Here are his comments:
We also see your problem in the ip packet debug though. Note the lines that say "dropped by inspect." So the IP inspect function is indeed the problem. I think the problem has to do with the combination of NAT and that. The packets are being dropped because with NAT, the outbound packets have a different source address than the destination address of the inbound ones. Since they don't match, IP inspect drops the outbound ones. What I don't yet understand is why, since the packets are being dropped outbound even though you don't have an outbound access list.

I am sorry for posting the same question twice, but the person that was helping me never got back to me, and I am in desperate need to have this resolved!
Here is the input from terminal monitor:
#terminal monitor

02:45:47: %SEC-6-IPACCESSLOGP: list 111 denied tcp 80.205.46.2(2330) -> 69.37.247.114(139), 1 packet
02:45:52: %SEC-6-IPACCESSLOGP: list 111 denied tcp 80.205.46.2(2330) -> 69.37.247.114(139), 1 packet
02:45:57: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.175.67(1275) -> 69.37.247.122(445), 1 packet
02:45:58: %SEC-6-IPACCESSLOGP: list 111 denied tcp 218.9.76.245(7000) -> 69.37.247.119(4106), 1 packet
02:46:02: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.247.92(1221) -> 69.37.247.122(135), 1 packet
02:46:05: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.157.33.214(3289) -> 69.37.247.103(135), 1 packet
02:46:06: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.175.67(1275) -> 69.37.247.122(445), 1 packet
02:46:10: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.157.33.214(3289) -> 69.37.247.103(135), 1 packet
02:46:10: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.145.49.124(4539) -> 69.37.247.109(135), 2 packets
02:46:12: %SEC-6-IPACCESSLOGDP: list 111 denied icmp 151.164.62.39 -> 69.177.9.50 (8/0), 1 packet
02:46:37: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.158.158.3(3887) -> 69.37.247.104(135), 1 packet
02:46:40: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.158.158.3(3887) -> 69.37.247.104(135), 1 packet
02:46:45: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.247.92(1301) -> 69.37.247.126(135), 1 packet
02:46:46: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.175.67(2058) -> 69.37.247.110(445), 1 packet
02:46:50: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.175.67(2058) -> 69.37.247.110(445), 1 packet
02:47:07: %SEC-6-IPACCESSLOGDP: list 111 denied icmp 151.164.62.41 -> 69.177.9.50 (8/0), 1 packet
02:47:25: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.247.92(1152) -> 69.37.247.115(135), 1 packet
02:47:26: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.156.63.238(3917) -> 69.37.247.99(135), 1 packet
02:47:28: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.159.71.118(3266) -> 69.37.247.96(135), 1 packet
02:47:30: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.156.63.238(3917) -> 69.37.247.99(135), 1 packet
02:47:32: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.159.71.118(3266) -> 69.37.247.96(135), 1 packet
02:47:53: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.92.176.42(1477) -> 69.37.247.125(135), 1 packet
02:47:59: %SEC-6-IPACCESSLOGP: list 111 denied tcp 61.234.250.206(80) -> 69.37.247.106(6499), 1 packet
02:48:12: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.92.176.42(1477) -> 69.37.247.125(135), 1 packet
02:48:14: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.247.92(1677) -> 69.37.247.121(135), 1 packet
02:48:27: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.247.92(2816) -> 69.37.247.116(135), 1 packet
02:48:53: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.247.92(1346) -> 69.37.247.98(135), 1 packet
02:48:54: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.247.92(1467) -> 69.37.247.97(135), 1 packet
02:49:00: %SEC-6-IPACCESSLOGP: list 111 denied tcp 69.37.247.92(2042) -> 69.37.247.127(135), 1 packet
02:49:15: %SEC-6-IPACCESSLOGDP: list 111 denied icmp 151.164.62.39 -> 69.177.9.50 (8/0), 1 packet

Thanks,
John C
LVL 3

Accepted Solution

by:
j3ggs earned 600 total points
ID: 13547819
Just read through some of those comments.... This is a strange one, as this config does work, as I have it working on a router sitting right next to me!

From the Text (in my book) we are supposed to configure the following:

on our outside interface:
An access-list permitting correct ports and denying others
an ip inspect rule inbound

on our inside interface
An access-list permitting correct ports and denying others
an ip inspect rule inbound


my router has the following:

interface Ethernet0/0
 description << Local Lan Network >>
 ip address 172.16.1.1 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip inspect myfw in
 half-duplex
 no cdp enable
end

interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group 111 in
 ip nat outside
 ip inspect myfw in
 half-duplex
end

Established Sessions
 Session 816C435C (172.16.1.3:3584)=>(10.0.0.2:23) tcp SIS_OPEN
 Session 816C41EC (10.65.1.1:11012)=>(172.16.1.3:3389) tcp SIS_OPEN

Pro Inside global         Inside local          Outside local         Outside global
--- 10.0.0.99             172.16.1.7            ---                   ---
--- 10.0.0.100            172.16.1.3            ---                   ---
--- 10.0.0.101            172.16.1.11           ---                   ---
tcp 10.0.0.100:3584       172.16.1.3:3584       10.0.0.2:23           10.0.0.2:23
tcp 10.0.0.100:3389       172.16.1.3:3389       10.65.1.1:11012       10.65.1.1:11012
tcp 10.0.0.100:23         172.16.1.3:23         10.0.0.2:11002        10.0.0.2:11002
tcp 10.0.0.100:23         172.16.1.3:23         10.0.0.2:11003        10.0.0.2:11003

Extended IP access list 110
     permit tcp host 172.16.1.3 eq 3389 host 10.65.1.1 eq 11012 (4 matches)
    10 permit tcp 172.16.1.0 0.0.0.255 any eq telnet (2756 matches)
    20 deny ip any any (238 matches)
    30 deny ip any any log

Extended IP access list 111
     permit tcp host 10.0.0.2 eq telnet host 10.0.0.100 eq 3584 (18 matches)
    10 permit tcp any host 10.0.0.100 eq telnet
    20 permit tcp any host 10.0.0.100 eq 3389 (13 matches)
    30 deny ip any any log



IT WORKS!!!!

Traffic is being inspected both ways (i telneted out to a device 10.0.0.2), and from another device (10.65.1.1) I telneted back in bound to 10.0.0.100).

can you perhaps do a show run of what you have now.... I have lost where we are with the config!

many thanks

j3ggs

Author Comment

by:manthax
ID: 13548278
Hello again!

This is the current router config. Please note that I am not 100% sure about access-list 102 for the inside interface, therefore I've decided to remove it so we don't have another variable in there.
Maybe you could give me a sample of an access-list for the inside interface! Also my workstations hit my internal DNS servers; both DNS servers are configured to forward requests to the ISP's DNS servers. Is this correct?

Access-list 102 permit tcp any host 172.16.1.3 eq domain
Access-list 102 permit udp any host 172.16.1.3 eq domain
Access-list 102 permit tcp any host 172.16.1.5 eq domain
Access-list 102 permit udp any host 172.16.1.5 eq domain

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Current configuration : 3989 bytes
!
! Last configuration change at 19:38:24 UTC Tue Mar 15 2005
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Noise
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip inspect dns-timeout 30
ip inspect name myfw cuseeme
ip inspect name myfw rcmd
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw tftp
ip inspect name myfw smtp
ip inspect name myfw realaudio
ip inspect name myfw h323
ip inspect name myfw ftp
ip inspect name myfw http
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw sqlnet
!
ip audit notify log
ip audit po max-events 100
ip name-server 204.60.203.179
ip name-server 66.10.48.198
no ftp-server write-enable
!
!
interface FastEthernet0
 description << Local Lan Network >>
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 description << Link to SBCIS ckt HCGM 003125 T1 >>
 ip address 69.X.X.50 255.255.255.252
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 frame-relay interface-dlci 16
!
ip nat pool SBC 69.X.X.97 69.X.X.98 netmask 255.255.255.248
ip nat inside source list 1 pool SBC overload
ip nat inside source static tcp 172.16.1.3 3389 69.X.X.100 3389 extendable
ip nat inside source static tcp 172.16.1.7 3389 69.X.X.99 3389 extendable
ip nat inside source static tcp 172.16.1.11 3389 69.X.X.101 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 69.X.X.49
no ip http server
no ip http secure-server
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 255.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 224.0.0.0 0.255.255.255 any log
access-list 111 permit icmp any any net-unreachable
access-list 111 permit icmp any any host-unreachable
access-list 111 permit icmp any any port-unreachable
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any time-exceeded
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 5631
access-list 111 permit tcp any any eq 5632
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 1731
access-list 111 permit gre any any
access-list 111 permit udp any any eq domain
access-list 111 permit udp any any eq ntp
access-list 111 deny   ip any any log


!
line con 0
line aux 0
line vty 0 4
 password
 login
!
ntp clock-period 17179967
ntp server 207.55.146.54
ntp server 128.10.252.10
!
end
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Thanks a million for your time!
LVL 3

Expert Comment

by:j3ggs
ID: 13548765
Hi John,

Do you want to take this offline.. I have plenty of time as I am not currently working at the moment, and happen to be studying for my SECUR exam (thats a part of the Cisco CCSP - security professional), so all this is really good for me.

However, I guess you are in the States, and I am not (I am in the UK). If you do want to take it offline then leave me your email address; however, I will have to contact you tomorrow as it is my anniversary this evening and I think my girl is stressing as I am in front of this machine!

If not for now I would try and do what I have done on my config. i.e. you MUST have an acl for the inside interface even if it permits everything.

then try the ip inspect statements on each interface as I have (don't forget to take the other inspect statement off). You can copy my interface inspect statements (my inside is the 172 address).

regards

j3ggs

So to confirm, create an acl with permit ip any any, then copy my inspect statements, making sure there are no others.
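The following is a consolidated configuration added here as an example; it is not the poster's config and not j3ggs's router. It takes the layout from the accepted answer (an ACL and "ip inspect myfw in" on BOTH interfaces), j3ggs's earlier points (NetBIOS blocked outbound for TCP and UDP, DNS permitted only from the internal resolvers, Citrix on TCP 1494/UDP 1604, static PAT instead of whole-host statics) and goes a little beyond the thread by adding the lines the router's own NTP/DNS replies need, since CBAC does not inspect traffic the router itself originates. Assumptions: 69.X.X.n is the masked public range from the post; 172.16.1.3 and 172.16.1.5 are the internal DNS servers and domain controllers (from the poster's draft ACL); a Citrix server sharing 172.16.1.11 is hypothetical; the ISP resolver and NTP addresses are those in the posted config.

```cisco
! Added example, not the thread's own config. Layout from the accepted answer:
! an ACL and "ip inspect myfw in" on BOTH interfaces. Assumptions: 69.X.X.n is
! the masked public range from the post; 172.16.1.3/.5 are the internal DNS
! servers; the Citrix host on 172.16.1.11 is hypothetical; ISP resolvers and
! NTP servers are the ones in the posted config.
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
!
! Inside (LAN) interface. Inspecting LAN-initiated sessions here lets CBAC open
! their return traffic through ACL 111 on the outside interface.
interface FastEthernet0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip inspect myfw in
!
! Outside (ISP) interface. Inspecting Internet-initiated sessions here creates
! the session for an inbound RDP SYN, so the server's SYN-ACK is no longer
! "dropped by inspect" on its way out.
interface Serial0.1 point-to-point
 ip address 69.X.X.50 255.255.255.252
 ip access-group 111 in
 ip nat outside
 ip inspect myfw in
 frame-relay interface-dlci 16
!
! NAT: static PAT publishes one port per host rather than the whole host.
ip nat pool SBC 69.X.X.97 69.X.X.98 netmask 255.255.255.248
ip nat inside source list 1 pool SBC overload
ip nat inside source static tcp 172.16.1.3 3389 69.X.X.100 3389 extendable
ip nat inside source static tcp 172.16.1.7 3389 69.X.X.99 3389 extendable
ip nat inside source static tcp 172.16.1.11 3389 69.X.X.101 3389 extendable
ip nat inside source static tcp 172.16.1.11 1494 69.X.X.101 1494 extendable
ip nat inside source static udp 172.16.1.11 1604 69.X.X.101 1604 extendable
access-list 1 permit 172.16.1.0 0.0.0.255
!
! Egress ACL on the inside interface (evaluated before NAT). Only 172.16.1.0/24
! can be a source here, so private-range checks go on the DESTINATION; a
! "deny ip 172.16.0.0 0.15.255.255 any" would block the whole LAN.
access-list 102 remark An inbound ACL also filters traffic TO the router; keep management open
access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.1 eq telnet
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 remark NetBIOS/SMB must not leave the LAN: both TCP and UDP
access-list 102 deny   udp any any range 137 139
access-list 102 deny   tcp any any range 137 139
access-list 102 deny   tcp any any eq 445
access-list 102 remark DNS only from the internal resolvers, which forward to the ISP
access-list 102 permit udp host 172.16.1.3 host 204.60.203.179 eq domain
access-list 102 permit udp host 172.16.1.3 host 66.10.48.198 eq domain
access-list 102 permit udp host 172.16.1.5 host 204.60.203.179 eq domain
access-list 102 permit udp host 172.16.1.5 host 66.10.48.198 eq domain
access-list 102 deny   udp any any eq domain log
access-list 102 remark Domain controllers sync time externally; nothing else needs NTP
access-list 102 permit udp host 172.16.1.3 any eq ntp
access-list 102 permit udp host 172.16.1.5 any eq ntp
access-list 102 remark Applications the LAN may reach (extend as required)
access-list 102 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 102 permit tcp 172.16.1.0 0.0.0.255 any eq 443
access-list 102 permit tcp 172.16.1.0 0.0.0.255 any eq pop3
access-list 102 permit tcp 172.16.1.0 0.0.0.255 any eq smtp
access-list 102 permit tcp 172.16.1.0 0.0.0.255 any eq ftp
access-list 102 permit icmp 172.16.1.0 0.0.0.255 any
access-list 102 deny   ip any any log
!
! Ingress ACL on the outside interface: anti-spoofing, then only the published
! services. CBAC inserts the temporary return-traffic entries above these.
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny   ip host 255.255.255.255 any log
access-list 111 deny   ip 69.X.X.96 0.0.0.7 any log
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any unreachable
access-list 111 remark Replies to the router's OWN NTP/DNS queries: CBAC does not
access-list 111 remark inspect router-originated traffic, so they need explicit lines
access-list 111 permit udp host 207.55.146.54 eq ntp host 69.X.X.50 eq ntp
access-list 111 permit udp host 128.10.252.10 eq ntp host 69.X.X.50 eq ntp
access-list 111 permit udp host 204.60.203.179 eq domain host 69.X.X.50
access-list 111 permit udp host 66.10.48.198 eq domain host 69.X.X.50
access-list 111 remark Published services (static PAT above)
access-list 111 permit tcp any host 69.X.X.100 eq 3389
access-list 111 permit tcp any host 69.X.X.99 eq 3389
access-list 111 permit tcp any host 69.X.X.101 eq 3389
access-list 111 permit tcp any host 69.X.X.101 eq 1494
access-list 111 permit udp any host 69.X.X.101 eq 1604
access-list 111 deny   ip any any log
```

To check it, connect to 69.X.X.100:3389 from outside and run "show ip inspect sessions | inc 172.16.1.3" (the session should now appear, as in the accepted answer's output) and "show access-lists 102"; the dynamic "permit tcp host 172.16.1.3 eq 3389 host <client> eq <port>" entry CBAC adds for the return path shows up at the top of the list. If the client still cannot connect, "debug ip packet 111 detail" as used earlier in the thread will show whether the drop is by the ACL or by inspect. Note that the "!" comment lines are not kept in the running config, and that the deny lines with "log" will be noisy on a busy link (the earlier terminal monitor output shows the amount of port 135/445 scanning a public /24 attracts), so consider dropping "log" from the final "deny ip any any" once the ACL is proven.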

Author Comment

by:manthax
ID: 13549132
Hello j3ggs,

Please feel free to email me at test@nctgroupinc.com. I will set up the access-list for the inside interface today, and will keep in touch.
Happy anniversary, man! Mine was last Sunday (6 years)

Cheers!