Solved

CBAC newbie

Posted on 2006-11-01
Last Modified: 2008-01-09
Hello,

Client has a win2K server running a php+mysql db published on IIS which works perfect
with netgear dsl router.  Every time I try to introduce a cisco 837, I run into
2 problems.  

1) Https Internetbanking from client pcs works up until the point a payment is made.
They can login, pull up accounts, employees etc, amounts to transfer etc.
(I ran ethereal and the entire conversation is (*high port e.g. 2247) > 443 and back)
It's SSLv3 traffic, but there appears to be a cipher change when the submit
button is hit for a transaction payment in the ethereal logs.

2)  External http users can login to main form on webpage for the php+mysql db but cannot access the forms which do the important stuff.
ie the pages that pull up the database stuff!

I suspect CBAC is to blame because encryption is happening which is preventing it from following
the session properly.  The problem is that I don't really understand CBAC and how to implement it
properly.   I could disable it I guess, but might as well leave the netgear there if that's the case.

I understand that CBAC allows sessions initiated on the inside to create openings for return
traffic in the firewall.  So If user A launches a http session on e.g. tcp port 2247 to the outside on 80
then returning traffic with sip 80 and dip 2247 will be allowed back in.

So, I setup firewall on outside interface blocking everything but incoming http and a few other things I need like remote
access and smtp from my office's STATIC ips.

Then I activate generic tcp and udp inspection (the sdm creates one called DEFAULT100 which has tcp,udp,realaudio,smtp etc)
by applying the DEFAULT100 inspection rule to my ATM0.1 outbound interface.  Users can now surf etc. but Internet banking now fails
at the point mentioned earlier.  I send the output to a syslog server and see sessions starting and stopping, but it's now my basic lack
of understanding that becomes the problem.  Without really understanding CBAC I am not comfortable examining the logs.

Bollocks! to that I say to myself, let's fix the access to the webserver database.  
I have STATIC NAT translations setup for ports 80 and 25 to the mail/webserver and
have the ports permitted through the firewall but cannot telnet on 25 from my office or access the
webserver from any outside IP.

If I apply the DEFAULT100 inspection rule to my ATM0.1 Inbound interface I can now connect
on 25 from my office to the exchange server, and login to the webserver database  from anywhere.

I don't know if I should define separate/unique inspection rules for the incoming and outbound section of the
interface, tried but they both basically say same thing anyways, i.e. to inspect tcp and udp traffic.

This is the bit I don't understand, if CBAC is looking at deeper layers to establish if traffic is part
of a valid session, why inspect traffic that starts from the outside UNTRUSTED network?
I'm allowing any outgoing traffic in the firewall while I try to resolve the issue.  It seems dangerous/illogical
to me to allow some untrusted IP to determine the source and destination ports
for inspection.  CBAC/Inspect rules on inbound for the Outside Interface makes no sense to me.
Yet, I cannot connect at all unless I do it.  The problem then becomes, that I cannot load any of the
important web pages,  I can login to system but the useful stuff doesn't work.  The thing that
drives me crazy is that there is one IP on the outside that can open the useful pages
properly, the IP for my office which is allowed only 3389 (remote desktop) and SMTP access.
I tried giving full access through the firewall to other IPs but they could not load the pages.
The only thing different about my office IP from the cisco's point of view is that it initiates
the odd smtp 25 connection out to it when sending email.

I was expecting this to be a 10 line question.

Dean

0
Comment
Question by:pip_gazebo
20 Comments
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17857457
Show us the CBAC ACL.  On a rough read of what you've said above, there's possibly no NAT translation for tcp/443 or perhaps no CBAC opening for tcp/443.
0
 
LVL 2

Author Comment

by:pip_gazebo
ID: 17863005
I should have it to hand in a day or two and will definitely post asap (had to leave remote site in a rush and only had time to ensure
I left old router properly connected, feel foolish for not having taken config away) but am curious about your suspicion.  I thought if tcp and udp inspection was enabled then 443 would necessarily be opened by CBAC on the return leg as it is tcp traffic. no?

Thanks for your help, much appreciated.

0
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17863104
CBAC is easy to get spun around, and without seeing the relevant interface config and the ACL it's futile to try to troubleshoot.  Throw in quirks courtesy of SDM and you're in a vague cloudy world.
0
 
LVL 2

Author Comment

by:pip_gazebo
ID: 17874635
Here's the config.  Cheers.


Building configuration...

Current configuration : 22378 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname myname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 warnings
enable secret 5 $1$JIig$MIpuw/vYUwAvGYWH2CyT01
!
username [myname] privilege 15 secret 5 $1$A3xm$A/8WzHpWzN2NnthwM./uG.
username [myname2] privilege 15 secret 5 $1$9IzF$Sf4zYWfkA8s49nZs5DNtm/
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
ip gratuitous-arps
!
!
ip finger
ip tcp synwait-time 10
ip domain name yourdomain.com
ip name-server [dns server ip 1]
ip name-server [dns server ip 2]
ip cef
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 rcmd
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
no crypto isakmp enable
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group [xxx]
 key [xxx]
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Ethernet0
 description $ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.201 255.255.255.0
 ip access-group 105 in
 ip mask-reply
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 ip mask-reply
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip mask-reply
 ip directed-broadcast
 pvc 8/35
  oam-pvc manage
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address [mypublicip] 255.255.255.0
 ip access-group 109 in
 ip mask-reply
 ip directed-broadcast
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 in
 ip inspect DEFAULT100 out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [myloginname]
 ppp chap password 7 06041D2E4D4A0B180B1343
 ppp pap sent-username [myisp] password 7 0111140B5A0F040E2F481F
!
ip local pool SDM_POOL_1 192.168.77.1 192.168.77.100
ip nat pool mypool 192.168.99.1 192.168.99.254 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.200 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.200 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.200 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.200 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.200 3306 interface Dialer0 3306
ip nat inside source static tcp 192.168.1.200 3389 interface Dialer0 3389
ip classless
ip route 0.0.0.0 0.0.0.0 [mynexthop] permanent
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
logging 192.168.1.226
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip [oldip].0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.77.1 any
access-list 101 permit ip host 192.168.77.2 any
access-list 101 permit ip host 192.168.77.3 any
access-list 101 permit ip host 192.168.77.4 any
access-list 101 permit ip host 192.168.77.5 any
access-list 101 permit ip host 192.168.77.6 any
access-list 101 permit ip host 192.168.77.7 any
access-list 101 permit ip host 192.168.77.8 any
access-list 101 permit ip host 192.168.77.9 any
access-list 101 permit ip host 192.168.77.10 any
access-list 101 permit ip host 192.168.77.11 any
access-list 101 permit ip host 192.168.77.12 any
access-list 101 permit ip host 192.168.77.13 any
access-list 101 permit ip host 192.168.77.14 any
access-list 101 permit ip host 192.168.77.15 any
access-list 101 permit ip host 192.168.77.16 any
access-list 101 permit ip host 192.168.77.17 any
access-list 101 permit ip host 192.168.77.18 any
access-list 101 permit ip host 192.168.77.19 any
access-list 101 permit ip host 192.168.77.20 any
access-list 101 permit ip host 192.168.77.21 any
access-list 101 permit ip host 192.168.77.22 any
access-list 101 permit ip host 192.168.77.23 any
access-list 101 permit ip host 192.168.77.24 any
access-list 101 permit ip host 192.168.77.25 any
access-list 101 permit ip host 192.168.77.26 any
access-list 101 permit ip host 192.168.77.27 any
access-list 101 permit ip host 192.168.77.28 any
access-list 101 permit ip host 192.168.77.29 any
access-list 101 permit ip host 192.168.77.30 any
access-list 101 permit ip host 192.168.77.31 any
access-list 101 permit ip host 192.168.77.32 any
access-list 101 permit ip host 192.168.77.33 any
access-list 101 permit ip host 192.168.77.34 any
access-list 101 permit ip host 192.168.77.35 any
access-list 101 permit ip host 192.168.77.36 any
access-list 101 permit ip host 192.168.77.37 any
access-list 101 permit ip host 192.168.77.38 any
access-list 101 permit ip host 192.168.77.39 any
access-list 101 permit ip host 192.168.77.40 any
access-list 101 permit ip host 192.168.77.41 any
access-list 101 permit ip host 192.168.77.42 any
access-list 101 permit ip host 192.168.77.43 any
access-list 101 permit ip host 192.168.77.44 any
access-list 101 permit ip host 192.168.77.45 any
access-list 101 permit ip host 192.168.77.46 any
access-list 101 permit ip host 192.168.77.47 any
access-list 101 permit ip host 192.168.77.48 any
access-list 101 permit ip host 192.168.77.49 any
access-list 101 permit ip host 192.168.77.50 any
access-list 101 permit ip host 192.168.77.51 any
access-list 101 permit ip host 192.168.77.52 any
access-list 101 permit ip host 192.168.77.53 any
access-list 101 permit ip host 192.168.77.54 any
access-list 101 permit ip host 192.168.77.55 any
access-list 101 permit ip host 192.168.77.56 any
access-list 101 permit ip host 192.168.77.57 any
access-list 101 permit ip host 192.168.77.58 any
access-list 101 permit ip host 192.168.77.59 any
access-list 101 permit ip host 192.168.77.60 any
access-list 101 permit ip host 192.168.77.61 any
access-list 101 permit ip host 192.168.77.62 any
access-list 101 permit ip host 192.168.77.63 any
access-list 101 permit ip host 192.168.77.64 any
access-list 101 permit ip host 192.168.77.65 any
access-list 101 permit ip host 192.168.77.66 any
access-list 101 permit ip host 192.168.77.67 any
access-list 101 permit ip host 192.168.77.68 any
access-list 101 permit ip host 192.168.77.69 any
access-list 101 permit ip host 192.168.77.70 any
access-list 101 permit ip host 192.168.77.71 any
access-list 101 permit ip host 192.168.77.72 any
access-list 101 permit ip host 192.168.77.73 any
access-list 101 permit ip host 192.168.77.74 any
access-list 101 permit ip host 192.168.77.75 any
access-list 101 permit ip host 192.168.77.76 any
access-list 101 permit ip host 192.168.77.77 any
access-list 101 permit ip host 192.168.77.78 any
access-list 101 permit ip host 192.168.77.79 any
access-list 101 permit ip host 192.168.77.80 any
access-list 101 permit ip host 192.168.77.81 any
access-list 101 permit ip host 192.168.77.82 any
access-list 101 permit ip host 192.168.77.83 any
access-list 101 permit ip host 192.168.77.84 any
access-list 101 permit ip host 192.168.77.85 any
access-list 101 permit ip host 192.168.77.86 any
access-list 101 permit ip host 192.168.77.87 any
access-list 101 permit ip host 192.168.77.88 any
access-list 101 permit ip host 192.168.77.89 any
access-list 101 permit ip host 192.168.77.90 any
access-list 101 permit ip host 192.168.77.91 any
access-list 101 permit ip host 192.168.77.92 any
access-list 101 permit ip host 192.168.77.93 any
access-list 101 permit ip host 192.168.77.94 any
access-list 101 permit ip host 192.168.77.95 any
access-list 101 permit ip host 192.168.77.96 any
access-list 101 permit ip host 192.168.77.97 any
access-list 101 permit ip host 192.168.77.98 any
access-list 101 permit ip host 192.168.77.99 any
access-list 101 permit ip host 192.168.77.100 any
access-list 101 permit udp any host [oldip] eq non500-isakmp
access-list 101 permit udp any host [oldip] eq isakmp
access-list 101 permit esp any host [oldip]
access-list 101 permit ahp any host [oldip]
access-list 101 remark allow http
access-list 101 permit tcp any host [oldip] eq www log
access-list 101 remark allow dns
access-list 101 permit tcp any host [oldip] eq domain log
access-list 101 remark allow 20-21 ftp
access-list 101 permit tcp any host [oldip] range ftp-data ftp log
access-list 101 remark allow 443-445
access-list 101 permit tcp any host [oldip] range 443 445 log
access-list 101 remark allow sql
access-list 101 deny   tcp any host [oldip] eq 1433 log
access-list 101 remark allow vnc
access-list 101 permit tcp any host [oldip] eq 5500 log
access-list 101 permit tcp host [myofficeip] host [oldip] eq 3389 log
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host [oldip] echo-reply
access-list 101 permit icmp any host [oldip] time-exceeded
access-list 101 permit icmp any host [oldip] unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip any host 192.168.77.1
access-list 102 deny   ip any host 192.168.77.2
access-list 102 deny   ip any host 192.168.77.3
access-list 102 deny   ip any host 192.168.77.4
access-list 102 deny   ip any host 192.168.77.5
access-list 102 deny   ip any host 192.168.77.6
access-list 102 deny   ip any host 192.168.77.7
access-list 102 deny   ip any host 192.168.77.8
access-list 102 deny   ip any host 192.168.77.9
access-list 102 deny   ip any host 192.168.77.10
access-list 102 deny   ip any host 192.168.77.11
access-list 102 deny   ip any host 192.168.77.12
access-list 102 deny   ip any host 192.168.77.13
access-list 102 deny   ip any host 192.168.77.14
access-list 102 deny   ip any host 192.168.77.15
access-list 102 deny   ip any host 192.168.77.16
access-list 102 deny   ip any host 192.168.77.17
access-list 102 deny   ip any host 192.168.77.18
access-list 102 deny   ip any host 192.168.77.19
access-list 102 deny   ip any host 192.168.77.20
access-list 102 deny   ip any host 192.168.77.21
access-list 102 deny   ip any host 192.168.77.22
access-list 102 deny   ip any host 192.168.77.23
access-list 102 deny   ip any host 192.168.77.24
access-list 102 deny   ip any host 192.168.77.25
access-list 102 deny   ip any host 192.168.77.26
access-list 102 deny   ip any host 192.168.77.27
access-list 102 deny   ip any host 192.168.77.28
access-list 102 deny   ip any host 192.168.77.29
access-list 102 deny   ip any host 192.168.77.30
access-list 102 deny   ip any host 192.168.77.31
access-list 102 deny   ip any host 192.168.77.32
access-list 102 deny   ip any host 192.168.77.33
access-list 102 deny   ip any host 192.168.77.34
access-list 102 deny   ip any host 192.168.77.35
access-list 102 deny   ip any host 192.168.77.36
access-list 102 deny   ip any host 192.168.77.37
access-list 102 deny   ip any host 192.168.77.38
access-list 102 deny   ip any host 192.168.77.39
access-list 102 deny   ip any host 192.168.77.40
access-list 102 deny   ip any host 192.168.77.41
access-list 102 deny   ip any host 192.168.77.42
access-list 102 deny   ip any host 192.168.77.43
access-list 102 deny   ip any host 192.168.77.44
access-list 102 deny   ip any host 192.168.77.45
access-list 102 deny   ip any host 192.168.77.46
access-list 102 deny   ip any host 192.168.77.47
access-list 102 deny   ip any host 192.168.77.48
access-list 102 deny   ip any host 192.168.77.49
access-list 102 deny   ip any host 192.168.77.50
access-list 102 deny   ip any host 192.168.77.51
access-list 102 deny   ip any host 192.168.77.52
access-list 102 deny   ip any host 192.168.77.53
access-list 102 deny   ip any host 192.168.77.54
access-list 102 deny   ip any host 192.168.77.55
access-list 102 deny   ip any host 192.168.77.56
access-list 102 deny   ip any host 192.168.77.57
access-list 102 deny   ip any host 192.168.77.58
access-list 102 deny   ip any host 192.168.77.59
access-list 102 deny   ip any host 192.168.77.60
access-list 102 deny   ip any host 192.168.77.61
access-list 102 deny   ip any host 192.168.77.62
access-list 102 deny   ip any host 192.168.77.63
access-list 102 deny   ip any host 192.168.77.64
access-list 102 deny   ip any host 192.168.77.65
access-list 102 deny   ip any host 192.168.77.66
access-list 102 deny   ip any host 192.168.77.67
access-list 102 deny   ip any host 192.168.77.68
access-list 102 deny   ip any host 192.168.77.69
access-list 102 deny   ip any host 192.168.77.70
access-list 102 deny   ip any host 192.168.77.71
access-list 102 deny   ip any host 192.168.77.72
access-list 102 deny   ip any host 192.168.77.73
access-list 102 deny   ip any host 192.168.77.74
access-list 102 deny   ip any host 192.168.77.75
access-list 102 deny   ip any host 192.168.77.76
access-list 102 deny   ip any host 192.168.77.77
access-list 102 deny   ip any host 192.168.77.78
access-list 102 deny   ip any host 192.168.77.79
access-list 102 deny   ip any host 192.168.77.80
access-list 102 deny   ip any host 192.168.77.81
access-list 102 deny   ip any host 192.168.77.82
access-list 102 deny   ip any host 192.168.77.83
access-list 102 deny   ip any host 192.168.77.84
access-list 102 deny   ip any host 192.168.77.85
access-list 102 deny   ip any host 192.168.77.86
access-list 102 deny   ip any host 192.168.77.87
access-list 102 deny   ip any host 192.168.77.88
access-list 102 deny   ip any host 192.168.77.89
access-list 102 deny   ip any host 192.168.77.90
access-list 102 deny   ip any host 192.168.77.91
access-list 102 deny   ip any host 192.168.77.92
access-list 102 deny   ip any host 192.168.77.93
access-list 102 deny   ip any host 192.168.77.94
access-list 102 deny   ip any host 192.168.77.95
access-list 102 deny   ip any host 192.168.77.96
access-list 102 deny   ip any host 192.168.77.97
access-list 102 deny   ip any host 192.168.77.98
access-list 102 deny   ip any host 192.168.77.99
access-list 102 deny   ip any host 192.168.77.100
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny   ip [pubiprange] 0.0.0.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any

access-list 109 remark auto generated by SDM firewall configuration
access-list 109 remark SDM_ACL Category=1
access-list 109 permit tcp any eq www any
access-list 109 permit tcp host [myofficeip] eq smtp any
access-list 109 deny   ip 192.168.1.0 0.0.0.255 any
access-list 109 permit icmp any host [mypublicip] echo-reply
access-list 109 permit icmp any host [mypublicip] time-exceeded
access-list 109 permit icmp any host [mypublicip] unreachable
access-list 109 deny   ip 10.0.0.0 0.255.255.255 any
access-list 109 deny   ip 172.16.0.0 0.15.255.255 any
access-list 109 deny   ip 192.168.0.0 0.0.255.255 any
access-list 109 deny   ip 127.0.0.0 0.255.255.255 any
access-list 109 deny   ip host 255.255.255.255 any
access-list 109 deny   ip host 0.0.0.0 any
access-list 109 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane

!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end

0
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17875413
Ah, the joys and chaos of SDM.  Your config is quite a mess, unfortunately.

You should only inspect in one direction.  If you should have a good reason to inspect in two directions, you probably want to use two different inspection sets.

On your dialer interface, I'd most likely recommend you only inspect outbound.  That's the direction that client requests would be going when originated from within.  Please try that, and see what the results are.
0
 
LVL 2

Author Comment

by:pip_gazebo
ID: 17927392
Well I tried that on site and it didn't fix things, so I took router to my office, factory reset and set it up as you suggested,
only inspecting in one direction.  My online banking problem was no more and all internal initiated traffic worked if I inspected either
outbound on my dialer interface or instead inbound on my eth0.  Super.

I tested my incoming connections and they were still not working.  My syslog server showed the packets as being permitted
but nothing was working.  So I enabled inbound inspection and everything started working.  I do not understand why I need to enable
the inspect rule on my inbound dialer interface.  If I understand CBAC correctly, I should only need to apply it
to my internal network's outgoing traffic.  Traffic initiated from the internet is permitted by ACLs and since I am currently
allowing ANY traffic from my LAN to go out, the return traffic for externally initiated connections should be allowed out.

Why then do I need to inspect the inbound traffic in order to get external initiated traffic to work?

I appreciate your advice to use different inspection sets, haven't done so yet but will implement, but why is it necessary to inspect in
two directions?  I have no ACL on my

Here's my current config.  It's all working, just hate not understanding why I have to inspect the inbound dialer traffic.

I'm expecting a 'be glad it's all working' quip, but I would be happy to be enlightened, either way thanks for help.

===================================================

Building configuration...

Current configuration : 6470 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$cmbE$O9/z74e0AL74BajV21drL1
!
username <admin> privilege 15 secret 5 $1$6jPZ$vqPRKVBPKjvDJXSQWm2Ch/
username <name> privilege 15 secret 5 $1$ooPI$0Y8nLN5kSM8bPY/0JCl8h0
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip domain name domain.local
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group <vpngroupname>
 key <vpnkey>
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Ethernet0
 description $ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.201 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address xx.xx.xx.168 255.255.255.0
 ip access-group 101 in
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 in
 ip inspect DEFAULT100 out  [if I remove this line all works fine, except cannot initiate any tcp traffic
                             from the outside (tested 3389 and 5900); everything works if I leave it in.
                             syslog shows packets being permitted through the firewall.]
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname zzzzzzzzzz
 ppp chap password 0 wwwwwwwww
 ppp pap sent-username zzzzzzzz password 0 wwwwwwwwwww
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.33.0 192.168.33.255
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.200 20 xx.xx.xx.168 20 extendable
ip nat inside source static tcp 192.168.1.200 21 xx.xx.xx.168 21 extendable
ip nat inside source static tcp 192.168.1.200 80 xx.xx.xx.168 80 extendable
ip nat inside source static tcp 192.168.1.200 3306 xx.xx.xx.168 3306 extendable
ip nat inside source static tcp 192.168.1.200 3389 xx.xx.xx.168 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
logging 192.168.1.45
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip xx.xx.xx.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq www
access-list 101 permit ip 192.168.33.0 0.0.0.255 any
access-list 101 permit udp any host xx.xx.xx.168 eq non500-isakmp
access-list 101 permit udp any host xx.xx.xx.168 eq isakmp
access-list 101 permit esp any host xx.xx.xx.168
access-list 101 permit ahp any host xx.xx.xx.168
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host xx.xx.xx.168 echo-reply
access-list 101 permit icmp any host xx.xx.xx.168 time-exceeded
access-list 101 permit icmp any host xx.xx.xx.168 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip any 192.168.33.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------

^C
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
!
end

0
 
LVL 2

Author Comment

by:pip_gazebo
ID: 17927413
'I have no ACL on my eth0 outbound' (I was trying to say in that sentence that I left hanging) maybe that's why
CBAC needs to inspect the traffic, just dunno....

0
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17927592
I was going to ask WHY you were inspecting in two directions anyway.

CBAC becomes confusing only because one has to make an educated decision on which "side" of the router to use it before they can actually use it.  If you divide your router into "outside" interfaces and "inside" interfaces, that usually helps the battle early on.  It's generally easiest to inspect on whichever (inside/outside) side has fewer interfaces, for your own sanity.

If you want to inspect on an outside interface, you probably want to inspect in the outbound direction.  Put a single ACL (let's call it 111) on the inbound direction to start, and set it to deny all.  With that in place, all of your internal devices should have full Internet access, and the Internet should have no visibility into your network.  If you want the Internet to be able to access something inside, make an opening in ACL 111.  If you want to explicitly prevent internal device(s) from accessing specific external resources, make a new ACL (let's call it 112) with specific 'deny' statements for the resources you want to block, then be sure to follow those deny entries with a 'permit ip any any'.  That's CBAC in a nutshell.  To inspect on an inside interface, inspect the inbound direction, apply ACL 111 in the outbound direction, and if you have an ACL 112 or equivalent, apply that in the inbound direction.

Super-short summary:

The ACL in the same direction as inspection handles explicit traffic refusals.
The ACL in the opposite direction from inspection handles dynamic traffic openings and explicit service openings.
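The layout described in the comment above (one inspection ruleset in one direction on the outside interface, a deny-all ACL 111 inbound carrying the explicit service openings, and an ACL 112 outbound for explicit refusals), as an added configuration example written for this thread's Dialer0/Ethernet0 router; it is not from the thread or from Cisco. The ruleset name FW_OUT, the [pubip] placeholder and the telnet refusal in ACL 112 are assumptions for illustration.

```cisco
! Added example, not the poster's config: "inspect on the outside interface" pattern.
! [pubip] is a placeholder for the router's public address; 192.168.1.200 is the
! internal server from the thread; FW_OUT is an assumed ruleset name.
!
! One inspection ruleset, applied in ONE direction only (outbound on Dialer0).
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT ftp
ip inspect name FW_OUT smtp
!
! ACL 111 faces the Internet (opposite direction from inspection): start from deny-all,
! and put every explicit service opening here. CBAC adds the dynamic return-traffic
! openings to this ACL by itself. Note the ACE shape: "eq <port>" follows the DESTINATION.
access-list 111 remark explicit service openings for Internet-initiated sessions
access-list 111 permit tcp any host [pubip] eq 3389
access-list 111 permit tcp any host [pubip] eq www
access-list 111 permit tcp any host [pubip] eq smtp
access-list 111 deny   ip any any log
!
! ACL 112 (optional) rides in the SAME direction as inspection: explicit refusals for
! internal hosts, followed by permit-any so everything else is inspected and let out.
! The telnet refusal below is only an illustration of such a deny entry.
access-list 112 deny   tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 112 permit ip any any
!
! Static NAT so the inbound 3389 opening lands on the internal server (as in the thread).
! The inbound ACL on Dialer0 sees the packet before translation, hence "host [pubip]".
ip nat inside source static tcp 192.168.1.200 3389 [pubip] 3389 extendable
!
interface Dialer0
 ip nat outside
 ip access-group 111 in
 ip access-group 112 out
 ip inspect FW_OUT out
!
interface Ethernet0
 ip nat inside
! No ACL and no inspection on Ethernet0, and no second "ip inspect ... in" on Dialer0:
! LAN-initiated sessions get their return path opened dynamically in ACL 111,
! Internet-initiated 3389/www/smtp sessions use the static ACEs above.
```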

Author Comment

by:pip_gazebo
ID: 17929402
Thanks again for the help. I believe I understand everything you are saying, but I don't know if you got my point.

If I only inspect my LAN clients' outbound traffic and put an ACL with deny ANY ANY (okay, let's call it 111) on my dialer inbound,
then my local PCs can reach anything on the web and nothing initiated from the outside can get in. If I then
put a permit statement at the start of ACL 111 to let in TCP 3389 (remote desktop) and have a static NAT entry back to my internal
server, it does not work, i.e. I cannot remote desktop from outside and connect to an internal server. I find that I must
apply an inspection rule to the inbound (from the internet) to get it to work. What you are telling me is that this
should not be necessary, yet I am finding that this is the only way I can get it to work, as per the config above.
[When I look at syslog without the inspection rule applied, it shows me the traffic as being permitted by ACL 111.]

What am I missing, so that I can remove the inspection rule on my dialer0 inbound interface? Or do I need to have
ip inspect DEFAULT100 in
applied to my dialer0 interface? [Which I believe you are telling me should not be necessary.]

Expert Comment

by:pjtemplin
ID: 17929807
"If I only inspect my lan clients outbound traffic" and "put an ACL on my dialer" are CONTRADICTORY.

If you are inspecting the LAN interface, put the ACL on the LAN interface.
If you are inspecting the dialer interface, put the ACL on the dialer interface.
If you want to inspect just one LAN interface, inspect that one interface.

Author Comment

by:pip_gazebo
ID: 17930909
Maybe I'm using the wrong terminology. I am working with 2 interfaces, dialer and eth0.
Each interface can have ACLs or inspection rules applied in either the inbound or outbound
direction, so effectively there are 4 places to put an ACL or an inspection rule.

By "If I only inspect my lan clients outbound traffic" I mean if I apply an inspection rule
at dialer0 outbound. [Apologies for misleading words; I mean traffic initiated on the LAN
which travels from PC to ETH0 INBOUND to DIALER0 OUTBOUND to Internet host, and return
traffic which comes back via DIALER0 INBOUND (where CBAC should allow it through the ACL we are calling
111) to ETH0 OUTBOUND to the PC.]

I have noticed that I can inspect such traffic at either eth0 inbound or dialer0 outbound and CBAC
will permit return traffic through the ACL we are calling 111 at dialer0 inbound. But let's not worry about that added confusion.

In case I have muddied the waters, here is a gross oversimplification.
All my traffic initiated on the LAN works fine. I use an inspection rule on dialer0 outbound which
permits return traffic through the ACL on dialer0 inbound, hunky dory.
But...
When external PCs try to connect (e.g. TCP 3389 remote desktop) to internal hosts on my network,
simply creating a permit statement such as Permit ANY ANY TCP 3389 at the top of ACL 111
does not work, unless I also add an inspection rule to dialer0 inbound.

Everyone is telling me that I should only need 1 inspection rule applied, so I have to be missing something
basic.

Thanks again; if I can give you more pts in the end I will, in light of your patience.

Expert Comment

by:pjtemplin
ID: 17930945
Show us the EXACT syntax you're trying to use in ACL 111 or equivalent.

Too many ACL problems come from not understanding ACL syntax; this one "should" be simple as 'access-list 111 permit tcp any any eq 3389' but better for us to see it in plain text.  Sometimes folks do 'permit tcp any eq 3389 any' which won't solve your need.

Author Comment

by:pip_gazebo
ID: 18015871
Marked exact line  with <-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

At least my config is getting a bit neater, I think. If I don't include that line (apply the Default100
inspection rule to my dialer in), then inbound traffic like, e.g., SMTP doesn't work. All else is OK.
Everything I read tells me that line shouldn't be needed.

Building configuration...

Current configuration : 6586 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1

aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa session-id common
ip subnet-zero
!
!
ip domain name domain.local
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
<snip>
!
!
!
!
interface Ethernet0
 description $ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.201 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address [thisrouterspubip] 255.255.255.0
 ip access-group 101 in
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 in   <-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 ip inspect DEFAULT100 out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <name>
 ppp chap password 0 <password>
 ppp pap sent-username <name> password 0 <password>
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.33.0 192.168.33.255
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.200 20 [thisrouterspubip] 20 extendable
ip nat inside source static tcp 192.168.1.200 21 [thisrouterspubip] 21 extendable
ip nat inside source static tcp 192.168.1.200 25 [thisrouterspubip] 25 extendable
ip nat inside source static tcp 192.168.1.200 80 [thisrouterspubip] 80 extendable
ip nat inside source static tcp 192.168.1.200 3306 [thisrouterspubip] 3306 extendable
ip nat inside source static tcp 192.168.1.200 3389 [thisrouterspubip] 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 [thisroutersgateway]
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip [thisrouterspublicnetwork].0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host [myofficeip1] any
access-list 101 permit ip host [myofficeip2] any
access-list 101 permit ip host [myofficeip3] any
access-list 101 permit tcp any any eq 3306
access-list 101 permit ahp any host [thisrouterspubip]
access-list 101 permit esp any host [thisrouterspubip]
access-list 101 permit udp any host [thisrouterspubip] eq isakmp
access-list 101 permit udp any host [thisrouterspubip] eq non500-isakmp
access-list 101 permit tcp any any eq www
access-list 101 permit ip 192.168.33.0 0.0.0.255 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host [thisrouterspubip] echo-reply
access-list 101 permit icmp any host [thisrouterspubip] time-exceeded
access-list 101 permit icmp any host [thisrouterspubip] unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip any 192.168.33.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
!
end


Expert Comment

by:pjtemplin
ID: 18016064
Please stop using the same inspection ruleset in both directions.  If you feel the need to inspect in both directions, do so using two different rulesets.

Author Comment

by:pip_gazebo
ID: 18028567
Done, the 2nd inspection rule is now called default200, which brings me back to the question:
why do I need it? It should not be required, right?

Expert Comment

by:pjtemplin
ID: 18028956
See above: "You should only inspect in one direction.  If you should have a good reason to inspect in two directions, you probably want to use two different inspection sets."

Author Comment

by:pip_gazebo
ID: 18029007
I have no 'good' reason other than that it doesn't work unless I do it; my understanding is that I should not have to do it.

Thanks for your help, trying to mind my tone yet be concise and clear, hoping that is how it is coming across.

If you were in my shoes you would not inspect internet traffic (e.g. www) coming into the network, right?
I need to know what is wrong with my config that requires me to inspect the traffic for it to be handled correctly.
Accepted Solution

by: pjtemplin (earned 500 total points)
ID: 18188139
I surrendered before an answer was given to the satisfaction of the original poster, so I don't want the points.