Solved

Cisco Router, ACLs, NAT and permitting established connections

Posted on 2008-06-22
3,437 Views
Last Modified: 2008-09-03
Good evening,

I have a Cisco 877 running the ADVIPSERVICES T-Train image and have the following setup:

                       +-----------+
LAN |==================| Cisco 877 |==================| Internet
     VLAN2             +-----------+             Dialer0
     10.0.250.0/24

ACL for VLAN2 is Inside_Access_In applied to 'in'
ACL for Dialer0 is Outside_Access_In applied to 'in'

Inside_Access_In:
permit tcp 10.0.250.0 0.0.0.255 any
permit udp 10.0.250.0 0.0.0.255 any
permit icmp 10.0.250.0 0.0.0.255 any
deny ip any any log

Outside_Access_In:
???

Here is my problem - I've tried a few different things on the border ACL such as permitting 'established' connections and such, however whenever the ACL is applied I am unable to browse web pages. Everything else works, such as name resolution, etc. Just can't get a page open.

How do I create this ACL so that NAT will punch holes as it needs but won't expose any open ports on the Cisco to the world? I know I am missing something here, however what still eludes me.

Cheers.
Question by:rslqld
LVL 28

Expert Comment

by:Jan Springer
ID: 21841272
Can  you post a sanitized config?
 
LVL 5

Author Comment

by:rslqld
ID: 21841864
Building configuration...

Current configuration : 3055 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Oblivion
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
!
no aaa new-model
!
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.250.0 10.0.250.60
ip dhcp excluded-address 10.0.250.250 10.0.250.255
!
ip dhcp pool LAN
   network 10.0.250.0 255.255.255.0
   dns-server 10.0.250.254
   default-router 10.0.250.254
   lease 2
!
ip dhcp pool dhcp_static_matt
   host 10.0.250.10 255.255.255.0
   client-identifier 0100.18f3.0d78.eb
!
!
ip domain lookup source-interface Dialer0
ip domain name Xembler
ip name-server 203.12.160.35
ip name-server 203.12.160.36
ip inspect name myfw tcp
ip inspect name myfw udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 <REMOVED>
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
 no ip address
 ip virtual-reassembly max-reassemblies 1024
 no ip mroute-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.0.250.254 255.255.255.0
 ip access-group Inside_Access_In in
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap password 0 <REMOVED>
 ppp pap sent-username <REMOVED> password 0 <REMOVED>
 ppp ipcp route default
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source static tcp 10.0.250.100 15881 interface Vlan2 15881
ip nat inside source static udp 10.0.250.100 15881 interface Vlan2 15881
ip nat inside source static tcp 10.0.250.10 15881 interface Dialer0 15881
ip nat inside source route-map natmap interface Dialer0 overload
!
ip access-list extended Inside_Access_In
 permit tcp 10.0.250.0 0.0.0.255 any
 permit udp 10.0.250.0 0.0.0.255 any
 permit icmp 10.0.250.0 0.0.0.255 any
 deny   ip any any log
ip access-list extended Outside_Access_In
 permit tcp any any established
ip access-list extended natlist
 deny   ip 10.0.250.0 0.0.0.255 10.0.80.0 0.0.0.255
 permit ip 10.0.250.0 0.0.0.255 any
!
!
!
!
route-map natmap permit 10
 match ip address natlist
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input all
 transport output ssh
!
scheduler max-task-time 5000
end
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21841903
If you're running the firewall feature set, the default on the public interface is to only allow traffic that originates from the inside back into the router.

On what interface are you applying the firewall rules?
 
LVL 11

Expert Comment

by:rowansmith
ID: 21844243
You do have the Firewall IOS Feature Set correct?

If so then you need to set up IP Inspection Rule(s).

Below is what I do on my border router which is configured in a similar fashion to yours.

Also by default none of your ports on your router are exposed to the outside world unless you specifically enable a NAT function to them.

e.g., to allow telnet to your dialer0 interface you need a NAT rule like this:
ip nat inside source static tcp 10.0.250.254 23 interface Dialer0 23

But if you ever remove the ip nat outside from dialer0, this stops being the case and dialer0 can be telnet'd to and becomes wide open.

Hope this helps.

-Rowan
!-- Setup CBAC Inspection Rules
!-- There are a whole lot of other things that you can enable personally
!-- I don't bother - TCP and UDP get everything and I only need to worry about layer 7 for FTP.
!-- Note this is about how the box deals with dynamic protocols, the only ones I let out are FTP.
!--
ip cef
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp

interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group INT-In in
 ip nat inside
 ip inspect myfw in
 speed auto
!
interface Dialer0
 ip address negotiated <- My ISP gives me an IP address dynamically - you have a static IP address assigned.
 ip access-group EXT-In in
 no ip redirects
 no ip unreachables
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ip inspect myfw in <--- you only need this if you want to let traffic from the outside world into your internal network.
                         In my case I allow RDP access to port 3389; this is the only reason why I need this entry.
                         This entry has no effect on the port 22 NAT rule, because port 22 does not EXIT the router,
                         so port 22 NAT works with or without this entry.
 ppp pap sent-username XXXXXXXXX@dsl.clear.net.nz password 0 XXXXXXXXXXXXXXX
 ppp ipcp dns request
!

!-- This makes every internal connection from inside interface get translated using PAT
!-- for access to an external box.  This is a global translation.
!-- Anything that matches access-list 1 will be NAT'd, anything that does not match access-list 1 will not be NAT'd.
!-- Really you have to NAT everything because you have private IP addresses inside.
ip nat inside source list 1 interface Dialer0 overload

!-- this one NAT's my external dynamically allocated IP address to port 22 on the inside of my router
!-- This allows me to manage my router via SSH from the Internet once I know its public IP address
ip nat inside source static tcp 192.168.1.1 22 interface Dialer0 22

!-- this one would allow port 3389 access to a server on my inside network
!-- when someone connects to the outside interface they get translated through to the inside address
ip nat inside source static tcp 192.168.1.7 3389 interface dialer0 3389

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
!-- This is the access-list that goes on the outside interface and lets packets into my network
!-- I only let in port 22; if I had no inbound NAT rules then I would have nothing in this list
!-- except deny ip any any.  This Access-List is added to dynamically by the IOS each time a packet is let out of the firewall.
!-- e.g., if you made a connection to microsoft.com, this access list would have been added to by the IOS to permit any packets BACK from microsoft.com
!-- the dynamically added access-list entries can be seen by doing show ip access-list when the box is running.  They get dynamically deleted when
!-- the communications are finished.
ip access-list extended EXT-In
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log

!-- This access-list defines what boxes on my internal network are allowed to access the Internet (or the router's interface)
ip access-list extended INT-In
!-- I allow anything on my internal network to telnet, http or ssh to the router for management purposes...
 permit ip any host 192.168.1.1
!-- I also allow broadcast because my router is also my DHCP server
 permit ip any host 255.255.255.255
!-- I deny local subnet broadcast - because I just do - this is not necessarily bad or good, but I have nothing on my router that requires
!-- it to know about the crap that Microsoft Windows sends out.
 deny   ip any host 192.168.1.255
!-- It is good practice to not let out traffic destined for private networks
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
!-- I let out any ICMP - not necessarily best practice but that is what I do..
 permit icmp any any
!-- I let DNS requests go anywhere I damn well please - again should probably be locked down to my upstream DNS Servers
 permit udp any any eq domain
 permit tcp any any eq domain
!-- I allow anything on my internal networks to SSH anywhere in the world
 permit tcp any any eq 22
!-- and FTP and www and https and ntp
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit udp any any eq ntp
! I have some special stuff here for my VPN to work (Checkpoint FW-1 VPN)
!-- i just let everything through to the work Firewalls because I could not be bothered defining rules for
!-- ISAKMP, IPSEC etc etc, at the end of the day I trust work given I run the firewalls
 permit ip any host XXX.XXX.35.129
 permit ip any host XXX.XXX.32.4
 permit ip any host XXX.XXX.32.10

!-- everything else trying to get out I log!
!-- I can check the logs and make sure that I am not stopping legitimate traffic.
 deny   ip any any log

! NAT overload match address list...
access-list 1 permit any

 
LVL 5

Author Comment

by:rslqld
ID: 21861707
Cheers for the responses. My rules will be applied on Dialer0. When I get a chance I will read through the above posted configuration and let you know how I go.
 
LVL 11

Expert Comment

by:rowansmith
ID: 21861745
Great
 
LVL 5

Author Comment

by:rslqld
ID: 21870246
I've made some changes and for some reason the dynamic allows in my external access list are not occurring as you said - which is the issue:

"This Access-List is added to dynamically by the IOS each time a packet is let out of the firewall.
!-- e.g., if you made a connection to microsoft.com, this access list would have been added to by the IOS to permit any packets BACK from microsoft.com
!-- the dynamically added access-list entries can be seen by doing show ip access-list when the box is running.  They get dynamically deleted when
!-- the communications are finished."

ip inspect name myfw tcp
ip inspect name myfw udp


Extended IP access list Outside_Access_In
    10 permit icmp any any echo-reply
    20 permit icmp any any source-quench
    30 permit icmp any any time-exceeded
    40 permit icmp any any host-unreachable
    100 deny ip any any log (67 matches)


interface Dialer0
 ip address negotiated
 ip nat outside
 ip inspect myfw in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap password 0 <removed>
 ppp pap sent-username <removed>@L2TP.tpg.com.au password 0 <removed>
 ppp ipcp route default
 
LVL 11

Expert Comment

by:rowansmith
ID: 21873018
You have not applied the access list to the interface:

interface Dialer0
 ip access-group Outside_Access_In in

 
LVL 5

Author Comment

by:rslqld
ID: 21878138
It was, I removed it because with it enabled I am unable to communicate with the big wide world. When it is applied my issue as stated occurs.
 
LVL 11

Expert Comment

by:rowansmith
ID: 21880481
Do you have

 ip inspect myfw in

on your internal interface?

Can you show me both your access-lists and your interfaces?

You don't need the ip inspect statement on your outside interface if you are not letting anything into your internal network.

Can I also see your NAT rules?
 
LVL 5

Author Comment

by:rslqld
ID: 21881756
Here is my entire running config. If an ACL isn't on an interface, ignore that as I've taken it off tonight to troubleshoot issues:


Building configuration...

Current configuration : 3043 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Oblivion
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
!
no aaa new-model
!
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.250.0 10.0.250.60
ip dhcp excluded-address 10.0.250.250 10.0.250.255
!
ip dhcp pool LAN
   network 10.0.250.0 255.255.255.0
   dns-server 10.0.250.254
   default-router 10.0.250.254
   lease 2
!
ip dhcp pool dhcp_static_matt
   host 10.0.250.10 255.255.255.0
   client-identifier 0100.18f3.0d78.eb
!
!
ip domain lookup source-interface Dialer0
ip domain name Xembler
ip name-server 203.12.160.35
ip name-server 203.12.160.36
ip inspect name myfw tcp
ip inspect name myfw udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 <removed>
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
 no ip address
 ip virtual-reassembly max-reassemblies 1024
 no ip mroute-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.0.250.254 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip inspect myfw in
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip inspect myfw in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap password 0 <removed>
 ppp pap sent-username <removed>@L2TP.tpg.com.au password 0 <removed>
 ppp ipcp route default
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source static tcp 10.0.250.10 15881 interface Dialer0 15881
ip nat inside source route-map natmap interface Dialer0 overload
!
ip access-list extended Inside_Access_In
 permit tcp 10.0.250.0 0.0.0.255 any
 permit udp 10.0.250.0 0.0.0.255 any
 permit icmp 10.0.250.0 0.0.0.255 any
 deny   ip any any log
ip access-list extended Outside_Access_In
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any time-exceeded
 permit icmp any any host-unreachable
 deny   ip any any log
ip access-list extended natlist
 deny   ip 10.0.250.0 0.0.0.255 10.0.80.0 0.0.0.255
 permit ip 10.0.250.0 0.0.0.255 any
!
!
!
!
route-map natmap permit 10
 match ip address natlist
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input all
 transport output ssh
!
scheduler max-task-time 5000
end

 
LVL 11

Expert Comment

by:rowansmith
ID: 21882413
Well from what I see it should work, but you're going to need to extend your access lists for DHCP to operate.

I assume you apply the Inside_Access_In to vlan2?

and

Outside_Access_In to dialer0?

Your outside_access-in is also going to need to allow access to 15881 for your static NAT to work.

So is everything working without your access lists?  Start by just adding your outside access list to the dialer0 interface.

Try and browse the internet and then do a "show ip access-lists" - do you see any additions at the top of the outside-acl-in list?

If you don't it might be time for some "debug ip inspect" ...
 
LVL 11

Expert Comment

by:rowansmith
ID: 21882427
Do you purposely not NAT anything destined for 10.0.80.0/24?  This seems a little odd....
 
LVL 11

Expert Comment

by:rowansmith
ID: 21882451
Also execute a "show ip inspect"; let's see what the firewall thinks it should be doing...

This is what mine looks like:

c1720#sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600

Interface Configuration
 Interface FastEthernet0
  Inbound inspection rule is myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
  Outgoing inspection rule is myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
  Inbound access list is INT-In
  Outgoing access list is not set
 Interface Dialer0
  Inbound inspection rule is not set
  Outgoing inspection rule is myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
  Inbound access list is EXT-In
  Outgoing access list is not set

Established Sessions
 Session 820EA7D4 (192.168.1.65:53023)=>(203.167.223.235:80) tcp SIS_OPEN
 
LVL 11

Expert Comment

by:rowansmith
ID: 21882525
Here is a cleaner output; I had been playing with it:

c1720#sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600

Interface Configuration
 Interface FastEthernet0
  Inbound inspection rule is myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is INT-In
  Outgoing access list is not set

Established Sessions
 Session 820EA7D4 (192.168.1.65:53023)=>(203.167.223.235:80) tcp SIS_OPEN

c1720#sh ip access-lists
Standard IP access list 1
    10 permit any (650240 matches)
Extended IP access list EXT-In
     permit tcp host 216.52.17.134 eq www host 121.72.170.240 eq 49518 (5 matches)
     permit tcp host 64.156.132.140 eq www host 121.72.170.240 eq 49517 (15 matches)
     permit tcp host 203.167.223.235 eq www host 121.72.170.240 eq 53023 (14 matches)
     permit tcp host 206.65.171.167 eq www host 121.72.170.240 eq 49516 (3 matches)
    10 deny ip 10.0.0.0 0.255.255.255 any log
    20 deny ip 172.16.0.0 0.15.255.255 any log (1 match)
    30 deny ip 192.168.0.0 0.0.255.255 any log
    40 deny ip 169.254.0.0 0.0.255.255 any log
    400 permit tcp any any eq 22 log (176 matches)
    10000 deny ip any any log (3144 matches)
Extended IP access list INT-In
    500 permit ip any host 192.168.1.1 (225213 matches)
    600 permit ip any host 255.255.255.255 (2166 matches)
    1000 deny ip any host 192.168.1.255 (139758 matches)
    1100 deny ip any 10.0.0.0 0.255.255.255 log (3 matches)
    1200 deny ip any 172.16.0.0 0.15.255.255 log
    1300 deny ip any 192.168.0.0 0.0.255.255 log
    1400 deny ip any 169.254.0.0 0.0.255.255 log (76 matches)
    2000 permit icmp any any (195 matches)
    2100 permit udp any any eq domain (421569 matches)
    2200 permit tcp any any eq domain (1540 matches)
    2300 permit tcp any any eq 22 (1565 matches)
    2400 permit tcp any any eq www (4815609 matches)
    2500 permit tcp any any eq 443 (142554 matches)
    2600 permit tcp any any eq ftp
    2700 permit udp any any eq ntp (64 matches)
    2800 permit ip any host 203.144.35.129
    2900 permit ip any host 203.144.32.4
    3000 permit ip any host 203.144.32.10
    90000 deny ip any any log (1666 matches)


 
LVL 2

Expert Comment

by:litmuslogic
ID: 21884793
Hi.  Try the following, change this line

ip inspect myfw in

to

ip inspect myfw out

on both Dialer0 and your Vlan2

You want the box to inspect your outbound traffic, in order to setup a state.  In other words, as the connections from the inside to the outside are created, you want the IOS to take notice of the destination address and then dynamically create an acl to allow the traffic sourced from that destination back into your network.    The way you have it now, you are inspecting the inbound traffic.   This information isn't 'interesting' to the router in this case, since you are not doing outbound filtering based on the destination address -- your egress filtering is based on your source.  

Anyway, give it a shot, let us know what happens :)



 
LVL 5

Author Comment

by:rslqld
ID: 21887935
- I assume you apply the Inside_Access_In to vlan2?
Yep.


- Outside_Access_In to dialer0?
Yep. I try to name rules to be pretty obvious.


- So is everything working without your access lists?
Yes.


- Do you purposely not NAT anything destined for 10.0.80.0/24?  This seems a little odd....
That subnet is work head office which is just in the nat rules when I was playing with VPN'ing to our border ASA. Put on hold for now.


For safety's sake I've set 'ip inspect myfw in' and 'ip inspect myfw out' on both VLAN2 and Dialer0.

After browsing the web a bit the ACLs are as follows:

Extended IP access list Inside_Access_In
    10 permit tcp 10.0.250.0 0.0.0.255 any (460274 matches)
    20 permit udp 10.0.250.0 0.0.0.255 any (43289 matches)
    30 permit icmp 10.0.250.0 0.0.0.255 any (65 matches)
    40 deny ip any any log (1423 matches)
Extended IP access list Outside_Access_In
    10 permit icmp any any echo-reply
    20 permit icmp any any source-quench
    30 permit icmp any any time-exceeded
    40 permit icmp any any host-unreachable
    100 deny ip any any log (273 matches)
Extended IP access list natlist
    5 deny ip 10.0.250.0 0.0.0.255 10.0.80.0 0.0.0.255 (2 matches)
    10 permit ip 10.0.250.0 0.0.0.255 any (849650 matches)

NO CHANGE!

Running an 'sh logging' provides the following:

*Apr  9 22:17:45.083: %SEC-6-IPACCESSLOGP: list Outside_Access_In denied tcp 64.12.28.150(5190) -> 60.240.85.246(2149), 6 packets
*Apr  9 22:17:45.083: %SEC-6-IPACCESSLOGP: list Outside_Access_In denied tcp 66.163.181.189(5050) -> 60.240.85.246(4719), 8 packets
*Apr  9 22:18:01.707: %SEC-6-IPACCESSLOGP: list Outside_Access_In denied tcp 60.190.118.244(80) -> 60.240.85.246(14175), 1 packet
*Apr  9 22:18:45.083: %SEC-6-IPACCESSLOGP: list Outside_Access_In denied tcp 64.12.165.109(5190) -> 60.240.85.246(2166), 15 packets
*Apr  9 22:18:45.083: %SEC-6-IPACCESSLOGP: list Outside_Access_In denied udp 203.12.160.35(53) -> 60.240.85.246(53), 145 packets
*Apr  9 22:18:45.083: %SEC-6-IPACCESSLOGP: list Outside_Access_In denied tcp 64.12.30.96(5190) -> 60.240.85.246(3066), 15 packets


So, no progress. Something is fubar'd :(
Having -only- my outside_access_in didn't change anything - can't browse, can't even run an nslookup from CLI.


Output of 'show ip inspect all'

Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30

Interface Configuration
 Interface Vlan2
  Inbound inspection rule is myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
  Outgoing inspection rule is myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
  Inbound access list is not set
  Outgoing access list is not set
 Interface Dialer0
  Inbound inspection rule is myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
  Outgoing inspection rule is myfw
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
  Inbound access list is Outside_Access_In
  Outgoing access list is not set
 
LVL 11

Expert Comment

by:rowansmith
ID: 21888597
This is really weird.

Are you prepared to give me remote ssh access to your router?

I am in New Zealand, call me to discuss if you like.  +64277335564

-Rowan
 
LVL 5

Author Comment

by:rslqld
ID: 21889281
Thanks very much for your help Rowan, this is just weird and borked on many levels.
 
LVL 2

Expert Comment

by:litmuslogic
ID: 21892190
Rslqld, I am sorry, I don't understand from your post -- did you try making the change that I suggested?  

ip inspect myfw out?

NOT in AND out, just out?
 
LVL 2

Expert Comment

by:litmuslogic
ID: 21892223
Rslqld, one more thing -- just to check, could you please post the result of

show ip route

Thanks!
 
LVL 2

Expert Comment

by:litmuslogic
ID: 21892242
Yet one more thing, please -- the output of

show ip int brief


I am trying to understand where the IP addresses in your log are coming from.




 
LVL 5

Author Comment

by:rslqld
ID: 21892341
Yes, I tried just OUT as well. Rowansmith was good enough to SSH in and take a look, and the problem seems to be that the inspect objects aren't being added dynamically to the outer ACL. debug on inspect shows they are being created and destroyed, just not appended to the ACL as part of the process.

But here is the data you requested:

Gateway of last resort is 202.7.162.158 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.250.0 is directly connected, Vlan2
     202.7.162.0/32 is subnetted, 1 subnets
C       202.7.162.158 is directly connected, Dialer0
     60.0.0.0/32 is subnetted, 1 subnets
C       60.240.85.246 is directly connected, Dialer0
S*   0.0.0.0/0 [1/0] via 202.7.162.158


Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up  
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    up  
FastEthernet3              unassigned      YES unset  up                    down
ATM0                       unassigned      YES NVRAM  up                    up  
Vlan1                      unassigned      YES NVRAM  up                    down
Vlan2                      10.0.250.254    YES NVRAM  up                    up  
NVI0                       unassigned      NO  unset  up                    up  
Dialer0                    60.240.85.246   YES IPCP   up                    up  
Virtual-Access1            unassigned      YES unset  up                    up  
 
LVL 11

Expert Comment

by:rowansmith
ID: 21892604
I have applied your config verbatim to my cisco 1700 and it works flawlessly.

I cannot have a vlan2 on my architecture; I used FE0, which is the only difference between the configs.

Your configuration is correct.  Have you tried upgrading to the T5 release to see if this fixes the problem?

Failing that you are going to need to log a fault with the Cisco TAC via your vendor.
 
LVL 5

Author Comment

by:rslqld
ID: 21892972
Not had a chance to flash to T5 yet - seem to have misplaced my stash of Cisco console cables....how I do not know, I've got to have at least 50 of them and can't find a single one.
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 500 total points
ID: 21913633
Any luck with this?
 
LVL 5

Author Comment

by:rslqld
ID: 21913645
So far had no chance to upgrade to T5 - is on a very long list of things to do. Will post back when I get a chance (hopefully this weekend).
 
LVL 5

Author Comment

by:rslqld
ID: 21935150
I finally had a chance to sit and flash to the T5 however it has not helped the situation - ACLs are not being updated dynamically as we'd expect. I am going to try the advipsecurity image at some point and let you know.
 
LVL 5

Accepted Solution

by:
rslqld earned 0 total points
ID: 21935213
I fixed it!!!

Needed 'router-traffic' appended to the ip inspect ruleset:

ip inspect name myfw tcp router-traffic
ip inspect name myfw udp router-traffic

Oblivion(config)#ip inspect name myfw tcp ?
  alert           Turn on/off alert
  audit-trail     Turn on/off audit trail
  router-traffic  Enable inspection of sessions to/from the router
  timeout         Specify the inactivity timeout time
  <cr>
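The mechanism Rowan describes (return-path permit entries injected at the top of the outside ACL for each inspected session, as seen at the top of his EXT-In output) and the 'router-traffic' fix in the accepted solution, modelled as an added Python illustration that is not IOS code and not from anyone in this thread: it evaluates return packets against an Outside_Access_In-style list and shows why the router's own DNS forwarding (the 203.12.160.35(53) denials in rslqld's log) gets no hole until router-traffic is set. Addresses come from the posted config and show output; treating PAT as keeping the original source port and collapsing the four ICMP permits into one are simplifications.

```python
"""Toy model of CBAC (ip inspect) opening return-path holes in an inbound ACL.

Added illustration, not IOS code. It mimics what the thread describes: permit
entries injected at the top of the outside ACL for each inspected outbound
session, and the 'router-traffic' keyword's effect on sessions the router
itself originates. PAT is simplified to keep the original source port.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Packet = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

ROUTER_INSIDE = "10.0.250.254"    # Vlan2 address from the posted config
ROUTER_OUTSIDE = "60.240.85.246"  # Dialer0 address from 'show ip int brief'
ISP_DNS = "203.12.160.35"         # first 'ip name-server' in the config
LAN_PREFIX = "10.0.250."          # 10.0.250.0/24, NAT'd via 'natlist'


@dataclass
class Ace:
    """One access-list entry; None in a field means 'any'."""
    action: str
    proto: str                    # "tcp", "udp", "icmp" or "ip"
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        proto, src, sport, dst, dport = p
        return ((self.proto == "ip" or self.proto == proto)
                and self.src in (None, src) and self.sport in (None, sport)
                and self.dst in (None, dst) and self.dport in (None, dport))


@dataclass
class OutsideAcl:
    """Outside_Access_In: configured entries plus CBAC-injected ones on top."""
    static: List[Ace]
    dynamic: List[Ace] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def evaluate(self, p: Packet) -> str:
        # Dynamic entries are checked first, just as 'show ip access-lists'
        # prints them above the numbered configured lines.
        for ace in self.dynamic + self.static:
            if ace.matches(p):
                if ace.log and ace.action == "deny":
                    proto, src, sport, dst, dport = p
                    self.log.append("%SEC-6-IPACCESSLOGP: list Outside_Access_In "
                                    f"denied {proto} {src}({sport}) -> {dst}({dport}), 1 packet")
                return ace.action
        return "deny"             # implicit deny at the end of every ACL


@dataclass
class Inspector:
    """'ip inspect name myfw tcp/udp [router-traffic]' applied to traffic
    leaving towards Dialer0; opens the matching return path."""
    acl: OutsideAcl
    router_traffic: bool = False

    def outbound(self, p: Packet) -> bool:
        """Return True if a session (and so a return-path ACE) was created."""
        proto, src, sport, dst, dport = p
        if proto not in ("tcp", "udp"):
            return False
        if src in (ROUTER_INSIDE, ROUTER_OUTSIDE) and not self.router_traffic:
            # Default CBAC: only transit traffic is inspected, so the router's
            # own sessions (its DNS forwarding, CLI nslookup) get no hole.
            return False
        nat_src = ROUTER_OUTSIDE if src.startswith(LAN_PREFIX) else src  # PAT
        self.acl.dynamic.insert(0, Ace("permit", proto, dst, dport, nat_src, sport))
        return True


# The static part of Outside_Access_In as posted (the four ICMP permits collapsed).
OUTSIDE_ACCESS_IN = [Ace("permit", "icmp"), Ace("deny", "ip", log=True)]


def run_scenario(router_traffic: bool) -> dict:
    """Replay three flows from the thread and report what the outside ACL does."""
    acl = OutsideAcl(static=list(OUTSIDE_ACCESS_IN))
    fw = Inspector(acl, router_traffic)
    # 1. A LAN host browsing: transit traffic, inspected on Vlan2 and PAT'd.
    fw.outbound(("tcp", "10.0.250.10", 14175, "60.190.118.244", 80))
    web_reply = acl.evaluate(("tcp", "60.190.118.244", 80, ROUTER_OUTSIDE, 14175))
    # 2. The router forwarding a client's DNS query ('ip dns server' plus
    #    'ip domain lookup source-interface Dialer0'): router-originated.
    fw.outbound(("udp", ROUTER_OUTSIDE, 53, ISP_DNS, 53))
    dns_reply = acl.evaluate(("udp", ISP_DNS, 53, ROUTER_OUTSIDE, 53))
    # 3. An unsolicited inbound segment with no session behind it.
    unsolicited = acl.evaluate(("tcp", "64.12.28.150", 5190, ROUTER_OUTSIDE, 2149))
    return {"web_reply": web_reply, "dns_reply": dns_reply,
            "unsolicited": unsolicited, "dynamic_entries": len(acl.dynamic),
            "log": list(acl.log)}
```

Without router-traffic the LAN web session gets its hole but the DNS reply to the router is logged and dropped exactly like the posted %SEC-6-IPACCESSLOGP lines; with it, both replies pass while the unsolicited segment is still denied.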
 
LVL 2

Expert Comment

by:litmuslogic
ID: 21989410
Interesting!  Well, congrats!! :)