  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 674

Cisco Router Access List Help.

Hi,

I'm messing around with Access Lists on an 871 Router. Whenever I apply access list 199 inbound to the outside interface all traffic is stopped by the deny ip any any entry. Is this because the traffic isn't established? I can't seem to add the established property on to an extended ACL.

The whole idea is to try and tighten down what comes in to my router from the outside world.
Any ideas? Thanks.

access-list 199 remark Allow Inbound ICMP
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 echo-reply log
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 source-quench log
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 unreachable log
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 time-exceeded log
access-list 199 deny ip any any log

access-list 200 remark Allow ICMP
access-list 200 permit icmp 172.16.100.0 0.0.0.15 any echo
access-list 200 permit icmp 172.16.100.0 0.0.0.15 any traceroute
access-list 200 remark Allow DNS
! 'host' (wildcard 0.0.0.0) matches only the DNS server; a 255.255.255.255 wildcard would match any address
access-list 200 permit udp 172.16.100.0 0.0.0.15 host 64.59.114.18 eq domain
access-list 200 remark Allow Web
access-list 200 permit tcp 172.16.100.0 0.0.0.15 any eq www
access-list 200 permit tcp 172.16.100.0 0.0.0.15 any eq 443
access-list 200 deny ip any any log

interface vlan10 (inside interface)
 ip access-group 200 out

interface FastEthernet4 (outside interface)
 ip access-group 199 in
Asked by: MrPrince

atlas_shuddered (Sr. Network Engineer) commented:
199 is designed to stop all traffic except for SNMP and a few ICMP ports.  Everything else, including www, smtp, ftp, etc. is being denied as it is built right now.  You'll need to configure a few more lines if you want to allow otherwise.
 
MrPrince (Author) commented:
From an ASA/PIX point of view, is there any way of allowing established traffic leaving an inside interface to be allowed back in through the outside interface? My 199 ACL is really for allowing traffic originating from the outside coming in.

Thanks.
 
ged125 commented:
I recommend adding:

access-list 199 permit tcp any any established

This will allow TCP return traffic back in after it has been established outbound through access list 200 outbound.  Obviously this line will need to go before the deny any any.  When editing the ACL use the "SHOW IP ACCESS" command to see what line numbers have already been created.

For example:

Extended IP access list 199
    10 permit icmp any 172.16.100.0 0.0.0.15 echo-reply log
    20 permit icmp any 172.16.100.0 0.0.0.15 source-quench log
    30 deny ip any any log

Here you can see that the "Deny ip any any log" is step 30 of this access list.  Given that fact, you don't need to delete and recreate the ACL, just insert a step somewhere before 30 like this:

ip access-list extended 199
  29 permit tcp any any established

The way you have it configured now, TCP requests are going out, but the ACK is being blocked by your inbound ACL.  You are going to need to allow return traffic from your DNS servers as well.

Good luck!
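To see why the deny entry catches the return traffic and what the "established" entry inserted at sequence 29 changes, here is an added Python simulation of IOS first-match ACL evaluation (example code written for this page, not from the thread or from Cisco; the sample packets and their outside addresses are constructed). It also shows that "established" only ever matches TCP, which is why the DNS replies still need their own entry.

```python
import ipaddress

def wildcard_match(addr, spec):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care ('host A' and 'any' too)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wc = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    return (a | w) == (n | w)
def parse_entry(line):
    """Parse '<seq> permit|deny <proto> <src> <dst> [qualifiers]' as 'show ip access-lists' prints it."""
    tok, pos, addrs = line.split(), 3, []
    for _ in range(2):                               # source, then destination
        n = 1 if tok[pos] == "any" else 2            # 'any' | 'host A' | 'A WILDCARD'
        addrs.append(" ".join(tok[pos:pos + n])); pos += n
    return {"seq": int(tok[0]), "action": tok[1], "proto": tok[2], "src": addrs[0],
            "dst": addrs[1], "quals": [t for t in tok[pos:] if t != "log"]}

def entry_matches(e, pkt):
    if e["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (wildcard_match(pkt["src"], e["src"]) and wildcard_match(pkt["dst"], e["dst"])):
        return False
    q = e["quals"]
    # 'established' matches only TCP segments with ACK or RST set: replies, never a fresh SYN.
    if "established" in q and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    # For ICMP the remaining qualifiers are message types (echo-reply, unreachable, ...).
    if e["proto"] == "icmp" and q and pkt.get("icmp_type") not in q:
        return False
    return True
def evaluate(acl, pkt):
    """First match in sequence order wins; an unmatched packet hits the implicit deny."""
    for e in sorted(map(parse_entry, acl), key=lambda e: e["seq"]):
        if entry_matches(e, pkt):
            return e["action"], e["seq"]
    return "deny", None

# ACL 199 as listed in the thread, then with the 'established' entry inserted at sequence 29.
ACL199 = ["10 permit icmp any 172.16.100.0 0.0.0.15 echo-reply log",
          "20 permit icmp any 172.16.100.0 0.0.0.15 source-quench log",
          "30 deny ip any any log"]
ACL199_FIXED = ACL199 + ["29 permit tcp any any established"]

# Constructed sample packets arriving inbound on the outside interface (addresses are made up).
SYN_ACK_REPLY = {"proto": "tcp", "src": "198.51.100.10", "dst": "172.16.100.5", "flags": {"SYN", "ACK"}}
UNSOLICITED_SYN = {"proto": "tcp", "src": "198.51.100.10", "dst": "172.16.100.5", "flags": {"SYN"}}
DNS_REPLY = {"proto": "udp", "src": "64.59.114.18", "dst": "172.16.100.5"}
```

Running evaluate(ACL199_FIXED, DNS_REPLY) still returns the deny at sequence 30, which is the gap the stateless "established" keyword leaves for UDP.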
 
bkepford commented:
The way that the IOS firewall works is that you inspect outgoing traffic to allow it back in, and deny incoming.

Here is an example

ip inspect name myfw ftp
ip inspect name myfw tcp
ip inspect name myfw udp

access-list 199 permit icmp any 172.16.100.0 0.0.0.15 echo-reply log
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 source-quench log
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 unreachable log
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 time-exceeded log
access-list 199 deny ip any any log

interface vlan10 (inside interface)
 ip inspect myfw in

interface FastEthernet4 (outside interface)
 ip access-group 199 in
! or you can inspect traffic going out (ip inspect myfw out)

Here is the support link to the IOS firewall

http://www.cisco.com/en/US/products/sw/secursw/ps1018/tsd_products_support_series_home.html
 
MrPrince (Author) commented:
Also 199 isn't actually allowing return ICMP traffic as all traffic is being blocked by the deny ip any any access entry.
 
MrPrince (Author) commented:
Thanks guys, I'll try it out this evening. I prefer the sound of the CBAC solution but I also like the granular control of an extended ACL. I suppose I could use both?

access-list 200 remark Allow ICMP
access-list 200 permit icmp 172.16.100.0 0.0.0.15 any echo
access-list 200 permit icmp 172.16.100.0 0.0.0.15 any traceroute
access-list 200 remark Allow DNS
! 'host' (wildcard 0.0.0.0) matches only the DNS server; a 255.255.255.255 wildcard would match any address
access-list 200 permit udp 172.16.100.0 0.0.0.15 host 64.59.114.18 eq domain
access-list 200 remark Allow Web
access-list 200 permit tcp 172.16.100.0 0.0.0.15 any eq www
access-list 200 permit tcp 172.16.100.0 0.0.0.15 any eq 443
access-list 200 deny ip any any log

ip inspect name myfw icmp
ip inspect name myfw tcp
ip inspect name myfw udp

interface vlan10 (inside interface)
 ip access-group 200 out
 ip inspect myfw out
 
bkepford commented:
This configuration is incorrect:

interface vlan10 (inside interface)
 ip access-group 200 out
 ip inspect myfw out

The direction is always in relation to the router, so your inspect would be inspecting traffic flowing from the outside to the inside and out to the clients. In most cases you block the traffic as it comes in to the router; that way no routing has to occur for traffic that is going to be blocked. I usually do all blocking and marking of traffic as it enters the router. It is best practice.

I would suggest:

interface FastEthernet4 (outside interface)
 ip access-group 199 in

interface vlan10 (inside interface)
 ip inspect myfw in
 
MrPrince (Author) commented:
Works a treat, thanks.