?
Solved

Cisco Router CBAC & PPTP

Posted on 2009-07-01
6
Medium Priority
?
1,095 Views
Last Modified: 2012-05-07
Hi,

Im having problems configuring CBAC on a Cisco 871 router -  12.4(22)T. Im getting traffic in and out of the box but certain protocols dont seem to work, specifically PPTP and ICMP. Below are the pertinent parts of my config:

ip inspect name Global_IE tcp
ip inspect name Global_IE udp
ip inspect name Global_IE icmp
ip inspect name Global_IE pptp
!
interface Vlan10
ip address 172.16.0.1 255.255.255.252
 ip access-group Vestibule_Outbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet4
 ip address dhcp
 ip access-group Inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip ips Global_IPS in
 ip ips Global_IPS out
 ip inspect Global_IE out
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip access-list extended Vestibule_Outbound
 permit ip any any
 deny   ip any any log
!
ip access-list extended Inbound
remark Permit DHCP
 permit udp any eq bootps any eq bootpc
deny   ip any any log
!


My understanding of the above configuration is that:

1. PPTP traffic  is allowed by the Vestibule_Outbound ACL inbound to VLAN 10
2. The traffic leaves the fa4 interface since no Outbound ACL is applied.
3. CBAC opens a temporary ACE at the top of the Inbound ACL to allow the return traffic (GRE)

If I let SDM do the configuration I end up with an ACE of permit tcp any any eq gre on the Inbound ACL.  The same for ICMP & NTP. Although this works doesnt this simply open up a hole in the network? Isnt CBAC supposed to allow return traffic dynamically rather than having a specific ACE? Im having the same problem with ICMP too.

Can anyone explain the processing rules that CBAC uses? Ive read conflicting statements that CBAC:

1. First checks the traffic against an ACL then inspects it, if configured to, and finally amends the corresponding ACL to allow the return traffic.

2. Inspects the traffic first then amends the corresponding ACL to allow the return traffic.

Im confused. What is the correct way to accomplish this?

Thanks.
0
Comment
Question by:MrPrince
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24760587
That's the way it is supposed to work, but CBAC has problems with connectionless protocols like UDP, and GRE (in my experience).

Allowing GRE in is not much of a security risk, because by definition, it is an encapsulation protocol.  Something on the inside of your network has to decapsulate it.

I would use the GRE keyword, though:  permit gre any any

Similarly, I've had to add ACL entries similar to:

deny icmp any any redirect
deny icmp any any timestamp-request
deny icmp any any echo
permit icmp any any

(Alternately, you can add permit statements for echo-reply, time exceeded, administratively prohibited, etc.)
0
 
LVL 28

Expert Comment

by:asavener
ID: 24760594
I'll also note that PPTP first uses a TCP connection on port 1723 and then the GRE encapsulation.  The "ip inspect name <name> pptp" might focus primarily on the TCP session.
0
 
LVL 28

Expert Comment

by:asavener
ID: 24760599
Final note: I"ve had to put explicit access list entries in for DNS and SNTP as well.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:MrPrince
ID: 24760691
Oh Ok, so it's working as well as to be expected then. In the end i added the ACE for the GRE tunnel, i know the IP is genuine so it's not a massive security risk. Can you recommend any good protocol timeouts by any chance? I don't know the best practises on those.

Cheers.
0
 
LVL 28

Accepted Solution

by:
asavener earned 600 total points
ID: 24762679
Generally, I've used the defaults unless I had a particular reason to adjust them.  (For example, some clients have applications that they leave open but inactive, and the idle timeout will cause them to have to reconnect; in those cases I've increased the idle timeout.  In another case, they were getting flooded by SYN packets; I reduced the half-open timeout as well as using the half-open connection limits.)
0
 

Author Comment

by:MrPrince
ID: 24768444
Thanks.
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question