Solved

cisco access list help

Posted on 2010-11-15
Last Modified: 2012-05-10
Hi all, below is my current inbound ACL, applied to my dialer interface in the "in" direction.

I have NAT rules that forward all the traffic (SMTP, HTTPS, HTTP, MySQL) to the address 192.168.20.1 (my firewall).

But as you can see, I have applied the ACL INBOUND on my dialer interface and the matches aren't going up; I've even tested our website externally and the increments haven't gone up.

Also, we have GRE tunnels on 192.168.100.0/24, so I've added
    80 permit udp 192.168.96.0 0.0.15.255 any eq isakmp
and those increments aren't going up either.

Can anyone help me out getting my ACL working?

The network goes:

INTERNET------- VLAN 101 (192.168.101.0/24) - VLAN 201 (192.168.201.0/24) - TUNNEL 1 (192.168.100.0/24)
Extended IP access list INBOUND
    10 permit tcp 192.168.96.0 0.0.15.255 any eq 22
    20 permit tcp 172.30.0.0 0.0.7.255 any eq 22
    30 deny tcp any any eq 22 (8 matches)
    40 deny tcp any host 192.168.101.254 eq telnet
    50 deny tcp any host 192.168.201.254 eq telnet
    60 permit tcp 192.168.96.0 0.0.7.255 192.168.96.0 0.0.7.255 eq telnet
    70 deny tcp any any eq telnet
    80 permit udp 192.168.96.0 0.0.15.255 any eq isakmp
    90 permit tcp any host 192.168.201.1 eq www
    100 permit tcp any host 192.168.101.5 eq www
    110 permit tcp any host 192.168.201.1 eq 443
    120 permit tcp any host 192.168.101.5 eq 443
    130 permit tcp any host 192.168.201.1 eq 3306
    140 permit tcp any host 192.168.101.5 eq 3306
    150 permit tcp any host 192.168.201.1 eq smtp
    160 permit tcp any host 192.168.101.2 eq smtp
    170 permit ip any any (821805 matches)

Question by:awilderbeast
40 Comments

Expert Comment

by:Faruk Onder Yerli
ID: 34140313
hello awilderbeast;

You need to send all configuration about NAT, the NAT interfaces and the related ACLs, or the entire config. NAT is not just related to ACLs.
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 34143859
OK, here it is.

I noticed the public IP ACL has gone up.

I figured that I may have to make the ACL for the public IP, as I've added it to the Dialer 1 interface inbound; it won't understand internal ranges, yes?

So I think I need to change all the local ranges in the inbound list to the public IP?

Not too sure about the GRE tunnels yet though.

Cheers
ip nat inside source static tcp 192.168.201.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.201.1 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.201.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.201.1 443 interface Dialer1 443

Extended IP access list EXTERNAL_ACCESS
    10 deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255 (97754 matches)
    20 deny ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255 (42956 matches)
    30 permit tcp any any eq smtp (1015 matches)
    40 permit tcp any any eq 443 (24331 matches)
    50 permit ip 192.168.11.0 0.0.0.255 any
    60 permit ip 192.168.12.0 0.0.0.255 any
    70 permit ip 192.168.101.0 0.0.0.255 any (1211557 matches)
    80 permit ip 192.168.201.0 0.0.0.255 any (56223 matches)
    90 permit ip 192.168.250.0 0.0.0.255 any (22 matches)
    100 deny ip any any (785504 matches)
Extended IP access list INBOUND
    10 permit tcp 192.168.96.0 0.0.15.255 any eq 22
    20 permit tcp 172.30.0.0 0.0.7.255 any eq 22
    30 deny tcp any any eq 22 (16 matches)
    40 deny tcp any host 192.168.101.254 eq telnet
    50 deny tcp any host 192.168.201.254 eq telnet
    60 permit tcp 192.168.96.0 0.0.7.255 192.168.96.0 0.0.7.255 eq telnet
    70 deny tcp any any eq telnet (4 matches)
    80 permit udp 192.168.96.0 0.0.15.255 any eq isakmp
    89 permit tcp any host 7x.xxx.xxx.xxx eq www (34374 matches)
    90 permit tcp any host 192.168.201.1 eq www
    100 permit tcp any host 192.168.101.5 eq www
    110 permit tcp any host 192.168.201.1 eq 443
    120 permit tcp any host 192.168.101.5 eq 443
    130 permit tcp any host 192.168.201.1 eq 3306
    140 permit tcp any host 192.168.101.5 eq 3306
    150 permit tcp any host 192.168.201.1 eq smtp
    160 permit tcp any host 192.168.101.2 eq smtp
    170 permit ip any any (2040728 matches)

interface Loopback0
 ip address 192.168.250.1 255.255.255.0
 !
!
interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
 !
!
interface ATM0
 description PPP DIALER
 no ip address
 no atm ilmi-keepalive
 !
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
 !
!
interface FastEthernet2
 description Suite 2 LAN
 switchport access vlan 101
 duplex half
 speed 10
 !
!
interface FastEthernet3
 description Suite 2 Firewall
 switchport access vlan 201
 duplex half
 speed 10
 !
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMVPN
 !
!
interface Vlan1
 ip address 192.168.11.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan2
 ip address 192.168.12.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan201
 ip address 192.168.201.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Dialer1
 ip address negotiated
 ip access-group INBOUND in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1300
 load-interval 30
 dialer pool 1
 no cdp enable
 crypto map RemoteVPNS
 !


Expert Comment

by:mikecr
ID: 34517199
Keep in mind that ACLs won't work on the private addressing if the public IP address is what people are connecting to from the outside world. Your access list needs to specify the public IP that they see on the outside world, because NAT doesn't take place unless a packet crosses two interfaces. Change to public IPs and see if your access list increments then.

Expert Comment

by:Kvistofta
ID: 34517261
Inbound traffic on dialer interface (from internet) is always sourced from public addresses. Why do you have permits for traffic sourced from 192.168-addresses?

/Kvistofta

Author Comment

by:awilderbeast
ID: 34517402
Yeah, that's what I've just realised: why would internal IPs come in on the public interface? I've cleaned it up to look like this now...

3306 is MySQL, but the MySQL server is hosted on the same machine as the web server. It's the web server that processes the MySQL requests, isn't it? The clients connecting will not need to have access to port 3306, will they? Nor 1433 for SQL Server?

You see, I'm working to get rid of that permit ip any any. I have TMG sorting out the traffic, but an ACL will help a lot I know, so I want rid of it without taking down services.

We have IPsec GRE tunnels operating on this public IP; do I need to allow those to my public IP?
Are they UDP 500? and...?

I'm trying to think of all the services we use that need incoming traffic from a public IP. What are some other standard ports?

Thanks for your help
Extended IP access list INBOUND
    10 deny tcp any any eq 22 (1520 matches)
    20 deny tcp any any eq telnet (961 matches)
    30 permit tcp any host 7x.xxx.xxx.xxx eq www (3240300 matches)
    40 permit tcp any host 7x.xxx.xxx.xxx eq smtp (31 matches)
    50 permit tcp any host 7x.xxx.xxx.xxx eq 443 (16 matches)
    60 permit tcp any host 7x.xxx.xxx.xxx eq 3306
    70 permit ip any any (383310925 matches)


Expert Comment

by:Kvistofta
ID: 34517441
No, you will probably not have incoming MySQL traffic from the internet unless it is inside a VPN tunnel.

You have GRE tunnels, but since they are protected by IPsec all you need to open is isakmp (udp/500) and esp (ip/50). So you need to allow those to your router's public IP from anyone you want to VPN with.

What else? Do you manage your router over the internet? You deny SSH in line 1, but wouldn't it be nice to be able to control your router over SSH from the internet?

Anything else I can help you with in this matter?

/Kvistofta

Author Comment

by:awilderbeast
ID: 34517571
OK, sorted that out now I think; just hope nothing goes down when I deny.

just another thought too

when i deny, returning web traffic will not be allowed in from users

if i add this...

CBAC
ip inspect name UserTraffic http
ip inspect name UserTraffic https

int vlan 101 (user vlan)
ip inspect UserTraffic out
int vlan 201 (firewall vlan)
ip inspect UserTraffic out

will that allow the traffic to return ok?
do i need to do the same for any other traffic?

Expert Comment

by:mikecr
ID: 34517642
I would agree, you won't have any database traffic coming over the internet, it's a bad idea anyhow. Don't forget to add Protocol 51 also for IPSEC AH.

Author Comment

by:awilderbeast
ID: 34517672
Is IPsec AH TCP?
Are there any other protocols for the VPNs?

71 permit tcp any host 7x.xxx.xxx.xxx eq 51

and is my CBAC list ok for web traffic?

CBAC
ip inspect name UserTraffic http
ip inspect name UserTraffic https

int vlan 101 (user vlan)
ip inspect UserTraffic out
int vlan 201 (firewall vlan)
ip inspect UserTraffic out

Expert Comment

by:mikecr
ID: 34517688
IP inspect for http/https is commonly used for url filtering like Websense or Surfcontrol. Are you using these products or are you using the "java-list" filter for java applets?

Expert Comment

by:Kvistofta
ID: 34517718
no, ipsec is normally isakmp (udp/500) and either esp (ip/50) or ah (ip/51).

ip/50 means that it is a specific ip-protocol just as tcp/udp

permit udp any any eq 500
permit esp any any

And yes your cbac looks good.

/Kvistofta

Author Comment

by:awilderbeast
ID: 34517786
do i need to permit GRE ?

permit gre any host 7xx.xxx.xxx.xxx

i have forefront TMG to handle the web traffic
when i turn on the deny any any on my inbound users returning web traffic would be blocked would it
so the CBAC would allow the traffic to return yes?

Thanks

Author Comment

by:awilderbeast
ID: 34517804
Also, I don't need to permit EIGRP, do I, as that's encapsulated in an IPsec packet?


Thanks

Expert Comment

by:Kvistofta
ID: 34517828
No, you dont. You are right. ;)

/Kvistofta

Author Comment

by:awilderbeast
ID: 34517869
Do I need to allow GRE or is that encapsulated also?

And is CBAC the best solution for returning traffic and having a deny any on the inbound?

Thank you

Expert Comment

by:Kvistofta
ID: 34518488
No, you do not have to care about GRE since that is encapsulated.

Yes, CBAC is a good solution for return traffic, and you should keep a very tight ACL for inbound traffic.

/Kvistofta

Expert Comment

by:mikecr
ID: 34519858
IP Inspect works on a session basis so if outbound traffic is allowed, then it will pass and vice versa.

Author Comment

by:awilderbeast
ID: 34523503
I just put in my deny ip any any and had to remove it straight away; could not browse the web.

I've included the relevant config below if you could check it over?

It all looks right to me, but obviously can't be.

Thanks
Extended IP access list INBOUND
    10 deny tcp any any eq 22 (1537 matches)
    20 deny tcp any any eq telnet (961 matches)
    30 permit tcp any host 7x.xxx.xxx.xxx eq www (3301932 matches)
    40 permit tcp any host 7x.xxx.xxx.xxx3 eq smtp (10500 matches)
    50 permit tcp any host 7x.xxx.xxx.xxx eq 443 (6418 matches)
    60 permit udp any host 7x.xxx.xxx.xxx eq isakmp (6954 matches)
    70 permit esp any host 7x.xxx.xxx.xxx (433555 matches)
    80 permit ahp any host 7x.xxx.xxx.xxx
    90 permit ip any any (384174231 matches)
Extended IP access list OUTBOUND
    10 deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255 (9 matches)
    20 deny ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255 (9 matches)
    30 permit tcp any any eq smtp (3 matches)
    40 permit tcp any any eq 443 (335 matches)
    50 permit ip 192.168.101.0 0.0.0.255 any (12653 matches)
    60 permit ip 192.168.201.0 0.0.0.255 any (748 matches)
    70 permit ip 192.168.250.0 0.0.0.255 any
    80 deny ip any any (5437 matches)

interface Dialer1
 ip address negotiated
 ip access-group INBOUND in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1300
 load-interval 30
 dialer pool 1
 ppp chap hostname 
 ppp chap password 
 no cdp enable
 crypto map RemoteVPNS
 !
end

ip nat inside source list OUTBOUND interface Dialer1 overload

ip inspect name UserTraffic http
ip inspect name UserTraffic https

interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip inspect UserTraffic out
 ip virtual-reassembly
 !
end
interface Vlan201
 ip address 192.168.201.254 255.255.255.0
 ip nat inside
 ip inspect UserTraffic out
 ip virtual-reassembly
 !
end


Expert Comment

by:Kvistofta
ID: 34524248
In your "permit ip any any" statement at the end, try adding "log" at the end to make the router log all individual hits on that line. Then you'll see exactly what is being hit there. If you have a newer IOS you can also add "tag WHATEVER" to make the tag "WHATEVER" mark your logging lines.

/Kvistofta

Author Comment

by:awilderbeast
ID: 34524265
I can just see web and DNS traffic getting passed through, but when I denied all and tried to let CBAC let the web traffic through, it failed. DNS issue? Do I need to allow DNS through CBAC or allow DNS to the router?

Expert Comment

by:Kvistofta
ID: 34524455
I don't think that your CBAC works. Can you post your entire config?

/Kvistofta

Author Comment

by:awilderbeast
ID: 34524495
here it is, minus sensitive info

thanks
!
! Last configuration change at 22:07:11 CST Mon Jan 10 2011 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWCH
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
enable secret 5  
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RA_AUTH group radius local
aaa authorization network RA_CWORKS local 
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone CST 5
clock summer-time CDT recurring
clock save interval 24
!
crypto pki trustpoint TP-self-signed-264716771
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-264716771
 revocation-check none
 rsakeypair TP-self-signed-264716771
!
!
crypto pki certificate chain TP-self-signed-264716771
 
  	quit
dot11 syslog
ip source-route
!
!
ip dhcp smart-relay
no ip dhcp relay information check
!
!
ip cef
ip domain name  
ip name-server 213.249.130.100
ip name-server 192.168.101.1
ip inspect name UserTraffic http
ip inspect name UserTraffic https
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
username admin privilege 15 secret 5 
!
!
ip ssh version 2
!
! 
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 7800
crypto isakmp key   address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group RA_CWORKS
 key C0nstrucT
 dns 192.168.101.1
 domain  
 pool vpnclient
crypto isakmp profile VPNclient
   match identity group RA_CWORKS
   client authentication list RA_AUTH
   isakmp authorization list RA_CWORKS
   client configuration address respond
   virtual-template 1
!
crypto ipsec security-association idle-time 7800
!
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac 
 mode transport
crypto ipsec transform-set RemoteVPNS ah-sha-hmac esp-3des 
crypto ipsec transform-set TraceyVPN esp-3des esp-sha-hmac 
crypto ipsec transform-set JuneVPN esp-3des esp-sha-hmac 
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_SET 
!
!
crypto dynamic-map RemoteVPNS 30
 set transform-set DMVPN_SET 
 set isakmp-profile VPNclient
 reverse-route
!
crypto dynamic-map VPN 5
 set transform-set DMVPN_SET 
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map RemoteVPNS 10 ipsec-isakmp 
 set peer  
 set transform-set TraceyVPN 
 match address TraceyVPN
crypto map RemoteVPNS 20 ipsec-isakmp 
 set peer  
 set transform-set JuneVPN 
 match address JuneVPN
!
crypto map VPN 1 ipsec-isakmp dynamic VPN 
!
!
!
!
interface Loopback0
 ip address 192.168.250.1 255.255.255.0
 !
!
interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication  
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN
 !
!
interface ATM0
 description PPP DIALER TO KAROO
 no ip address
 no atm ilmi-keepalive
 !
 pvc 1/50 
  dialer pool-member 1
  protocol ppp dialer
 !
!
interface FastEthernet0
 description Suite 1 WLAN
 duplex half
 speed 10
 !
!
interface FastEthernet1
 description Suite 2 WLAN
 switchport access vlan 2
 duplex half
 speed 10
 !
!
interface FastEthernet2
 description Suite 2 LAN
 switchport access vlan 101
 duplex half
 speed 10
 !
!
interface FastEthernet3
 description Suite 2 Firewall
 switchport access vlan 201
 duplex half
 speed 10
 !
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMVPN
 !
!
interface Vlan1
 no ip address
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
 shutdown
 !
!
interface Vlan2
 no ip address
 ip helper-address 192.168.101.1
 ip nat inside
 ip virtual-reassembly
 shutdown
 !
!
interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.168.101.1
 ip nat inside
 ip inspect UserTraffic out
 ip virtual-reassembly
 !
!
interface Vlan201
 ip address 192.168.201.254 255.255.255.0
 ip nat inside
 ip inspect UserTraffic out
 ip virtual-reassembly
 !
!
interface Dialer1
 ip address negotiated
 ip access-group INBOUND in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1300
 load-interval 30
 dialer pool 1
 ppp chap hostname  
 ppp chap password 7 
 no cdp enable
 crypto map RemoteVPNS
 !
!
!
router eigrp 100
 network 192.168.11.0
 network 192.168.12.0
 network 192.168.100.0
 network 192.168.101.0
 redistribute static
!
ip local pool vpnclient 192.168.250.2 192.168.250.10
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat source static tcp 192.168.101.5 1433 interface Dialer1 1433
ip nat inside source static tcp 192.168.11.99 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.201.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.201.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.201.1 443 interface Dialer1 443
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INBOUND
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 permit tcp any host 7x.xxx.xxx.xxx eq www
 permit tcp any host 7x.xxx.xxx.xxx eq smtp
 permit tcp any host 7x.xxx.xxx.xxx eq 443
 permit udp any host 7x.xxx.xxx.xxx eq isakmp
 permit esp any host 7x.xxx.xxx.xxx
 permit ahp any host 7x.xxx.xxx.xxx
 permit tcp any host 7x.xxx.xxx.xxx eq 54321
 permit udp any host 7x.xxx.xxx.xxx eq 54321
 permit ip any any log ACLINFO
ip access-list extended JuneVPN
 permit ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
ip access-list extended OUTBOUND
 deny   ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
 deny   ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.201.0 0.0.0.255 any
 permit ip 192.168.250.0 0.0.0.255 any
 deny   ip any any
ip access-list extended TraceyVPN
 permit ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
!
no cdp run

!
!
!
!
radius-server host 192.168.101.10 auth-port 1812 acct-port 1813 key  
!
control-plane
 !
!
banner motd 
################################# WARNING!#################################
          
Access to this device is for authorized users only. Unauthorized access is
strictly prohibted! Unauothorized users will be prosecuted!

###########################################################################

!
line con 0
 privilege level 15
 logging synchronous
 login authentication NO_LOGIN
 no modem enable
line aux 0
 
line vty 0 4
 privilege level 15
 
 logging synchronous
 transport input ssh
!
scheduler max-task-time 5000
end


Accepted Solution

by:Kvistofta (earned 400 total points)
ID: 34524550
Ah! This line should be put on outside interface (dialer1), not on the inside!

ip inspect UserTraffic out

Remove it from the vlan interfaces and put it on outside instead. Right now you inspect in the wrong direction...

/Kvistofta

Author Comment

by:awilderbeast
ID: 34524578
done that, so now if i put my deny any any back in we should have web access this time?

also do i need to worry about letting dns in/out?

do i need to

ip access-list extended INBOUND
91 permit udp any host 7x.xxx.xxx.xxx eq 53

thanks

Expert Comment

by:mikecr
ID: 34524816
I believe access lists take precedence over CBAC inspection so if you deny a tcp session such as HTTP, it won't get inspected. Why do you need a deny ip any statement? The default at the end of an access list is to deny everything, unless you do permit ip any. I see you have a permit tcp 443 but you don't have a permit http statement in your access list. You will want to add that and try again.

Author Comment

by:awilderbeast
ID: 34524879
I have a permit for HTTP already, 4th line permit www.

I add a deny any so I can see a counter for denied traffic, sort of a hint for any malicious traffic if it suddenly goes up a lot.

So everything should be golden now then?
I'll give it another try?


ip access-list extended INBOUND
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 permit tcp any host 7x.xxx.xxx.xxx eq www
 permit tcp any host 7x.xxx.xxx.xxx eq smtp
 permit tcp any host 7x.xxx.xxx.xxx eq 443
 permit udp any host 7x.xxx.xxx.xxx eq isakmp
 permit esp any host 7x.xxx.xxx.xxx
 permit ahp any host 7x.xxx.xxx.xxx
 permit tcp any host 7x.xxx.xxx.xxx eq 54321
 permit udp any host 7x.xxx.xxx.xxx eq 54321


Assisted Solution

by:Kvistofta
Kvistofta earned 400 total points
ID: 34525044
mikecr: No, it is not like that.

On your outside interface you have an inbound acl blocking traffic from internet. On the same interface you have an inspect on OUTBOUND traffic. What happens with outbound traffic is that the inbound return-traffic will be allowed even if the inbound acl normally blocks that traffic.

If you need a permit-statement inbound on outside there is no need for CBAC. ;)

awilderbeast: Your line 4 permits traffic with 80 as destination-port inbound. That is not the same as return-traffic for your outbound-traffic (cbac:ed) because that return-traffic will have port 80 as a source-port which is quite the opposite.

If you wanted to allow return-traffic for outbound web-traffic without using cbac you have to do something like this:
permit tcp any eq 80 any
which is not the same as:
permit tcp any any eq 80

Anyway, you do not wanna do that, for a number of reasons. Cbac is good.

/Kvistofta
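To make the source-port versus destination-port point concrete, here is an added example (my own code, not from this thread or from Cisco): a small evaluator for IOS extended ACL entries with wildcard-mask semantics, run over the thread's final INBOUND list. The public address 203.0.113.1 and the packets are constructed stand-ins. It shows that the inbound "permit ... eq www" entry admits a fresh web request but not the reply half of a browse started from inside (or a DNS reply), while "permit tcp any eq 80 any" would.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "isakmp": 500, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")   # (network, wildcard) for the keyword "any"

@dataclass
class Packet:
    proto: str      # "tcp", "udp", "esp", "ahp", ...
    src: str
    dst: str
    sport: int = 0  # 0 when the protocol has no ports
    dport: int = 0

@dataclass
class Ace:
    permit: bool
    proto: str
    src: Tuple[str, str]   # (network, wildcard); "host X" is (X, "0.0.0.0")
    sport: Optional[int]   # None when the entry has no "eq" on that side
    dst: Tuple[str, str]
    dport: Optional[int]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    # Cisco wildcard semantics: a 0 bit must match, a 1 bit is "don't care".
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def parse_ace(line: str) -> Ace:
    # Grammar handled: action proto src [eq port] dst [eq port] [log [tag]]
    toks, pos = line.split(), 2
    def addr() -> Tuple[str, str]:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return ANY
        if toks[pos] == "host":
            pos += 2
            return (toks[pos - 1], "0.0.0.0")
        pos += 2
        return (toks[pos - 2], toks[pos - 1])
    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return PORT_NAMES.get(toks[pos - 1]) or int(toks[pos - 1])
        return None
    src, sport = addr(), port()
    dst, dport = addr(), port()
    return Ace(toks[0] == "permit", toks[1], src, sport, dst, dport)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    return ace.dport is None or pkt.dport == ace.dport

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    # First matching entry wins; no match is the implicit deny (index None).
    for idx, line in enumerate(acl):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ("permit" if ace.permit else "deny", idx)
    return ("deny", None)

PUBLIC_IP = "203.0.113.1"   # constructed stand-in for the masked Dialer1 address
INBOUND = [
    "deny tcp any any eq 22",
    "deny tcp any any eq telnet",
    f"permit tcp any host {PUBLIC_IP} eq www",
    f"permit tcp any host {PUBLIC_IP} eq smtp",
    f"permit tcp any host {PUBLIC_IP} eq 443",
    f"permit udp any host {PUBLIC_IP} eq isakmp",
    f"permit esp any host {PUBLIC_IP}",
    f"permit ahp any host {PUBLIC_IP}",
    "deny ip any any log ACLDENY",
]

# Constructed packets: a new inbound web request, the reply half of a browse a
# user started from inside, and a DNS reply to a query the router sent out.
web_request = Packet("tcp", "198.51.100.7", PUBLIC_IP, sport=51234, dport=80)
web_reply = Packet("tcp", "198.51.100.7", PUBLIC_IP, sport=80, dport=41924)
dns_reply = Packet("udp", "198.51.100.53", PUBLIC_IP, sport=53, dport=54442)

def demo() -> dict:
    return {
        "web_request": evaluate(INBOUND, web_request),  # ('permit', 2)
        "web_reply": evaluate(INBOUND, web_reply),      # ('deny', 8): only CBAC lets this in
        "dns_reply": evaluate(INBOUND, dns_reply),      # ('deny', 8): same
        # The two lines contrasted above, applied to the same reply packet:
        "sport_ace": evaluate(["permit tcp any eq 80 any"], web_reply),  # ('permit', 0)
        "dport_ace": evaluate(["permit tcp any any eq 80"], web_reply),  # ('deny', None)
    }
```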

Author Comment

by:awilderbeast
ID: 34525423
Thanks

I just gave it another test; this time web was OK. I added this

110 deny ip any any log INBOUNDACL

then I viewed the log and saw these.

Just seeing what each of them are.
Do I need to allow DNS through the CBAC?
And any of the other ports that we might need to use?
*Jan 10 19:45:00.269: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 212.118.234.153(443) -> 7.xxx.xxx.xxx(20987), 1 packet  [INBOUNDACL]
*Jan 10 19:45:01.789: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 68.142.83.183(27017) -> 7.xxx.xxx.xxx(33589), 1 packet  [INBOUNDACL]
*Jan 10 19:45:03.401: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 213.249.130.100(53) -> 7.xxx.xxx.xxx(54442), 1 packet  [INBOUNDACL]
*Jan 10 19:45:07.650: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 213.249.130.100(53) -> 7.xxx.xxx.xxx(53848), 1 packet  [INBOUNDACL]
*Jan 10 19:45:10.331: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 69.28.151.27(27031) -> 7.xxx.xxx.xxx(41924), 1 packet  [INBOUNDACL]
*Jan 10 19:45:11.495: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 65.55.37.62(53) -> 7.xxx.xxx.xxx(54244), 1 packet  [INBOUNDACL]
*Jan 10 19:45:14.028: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 68.142.83.179(27031) -> 7.xxx.xxx.xxx(41936), 1 packet  [INBOUNDACL]
*Jan 10 19:45:15.256: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 65.55.226.140(53) -> 7.xxx.xxx.xxx(54244), 1 packet  [INBOUNDACL]
*Jan 10 19:45:17.044: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 93.186.25.33(3101) -> 7.xxx.xxx.xxx(64135), 1 packet  [INBOUNDACL]
*Jan 10 19:45:18.057: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 69.28.153.106(27031) -> 7.xxx.xxx.xxx(41939), 1 packet  [INBOUNDACL]
*Jan 10 19:45:19.353: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 213.249.130.100(53) -> 7.xxx.xxx.xxx(54307), 1 packet  [INBOUNDACL]
*Jan 10 19:45:21.197: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 213.249.130.100(53) -> 7.xxx.xxx.xxx(54472), 1 packet  [INBOUNDACL]
*Jan 10 19:45:22.270: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 213.249.130.100(53) -> 7.xxx.xxx.xxx(54920), 1 packet  [INBOUNDACL]
*Jan 10 19:45:23.530: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 65.55.122.232(2492) -> 7.xxx.xxx.xxx(2492), 1 packet  [INBOUNDACL]
*Jan 10 19:45:24.718: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 69.25.20.102(53) -> 7.xxx.xxx.xxx(54242), 1 packet  [INBOUNDACL]
*Jan 10 19:45:25.826: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 204.15.82.137(53) -> 7.xxx.xxx.xxx(55025), 1 packet  [INBOUNDACL]
*Jan 10 19:45:27.055: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 213.249.130.100(53) -> 7.xxx.xxx.xxx(53423), 1 packet  [INBOUNDACL]
*Jan 10 19:45:28.487: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 125.39.50.221(27031) -> 7.xxx.xxx.xxx(41944), 1 packet  [INBOUNDACL]
*Jan 10 19:45:29.507: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 87.106.246.125(53) -> 7.xxx.xxx.xxx(53727), 1 packet  [INBOUNDACL]
*Jan 10 19:45:30.700: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 211.44.250.16(27031) -> 7.xxx.xxx.xxx(41945), 1 packet  [INBOUNDACL]
*Jan 10 19:45:31.764: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 213.249.130.100(53) -> 7.xxx.xxx.xxx(53473), 1 packet  [INBOUNDACL]
*Jan 10 19:45:32.816: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 212.187.192.14(27031) -> 7.xxx.xxx.xxx(41931), 1 packet  [INBOUNDACL]
*Jan 10 19:45:34.100: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 213.249.130.100(53) -> 7.xxx.xxx.xxx(52814), 1 packet  [INBOUNDACL]


Expert Comment

by:mikecr
ID: 34526893
Kvistofta, umm (LOL), I knew that but I didn't word it correctly. His CBAC was configured for inbound and not outbound for WWW. As you stated, with ip inspect running, it allows the session outbound and all return traffic no matter what the access list is; however, he was using it inbound, which would have fallen under the access list deny.

Assisted Solution

by:Kvistofta
Kvistofta earned 400 total points
ID: 34527180
You can make CBAC for tcp and udp generally only (remove http) and filter with an inbound ACL on your inside interface(s) what you wanna allow out on the internet. But yes, you can CBAC specifically for DNS also if that is what you want.

And yes, those log entries indicate that the return traffic for your outbound DNS queries is blocked.

/Kvistofta

Author Comment

by:awilderbeast
ID: 34532672
you mean use an inbound acl to list the ips of the websites i do want?
cos i want all web traffic to be allowed

so far only adjustments ive made are

CWCH(config)#ip inspect name UserTraffic dns

oh wait i think i know what you mean

i just typed CWCH(config)#ip inspect name UserTraffic tcp ?
CWCH(config)#ip inspect name UserTraffic tcp ?
  alert           Turn on/off alert
  audit-trail     Turn on/off audit trail
  router-traffic  Enable inspection of sessions to/from the router
  timeout         Specify the inactivity timeout time
  <cr>

Meaning I can't specify a port number; I can only use CBAC for the predefined list already available? Is that right?
So to allow any other traffic through, what do I do?

Thanks

Author Comment

by:awilderbeast
ID: 34620583
^^ ?

Expert Comment

by:Kvistofta
ID: 34620962
I don't really understand what you mean. If you inspect tcp you will CBAC all outbound TCP traffic so that the return traffic is automatically let in.

/Kvistofta

Author Comment

by:awilderbeast
ID: 34621078
Oh right, so any TCP or UDP traffic initiated inside will be allowed to return, and anything random coming in will be denied, yes?

Assisted Solution

by:mikecr
mikecr earned 100 total points
ID: 34621156
Yes, it inspects the traffic going outbound and creates a monitored session for each data flow. If the return traffic is within the session, it is allowed, otherwise it is denied.

Author Comment

by:awilderbeast
ID: 34621167
ok ive allowed


ip inspect name UserTraffic http
ip inspect name UserTraffic https
ip inspect name UserTraffic dns
ip inspect name UserTraffic tcp
ip inspect name UserTraffic udp


then


Extended IP access list INBOUND
    10 deny tcp any any eq 22 (8 matches)
    20 deny tcp any any eq telnet (8 matches)
    30 permit tcp any host 77.86.7.193 eq www (43432 matches)
    40 permit tcp any host 77.86.7.193 eq 443 (1538 matches)
    50 permit tcp any host 77.86.7.193 eq smtp (18323 matches)
    60 permit udp any host 77.86.7.193 eq isakmp (1150 matches)
    70 permit esp any host 77.86.7.193 (417424 matches)
    80 permit ahp any host 77.86.7.193
    90 permit tcp any host 77.86.7.193 eq 54321 (1745 matches)
    100 permit udp any host 77.86.7.193 eq 54321 (883009 matches)
    109 deny ip any any log (113 matches) (tag = ACLDENY)
    110 permit ip any any log (284267 matches) (tag = ACLINFO)

then show log

This incoming UDP and pings: these are the sorts of traffic that we want to stop before they get to the firewall.
Is this suspicious, or should I google each incoming port and see what it is?
*Jan 16 21:38:31.560: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 86.159.161.107(9203) -> 7x.xxx.xxx.xxx(57635), 1 packet  [ACLDENY]
*Jan 16 21:38:33.181: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 89.28.81.51(22397) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:38:36.786: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 2.120.164.254(36269) -> 7x.xxx.xxx.xxx(56801), 1 packet  [ACLDENY]
*Jan 16 21:38:37.886: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 95.105.141.19(25551) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:38:48.660: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 119.236.46.1(9699) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:38:50.641: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 195.241.120.226(35191) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:38:53.329: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 83.204.119.13(18135) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:38:54.402: %SEC-6-IPACCESSLOGDP: list INBOUND denied icmp 95.146.216.201 -> 7x.xxx.xxx.xxx (3/1), 1 packet  [ACLDENY]
*Jan 16 21:38:55.942: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 212.188.163.37(5222) -> 7x.xxx.xxx.xxx(51493), 1 packet  [ACLDENY]
*Jan 16 21:38:57.914: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 178.92.241.220(14348) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:38:59.039: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 178.36.222.14(26508) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:04.396: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 92.252.163.167(55659) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:09.521: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 82.10.238.31(22258) -> 7x.xxx.xxx.xxx(57835), 1 packet  [ACLDENY]
*Jan 16 21:39:14.530: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 6 packets
*Jan 16 21:39:15.674: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 81.0.105.166(17486) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:17.447: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 98.64.25.166(60632) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:22.360: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 193.109.81.33(3101) -> 7x.xxx.xxx.xxx(62715), 1 packet  [ACLDENY]
*Jan 16 21:39:27.225: %SEC-6-IPACCESSLOGDP: list INBOUND denied icmp 77.86.7.254 -> 7x.xxx.xxx.xxx (3/13), 1 packet  [ACLDENY]
*Jan 16 21:39:29.205: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 90.212.217.124(17686) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:36.627: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 188.18.245.57(38977) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:41.144: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 98.117.76.130(50152) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:42.352: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 84.113.58.219(26384) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:49.226: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 59.171.163.123(24249) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:54.507: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 80.58.243.76(23875) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:39:57.924: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 99.96.7.220(35711) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]


0
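To answer the "should I google each port" question more systematically, here is an added Python triage script (not from the thread) that parses the %SEC-6-IPACCESSLOGP, LOGDP and LOGRL lines above and groups denied entries by protocol and destination port, counting distinct sources and the packets the router dropped from the log; the embedded sample is an excerpt of the show log output in the post.

```python
import re
from collections import defaultdict

# Matches %SEC-6-IPACCESSLOGP (tcp/udp with ports) and %SEC-6-IPACCESSLOGDP (icmp with
# type/code). The post masks the destination as 7x.xxx.xxx.xxx, so 'x' is accepted there.
_ENTRY = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\(\d+\))? -> (?P<dst>[\dx.]+)"
    r"(?: \((?P<type>\d+)/(?P<code>\d+)\)|\((?P<dport>\d+)\)), (?P<count>\d+) packets?"
)
_RATELIMIT = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?(?P<missed>\d+) packets")


def parse_line(line):
    """Return a dict for one ACL log entry, or None for unrelated lines."""
    m = _ENTRY.search(line)
    if m:
        d = m.groupdict()
        d["count"] = int(d["count"])
        d["service"] = d["dport"] or f"type{d['type']}/code{d['code']}"  # port, or icmp type/code
        return d
    m = _RATELIMIT.search(line)
    return {"action": "ratelimit", "missed": int(m.group("missed"))} if m else None


def summarize(lines):
    """Group denied entries by (proto, service); count distinct sources and packets.
    Returns (rows sorted by distinct sources desc, packets lost to log rate limiting)."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    missed = 0
    for e in filter(None, map(parse_line, lines)):
        if e["action"] == "ratelimit":
            missed += e["missed"]
        elif e["action"] == "denied":
            b = buckets[(e["proto"], e["service"])]
            b["packets"] += e["count"]
            b["sources"].add(e["src"])
    rows = [(p, s, len(b["sources"]), b["packets"]) for (p, s), b in buckets.items()]
    rows.sort(key=lambda r: (-r[2], -r[3]))
    return rows, missed


# Excerpt (6 of the 25 lines) of the show log output in the post
SAMPLE = """\
*Jan 16 21:38:31.560: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 86.159.161.107(9203) -> 7x.xxx.xxx.xxx(57635), 1 packet  [ACLDENY]
*Jan 16 21:38:33.181: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 89.28.81.51(22397) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:38:37.886: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 95.105.141.19(25551) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
*Jan 16 21:38:54.402: %SEC-6-IPACCESSLOGDP: list INBOUND denied icmp 95.146.216.201 -> 7x.xxx.xxx.xxx (3/1), 1 packet  [ACLDENY]
*Jan 16 21:39:14.530: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 6 packets
*Jan 16 21:39:15.674: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 81.0.105.166(17486) -> 7x.xxx.xxx.xxx(39218), 1 packet  [ACLDENY]
""".splitlines()
```

Run over the full log, summarize() puts the (udp, 39218) bucket first: many distinct sources hitting one high port stands out from the single-source TCP and ICMP entries, which is the pattern to look at before any individual port number.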
 
LVL 17

Assisted Solution

by:Kvistofta
Kvistofta earned 400 total points
ID: 34621169
Exactly.
0
 
LVL 1

Author Closing Comment

by:awilderbeast
ID: 34621189
Thanks for clearing this up for me :)
0
