davorin
asked on
Applying ACL to external interface blocks access to internet
Hi,
I have a problem on a Cisco C892. As soon as I apply the ACL-IN ACL on the external Dialer0 interface, I lose connectivity from the LAN to the internet (ping, DNS, HTTP, everything), which is unwanted, while I still have RDP access from the internet 2.2.2.0 network to the internal server at 192.168.1.37.
From LAN to INET I want to block just SMTP except from mail server.
From external network 2.2.2.0/24 I want to allow access to everything.
From other internet addresses I want to allow only what is specified in ACL-IN access list.
1.1.1.1 is my fixed public IP address I get on Dialer0 interface with pppoe connection.
(I have been told that the customer has another 4 public IP addresses which are routed by the ISP over the 1.1.1.1 address, but they are not in use - if relevant)
Any ideas would be more than welcome.
Here is a relevant part of router configuration:
ip cef
ip domain name domain.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name WALL tcp
ip inspect name WALL udp
ip inspect name WALL tftp
ip inspect name WALL ftp
ip inspect name WALL realaudio
ip inspect name WALL icmp
ip inspect name WALL rtsp
ip inspect name WALL http
ip inspect name WALL https
ip inspect name WALL ssh
ip inspect name WALL sip
ip inspect name WALL h323
no ipv6 cef
!
interface FastEthernet8
description ***INTERNET PPPoE***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
description === LAN ===
ip address 192.168.1.5 255.255.255.0
ip access-group BLOCK_SPAM in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
!
interface Dialer0
description ***INTERNET PPPoE***
ip address negotiated
ip access-group ACL-IN in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname pppoeusername
ppp chap password 7 xxxxxx
no cdp enable
crypto map cmap
!
!
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.1.19 110 interface Dialer0 110
ip nat inside source static tcp 192.168.1.24 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.19 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.19 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.18 1750 1.1.1.1 1750 extendable
ip nat inside source static tcp 192.168.1.37 3389 1.1.1.1 3337 extendable
ip nat inside source static tcp 192.168.1.110 8000 1.1.1.1 8000 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended ACL-IN
permit ip 2.2.2.0 0.0.0.255 any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host 1.1.1.1 eq smtp
permit tcp any host 1.1.1.1 eq pop3
permit tcp any host 1.1.1.1 eq 443
permit tcp any host 1.1.1.1 eq www
permit tcp any host 1.1.1.1 eq 1750
permit tcp any host 1.1.1.1 eq 8000
ip access-list extended BLOCK_SPAM
permit tcp host 192.168.1.19 any eq smtp
deny tcp any any eq smtp
permit ip any any
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.255.0 0.0.0.127
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any log
!
dialer-list 1 protocol ip permit
no cdp run
ASKER
Thank you Predrag!
For now I have decided to use "permit ip any any" at the end, and to permit access to potentially insecure NAT-ed ports just from known IP addresses. Thank you also for the info about ZBF. I will go through the posted links. For sure it will be useful in the future.
Thanks!
Best regards,
Davorin
You're welcome.
ASKER
I was always using the logic "block everything except what is permitted". Using "permit ip any any" at the end changes this to "allow everything except what is blocked". Your suggestion might work, but specifying tons of ports needed for almost unlimited internet access could be problematic.
Is there a possibility to permit just established/related connections initiated from the LAN? Something like "permit ip any any established"?
If there will be "permit ip any any" at the end, there is no need of permit lines, except when I want to block from everywhere except from certain IPs.
permit tcp host 3.3.3.3 host 1.1.1.1 eq 1750
deny tcp any host 1.1.1.1 eq 1750
permit ip any any
Is there any difference in security if I block or not a certain port that is not used in the NAT rules?
If there is no ACL applied to an interface, is all traffic allowed, like having just "permit ip any any"?
You said "NAT is configured so...". You wanted to suggest something about it?
Thank you for your help.
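Added example, not from this thread and not Cisco's code: a small Python evaluator for extended ACLs that replays the ACL-IN list from the question against a few constructed inbound packets on Dialer0. It shows the mechanics behind both the original symptom (LAN sessions lose their return traffic to the implicit deny at the end of ACL-IN, while 2.2.2.0/24 is matched by the first entry and keeps RDP) and the "established" question (it only helps TCP replies, because it tests the ACK/RST bits; UDP such as DNS replies and ICMP still need a session table, which is what `ip inspect` provides). The remote addresses 203.0.113.10 and 198.51.100.7 and the ephemeral ports are constructed; the `StatefulFilter` class is a toy model of stateful inspection, not the IOS implementation. It assumes the inbound ACL on the NAT-outside interface sees the public destination 1.1.1.1 before translation, which is how IOS orders inbound ACL and NAT.

```python
"""Toy Cisco-style extended ACL evaluator (illustration, not router code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK/RST set: what the "established" keyword tests


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # CIDR (IOS wildcard masks converted for readability)
    dst: str
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl, packet: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action
    return "deny"


ANY, ME = "0.0.0.0/0", "1.1.1.1/32"

# Transcription of ACL-IN from the question (isakmp = 500, non500-isakmp = 4500).
ACL_IN = [
    Rule("permit", "ip", "2.2.2.0/24", ANY),
    Rule("permit", "esp", ANY, ANY),
    Rule("permit", "udp", ANY, ANY, dport=500),
    Rule("permit", "udp", ANY, ANY, dport=4500),
    Rule("permit", "tcp", ANY, ME, dport=25),
    Rule("permit", "tcp", ANY, ME, dport=110),
    Rule("permit", "tcp", ANY, ME, dport=443),
    Rule("permit", "tcp", ANY, ME, dport=80),
    Rule("permit", "tcp", ANY, ME, dport=1750),
    Rule("permit", "tcp", ANY, ME, dport=8000),
]

# Same list with the "permit tcp any any established" idea from the follow-up.
ACL_IN_ESTABLISHED = ACL_IN + [Rule("permit", "tcp", ANY, ANY, established=True)]

# Constructed packets as seen inbound on Dialer0 (public address 1.1.1.1).
DNS_REPLY = Packet("udp", "8.8.8.8", "1.1.1.1", sport=53, dport=51234)
HTTP_REPLY = Packet("tcp", "203.0.113.10", "1.1.1.1", sport=80, dport=51235, ack=True)
RDP_FROM_PARTNER = Packet("tcp", "2.2.2.10", "1.1.1.1", sport=40000, dport=3337)
RDP_FROM_ELSEWHERE = Packet("tcp", "198.51.100.7", "1.1.1.1", sport=40001, dport=3337)


class StatefulFilter:
    """Toy stateful inspection: replies to recorded outbound sessions are
    admitted before the ACL is consulted (the idea behind ip inspect / CBAC)."""

    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()

    def outbound(self, p: Packet) -> None:
        self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))

    def inbound(self, p: Packet) -> str:
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions:
            return "permit"
        return evaluate(self.acl, p)


def dns_with_inspection() -> str:
    """LAN DNS query leaves (post-NAT source 1.1.1.1); is its reply admitted?"""
    fw = StatefulFilter(ACL_IN)
    fw.outbound(Packet("udp", "1.1.1.1", "8.8.8.8", sport=51234, dport=53))
    return fw.inbound(DNS_REPLY)


if __name__ == "__main__":
    for name, pkt in [("DNS reply", DNS_REPLY), ("HTTP reply", HTTP_REPLY),
                      ("RDP from 2.2.2.0/24", RDP_FROM_PARTNER),
                      ("RDP from elsewhere", RDP_FROM_ELSEWHERE)]:
        print(f"{name:22} ACL-IN: {evaluate(ACL_IN, pkt):6} "
              f"+established: {evaluate(ACL_IN_ESTABLISHED, pkt)}")
    print(f"DNS reply with session table: {dns_with_inspection()}")
```

Reading the output against the thread: with plain ACL-IN every reply to a LAN-initiated session is dropped, which is exactly "I lose the connectivity from LAN to internet"; appending an `established` entry brings back TCP but not DNS over UDP or ping, so a session table (stateful inspection or ZBF, as mentioned in the thread) is the mechanism that makes a default-deny inbound ACL workable for LAN-originated traffic.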