
Applying ACL to external interface blocks access to internet

davorin asked:
Hi,

I have a problem on a Cisco C892. The moment I apply the ACL-IN ACL on the external Dialer0 interface, I lose connectivity from the LAN to the internet (ping, DNS, HTTP, everything), which is unwanted, while I still have RDP access from the internet 2.2.2.0 network to the internal server at 192.168.1.37.
From the LAN to the internet I want to block just SMTP, except from the mail server.
From the external network 2.2.2.0/24 I want to allow access to everything.
From other internet addresses I want to allow only what is specified in the ACL-IN access list.
1.1.1.1 is my fixed public IP address, which I get on the Dialer0 interface over a PPPoE connection.
(I have been told that the customer has another 4 public IP addresses which are routed by the ISP over the 1.1.1.1 address, but they are not in use - if relevant.)
Any ideas would be more than welcome.

Here is the relevant part of the router configuration:

ip cef
ip domain name domain.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name WALL tcp
ip inspect name WALL udp
ip inspect name WALL tftp
ip inspect name WALL ftp
ip inspect name WALL realaudio
ip inspect name WALL icmp
ip inspect name WALL rtsp
ip inspect name WALL http
ip inspect name WALL https
ip inspect name WALL ssh
ip inspect name WALL sip
ip inspect name WALL h323
no ipv6 cef
!
interface FastEthernet8
 description ***INTERNET PPPoE***
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description === LAN ===
 ip address 192.168.1.5 255.255.255.0
 ip access-group BLOCK_SPAM in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 load-interval 30
!
interface Dialer0
 description ***INTERNET PPPoE***
 ip address negotiated
 ip access-group ACL-IN in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname pppoeusername
 ppp chap password 7 xxxxxx
 no cdp enable
 crypto map cmap
!
!
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.1.19 110 interface Dialer0 110
ip nat inside source static tcp 192.168.1.24 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.19 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.19 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.18 1750 1.1.1.1 1750 extendable
ip nat inside source static tcp 192.168.1.37 3389 1.1.1.1 3337 extendable
ip nat inside source static tcp 192.168.1.110 8000 1.1.1.1 8000 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended ACL-IN
 permit ip 2.2.2.0 0.0.0.255 any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any host 1.1.1.1 eq smtp
 permit tcp any host 1.1.1.1 eq pop3
 permit tcp any host 1.1.1.1 eq 443
 permit tcp any host 1.1.1.1 eq www
 permit tcp any host 1.1.1.1 eq 1750
 permit tcp any host 1.1.1.1 eq 8000
ip access-list extended BLOCK_SPAM
 permit tcp host 192.168.1.19 any eq smtp
 deny   tcp any any eq smtp
 permit ip any any
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.255.0 0.0.0.127
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
dialer-list 1 protocol ip permit
no cdp run

Expert (Distinguished Expert 2018) commented:
Your ACL is blocking everything except what is strictly permitted, and the ACL is checked before inspection/NAT or anything else, so traffic gets dropped. NAT is configured so ...
You may need more statements... e.g. "permit ip any any" at the end...
The ACL's last statement is always "deny ip any any", but it is just not printed out. Whatever is not specifically permitted in the ACL when it reaches the end of the ACL will be blocked. Even if the last ACL statement is "permit ip any any", the next statement, active but not printed, is "deny ip any any".

ip access-list extended ACL-IN
 permit ip 2.2.2.0 0.0.0.255 any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any host 1.1.1.1 eq smtp
 permit tcp any host 1.1.1.1 eq pop3
 permit tcp any host 1.1.1.1 eq 443
 permit tcp any host 1.1.1.1 eq www
 permit tcp any host 1.1.1.1 eq 1750
 permit tcp any host 1.1.1.1 eq 8000
 deny <whatever you want to be denied>
 permit ip any any


Maybe your solution is to permit traffic from port 443, pop3, etc., in which case the ACL is not correctly written (but even then I am not sure it should work).
ip access-list extended ACL-IN
 permit ip 2.2.2.0 0.0.0.255 any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any eq smtp host 1.1.1.1
 permit tcp any eq pop3 host 1.1.1.1
 permit tcp any eq 443 host 1.1.1.1
 permit tcp any eq www host 1.1.1.1
 permit tcp any eq 1750 host 1.1.1.1
 permit tcp any eq 8000 host 1.1.1.1

The way the ACL is written now, traffic from any host with source port 443 is permitted if the destination is host 1.1.1.1 - port 443 is the internet server's source port in this case. Your local hosts will send traffic with source port 1025 and higher to access port 443 on the remote server, but the return traffic has source port 443 and the destination is the NAT port.
Author (davorin) commented:
I'm afraid you are right, but I refuse to believe there is no more elegant (secure) solution :)
I have always used the logic: block everything except what is permitted. Using "permit ip any any" at the end changes this to allow everything except what is blocked. Your suggestion might work, but specifying tons of ports needed for almost unlimited internet access could be problematic.

Is there a possibility to permit just established/related connections established from the LAN? Something like "permit ip any any established"?

If there is "permit ip any any" at the end, there is no need for permit lines, except when I want to block from everywhere except from certain IPs.

permit tcp host 3.3.3.3 host 1.1.1.1 eq 1750
deny tcp any host 1.1.1.1 eq 1750
permit ip any any

Is there any difference in security if I block or do not block a certain port that is not used by NAT rules?
If there is no ACL applied to the interface, is all traffic allowed, like having just "permit ip any any"?
You said "NAT is configured so...". Did you want to suggest something about it?

Thank you for your help.
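The question about "established" above and the expert's first answer turn on the same mechanism: ACL-IN on Dialer0 is evaluated on the raw inbound packet, so a reply from a web server (source port 443, destination 1.1.1.1 and a high NAT port) matches none of the "eq" lines and hits the implicit deny. The posted configuration already defines a CBAC inspection rule set ("ip inspect name WALL ...") but never applies it to an interface. The following is an added example, not from the original thread, of applying that rule set outbound on Dialer0 so that replies to LAN-initiated sessions are admitted dynamically while ACL-IN stays default-deny. 3.3.3.3 is the example address from the post above; the "router-traffic" keyword is assumed to be available on this IOS release.

```cisco
! Re-enter the three generic protocols with router-traffic so that traffic the
! router itself originates out Dialer0 (its DNS lookups to 8.8.8.8, pings from
! the CLI) is also tracked; without it those replies are dropped by ACL-IN.
ip inspect name WALL tcp router-traffic
ip inspect name WALL udp router-traffic
ip inspect name WALL icmp router-traffic
!
! Inspect outbound on the outside interface, ACL inbound on the same
! interface: CBAC opens temporary entries in ACL-IN for each LAN-initiated
! session and removes them when the session closes or times out.
interface Dialer0
 ip access-group ACL-IN in
 ip inspect WALL out
!
ip access-list extended ACL-IN
 remark -- trusted remote site: everything, including RDP on 1.1.1.1:3337
 permit ip 2.2.2.0 0.0.0.255 any
 remark -- IPsec terminating on the router itself (crypto map cmap)
 permit esp any host 1.1.1.1
 permit udp any host 1.1.1.1 eq isakmp
 permit udp any host 1.1.1.1 eq non500-isakmp
 remark -- published services (one line per static NAT entry), by destination port
 permit tcp any host 1.1.1.1 eq smtp
 permit tcp any host 1.1.1.1 eq pop3
 permit tcp any host 1.1.1.1 eq 443
 permit tcp any host 1.1.1.1 eq www
 permit tcp host 3.3.3.3 host 1.1.1.1 eq 1750
 permit tcp any host 1.1.1.1 eq 8000
 remark -- stateless alternative asked about above: matches only TCP segments
 remark -- with ACK or RST set, covers neither UDP (DNS) nor ICMP, and lets any
 remark -- ACK-flagged probe reach every published port (ACK scans). Not used.
 remark -- permit tcp any any established
 remark -- unsolicited traffic, including RDP to 3337 from elsewhere, is logged and dropped
 deny   ip any any log
```

After opening a browser on a LAN host, "show ip inspect sessions" lists each LAN-initiated connection with its temporary opening, and the hit counter on the final deny line in "show ip access-lists ACL-IN" should stop climbing for ordinary browsing. Keep the inbound ACL and the inspect rule on the same interface; the dynamic entries are tied to that ACL.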
Expert (Distinguished Expert 2018) commented:
Generally the best approach would be to use a firewall, and the C892 is capable of zone based firewall (ZBF), but throughput decreases with every option being added. From my experience, with NAT involved, 60Mb is the best that it can offer. Long ACLs are also not an option, since the device will not accept long ACLs.

With that being said - you can configure ZBF via the Cisco Configuration Professional (CCP) GUI wizard.
Or manually, to better understand it:
Cisco Zone Based Firewall Step By Step: Part 1
Cisco Zone Based Firewall Step By Step: Part 2
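A minimal manual ZBF configuration for this router, as an added example that is not part of the original thread or of the linked articles: two zones, a stateful LAN-to-WAN policy that carries over the SMTP restriction from BLOCK_SPAM, and a WAN-to-LAN policy that admits only the published services and the 2.2.2.0/24 site. The object names (LAN, WAN, CM-*, PM-*, ACL-*) are chosen here; 3.3.3.3 is the example address from an earlier post.

```cisco
! The router itself is the implicit "self" zone. Without a zone-pair that
! names self it keeps its default permit-all behaviour, so ISAKMP/ESP to
! Dialer0 and the router's own DNS lookups keep working.
zone security LAN
zone security WAN
!
! LAN -> WAN: mail server may send SMTP, nobody else may; everything else
! over TCP/UDP/ICMP is inspected so replies return statefully.
ip access-list extended ACL-SMTP-FROM-MAILSERVER
 permit tcp host 192.168.1.19 any eq smtp
ip access-list extended ACL-SMTP-ANY
 permit tcp any any eq smtp
class-map type inspect match-all CM-SMTP-ALLOWED
 match access-group name ACL-SMTP-FROM-MAILSERVER
class-map type inspect match-all CM-SMTP-BLOCKED
 match access-group name ACL-SMTP-ANY
class-map type inspect match-any CM-LAN-TO-WAN
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-LAN-TO-WAN
 class type inspect CM-SMTP-ALLOWED
  inspect
 class type inspect CM-SMTP-BLOCKED
  drop log
 class type inspect CM-LAN-TO-WAN
  inspect
 class class-default
  drop
!
! WAN -> LAN: static NAT translates the destination before this policy
! classifies the packet, so the ACL is written against inside addresses,
! not against 1.1.1.1.
ip access-list extended ACL-WAN-TO-LAN
 remark -- trusted remote site: everything, including RDP (3337 -> 192.168.1.37:3389)
 permit ip 2.2.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark -- published services, one line per static NAT entry
 permit tcp any host 192.168.1.19 eq smtp
 permit tcp any host 192.168.1.19 eq pop3
 permit tcp any host 192.168.1.19 eq 443
 permit tcp any host 192.168.1.24 eq www
 permit tcp host 3.3.3.3 host 192.168.1.18 eq 1750
 permit tcp any host 192.168.1.110 eq 8000
class-map type inspect match-all CM-WAN-TO-LAN
 match access-group name ACL-WAN-TO-LAN
policy-map type inspect PM-WAN-TO-LAN
 class type inspect CM-WAN-TO-LAN
  inspect
 class class-default
  drop log
!
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect PM-LAN-TO-WAN
zone-pair security WAN-TO-LAN source WAN destination LAN
 service-policy type inspect PM-WAN-TO-LAN
!
! Assign interfaces last: an interface that is in a zone drops traffic to
! every other zone until a zone-pair policy exists. The interface ACLs are
! removed because the zone policies now carry their intent.
interface Vlan1
 no ip access-group BLOCK_SPAM in
 zone-member security LAN
interface Dialer0
 no ip access-group ACL-IN in
 zone-member security WAN
```

Two things to check before cutting over. First, traffic that arrives through the IPsec tunnel is classified as coming from WAN after decryption; if the 192.168.255.0/25 range excluded in the NAT list is the remote VPN subnet (an assumption from the posted NAT ACL), add "permit ip 192.168.255.0 0.0.0.127 192.168.1.0 0.0.0.255" to ACL-WAN-TO-LAN, otherwise class-default drops it. Second, do not combine "ip inspect" (CBAC) and zone membership on the same interface; pick one model. "show policy-map type inspect zone-pair" shows per-class session and drop counters while testing.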
Author (davorin) commented:
Thank you Predrag!

For now I have decided to use "permit ip any any" at the end, and to permit access to potentially insecure NATed ports just from known IP addresses. Thank you also for the info about ZBF. I will go through the posted links. For sure it will be useful in the future.

Hvala! (Thanks!)
Best regards,
Davorin
Expert (Distinguished Expert 2018) commented:
You're welcome.
Nema na čemu. (You're welcome.)