Access list doing the same thing

Unanswered Question
Dec 10th, 2007
User Badges:

Hey guys, I have an access list which is applied to the outside interface. There are 2 lines, however that I think they might be doing the same thing and I want to know if I can get rid of one. They both get hits though when I do a "sh access-list 110"


access-list 110 permit udp any any eq isakmp


access-list 110 permit udp any eq isakmp any



thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Edison Ortiz Mon, 12/10/2007 - 17:15
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

They aren't doing the same thing and you haven't told us which direction the ACL was applied.


On the first ACL, you are allowing isakmp on the destination host(s) while on the second ACL, you are allowing isakmp on the source host(s).

insccisco Mon, 12/10/2007 - 17:23
User Badges:

sorry for that.


In int4, there is a line "ip access-group 110 in" so I assume, and I think this is right :), that the ACL is applied to all traffic coming from the outside (internet) towards the network (inside)... please correct me if Im wrong.


There isn't any ACLs applied to the inside interface, which I believe it means anything outbound from the inside is allowed.


my apologies for the fragil questions, I'm trying to get this right and be strong on the basics before moving forward

Edison Ortiz Mon, 12/10/2007 - 17:26
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

My previous explanation still stands. You are allowing bi-directional traffic for the isakmp port. Removing one ACL will affect this traffic, so leave as is.


insccisco Mon, 12/10/2007 - 17:42
User Badges:

I see. But wouldn't it be redundant as all outbound traffic is already allowed, thus safely remove the second line, and only keep and use the first line (access-list 110 permit udp any any eq isakmp)?


When you make and outbound connection, once that connection is established, doesn't the router allows anything inbound from the destination during the session? and because is ISAKMP, you do have to allow this protocol in the inbound direction, so line 1 wouldn't already be allowing for this?



Edison Ortiz Mon, 12/10/2007 - 19:20
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Usually only the destination would be listed in the allowed port but due to the nature of the IPSec traffic, both the source and destination use that port.


For instance, if you are running a web server, only the server needs to be allowed on port 80. The end-devices connecting to this web server will use high random ports (1024 and above) which is allowed by the ACL.


On this case, the application behaves differently as the end-devices and the vpn server utilizes the isakmp port, not high random ports.

Richard Burts Mon, 12/10/2007 - 20:12
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Angel


I am glad that you are trying to get strong on the basics. Here is an important basic concept: if both access list lines are getting hits then they are not redundant. If a packet gets to the second line and matches the second line (which produces a hit) then it did not match the first line, because access list processing stops when it gets to the first match.


So if you remove either of the lines you will be changing the behavior and some traffic that is getting through currently will start being denied.


I will admit that I am a bit surprised that both lines are getting hits. In my experience using ISAKMP both the source port and the destination port are the same (both sourece port and destination port are UDP ISAKMP). But if both lines of your access list are getting hits then obviously there is traffic in your network that is not working the way that I would expect.


HTH


Rick

insccisco Tue, 12/11/2007 - 00:03
User Badges:

I have to be honest but I was very close to removing one of the lines. But thanks to you guys I didn't.


I have few networks where we use Cisco all the way, and as time goes by, I want/need to understand each line of each running config I have.


The less lines, the better (for me :) ) One Cisco TAC guy told me that there are Cisco Best Practices and that's exactly where I will like to get.... just like MS Windows where, almost with my eyes closed, I remove tons of unneeded services/files/programs before deployment :)



Jon Marshall Tue, 12/11/2007 - 00:10
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi


One thing you might consider is adding the "log" keyword to the end of these 2 lines and that will show you the source and destination IP addresses and port numbers.


As Rick says, this is strange because ISAKMP is usually udp port 500 to udp port 500.


Obvioulsy if you are going to log these entries please ensure your router has enough spare resources to do this.


Jon

insccisco Tue, 12/11/2007 - 00:22
User Badges:

oh, I like that. I will add the log keyword.


But what do you mean by enough resources? I have an 871 which is handling an office of 30+ users.


Can you please show me how to get this "logging" going?




Jon Marshall Tue, 12/11/2007 - 00:33
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi


You should be okay as long as your router is not running "hot" at the moment.


At it's most basic just to turn on logging


router(config)# logging on

router(config)# logging trap informational

router(config)# logging buffered


This will log to the buffer on your 871. Because it is informational you will get more than just the access-list lines being logged and the buffer is circular in that it will keep getting overwritten, which is why people often set up a syslog server and send the logs to that.


You can get a free syslog server that you can run on one of your windows boxes from


www.kiwisyslog.com


If you do this you need one more line in your config


router(config)# logging host "ip address of syslog server"


As with debugging and logging you should keep an eye on the memory and CPU usage on your router.


Jon

insccisco Tue, 12/11/2007 - 09:20
User Badges:

what do you mean by "running 'hot' "? cpu usage high? sh proc high?


I am moving ahead with the logging. I do have a syslog server and I will make this 871 send its logs to it, although I want to deploy this syslog server at the other end of the tunnel. Meaning that I will create a LAN-to-LAN tunnel from this 871 to a remote office because that's where I have the syslog server. Will this be OK? will it be safe? or is it gonna put too much traffic on the line?

Jon Marshall Tue, 12/11/2007 - 10:17
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi


I just mean that if your router is running over 50% in cpu usage you just need to be a little careful when you turn logging on.


Sending the traffic down the tunnel will put more overhead on the router because of the encryption overhead.


It's a suck it and see thing really.


Jon

insccisco Tue, 12/11/2007 - 10:22
User Badges:

I see. Well, this is my plan, this 871 uses 2 ISPs, and ISP2 is only for backup purposes, so the connection is always on idle. So I am planning to use it for the tunnel so I can keep it busy :) and not put overhead to the main line which is always busy anyways with all the traffic that the inside network puts in it


what do you think?



insccisco Mon, 12/10/2007 - 23:55
User Badges:

interesting. very interesting


Edison, do you know of a good link that touches this ACL topic in very deep details?


Also, any good readings about ACLs (books, articles, etc.) and about ISKMP?


Once again, I need to get stronger on these basics


thank you for the answers

Edison Ortiz Tue, 12/11/2007 - 07:47
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

For light reading, I usually hit the IOS configuration sections


http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/index.htm


For your query, I would suggest reading the security section from the link above.


I heard good things about this book as well:

http://www.amazon.com/Cisco-Access-Lists-Jeff-Sedayao/dp/1565923855/ref=sr_1_1?ie=UTF8&s=books&qid=1197388001&sr=1-1


insccisco Tue, 12/11/2007 - 09:16
User Badges:

thank you very much. They look good for reading. The book also sounds good enough that I will buy it, although it has lots of errors according to amazon reviewers, but overall seems like a good beginner's book


thank you again Edison

insccisco Tue, 12/11/2007 - 10:17
User Badges:

I take your word Edison. Making the purchase right now.


If you know of any other good ones, let me know



angel

Actions

This Discussion