Hello, I am creating a typical router-on-a-stick configuration where remote sites running Cisco IOS direct outbound Internet traffic through an IPSec tunnel that terminates on an ASA5510. I am 99% there and am able to route between the spokes and to/from the Internet. I am looking for guidance on how to properly configure the inbound ACL on the spoke router WAN interfaces.
My question is, do I need to specifically allow return traffic from the Internet in the spoke router ACL? I was under the impression that allowing the IPSec traffic from the hub ASA would include the Internet traffic that has hairpinned through the ASA and I would not need a specific ACL entry permitting Internet source addresses.
The spoke router I am working on now is a 3620 running IOS 12.3.26. When I configure the inbound ACL on the WAN interface to only allow esp/isakmp from the hub ASA, I am not able to receive traffic from the Internet. If I remove the inbound ACL everything works fine. Here is the current inbound ACL from the Lab network router:
access-list 130 remark Permitted Inbound connections from WAN
access-list 130 remark IPSec
access-list 130 remark LAN subnets
access-list 130 permit ip 192.168.75.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 130 permit ip 192.168.50.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 130 permit ip 10.199.199.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 130 remark HUB ASA
access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq non500-isakmp
access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq isakmp
access-list 130 permit esp host 172.16.1.4 host 172.16.1.21
access-list 130 permit ahp host 172.16.1.4 host 172.16.1.21
access-list 130 remark NTP to router
access-list 130 permit udp host 220.127.116.11 eq ntp host 172.16.1.21 eq ntp
access-list 130 remark Permitted ICMP Traffic
access-list 130 permit icmp any host 172.16.1.21 echo
access-list 130 permit icmp any any echo-reply
access-list 130 permit icmp any any source-quench
access-list 130 permit icmp any any packet-too-big
access-list 130 permit icmp any any time-exceeded
access-list 130 deny icmp any any
access-list 130 remark Permitted Management Traffic
access-list 130 remark allow SSH
access-list 130 permit tcp any any eq 22
With the access list above applied inbound on my WAN interface, inside hosts are able to ping Internet addresses (permitting any ICMP echo-reply) but can't browse the Internet.
Do I need to enable a firewall policy on the router to permit return Internet traffic? I thought the ESP permit rule would cover that.
Any and all help is appreciated!
Unless you are running the IOS firewall feature set on your spoke routers, the router cannot keep state of outbound connections. So yes, you will need to also allow the unencrypted traffic in your ACL on the WAN interface inbound, because once the traffic is decrypted it is then checked against the ACL on the interface; see this link for order of operations -
On the ASA/PIX firewalls you can tell the device to not check against the ACL on the outside interface once traffic has been decrypted with the "sysopt connection " command, but I'm not aware of a similar option for IOS.
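As an added illustration of the order of operations the reply describes (this is not code from either poster, nor from Cisco): a small Python model of an IOS inbound ACL that is consulted twice on an IPsec spoke, once for the arriving ESP packet and again for the decrypted inner packet. It uses a constructed subset of the thread's access-list 130 plus constructed addresses for the Internet host (198.51.100.10) and the inside host (192.168.168.10); the `established` keyword is a real IOS ACL option that matches TCP segments with ACK or RST set.

```python
"""Model the double ACL check on an IOS IPsec spoke: the inbound interface ACL is
consulted when the ESP packet arrives and again on the decrypted inner packet.
Constructed for this thread, not Cisco's code; the parser only handles the ACL
forms used in the thread's access-list 130 plus the 'established' keyword."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # "echo", "echo-reply", ...
    ack_or_rst: bool = False   # TCP ACK/RST set: what IOS 'established' tests


def _addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (matcher, next i)."""
    if t[i] == "any":
        return (lambda a: True), i + 1
    if t[i] == "host":
        want = t[i + 1]
        return (lambda a: a == want), i + 2
    net, wild = (int(ipaddress.IPv4Address(x)) for x in t[i:i + 2])
    care = ~wild & 0xFFFFFFFF            # wildcard 1-bits are "don't care"
    return (lambda a: int(ipaddress.IPv4Address(a)) & care == net & care), i + 2


def _port(t, i):
    """Consume optional 'eq <port>' at t[i]; return (port or None, next i)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines; remarks and blanks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        ace = {"action": t[2], "proto": t[3]}
        ace["src"], i = _addr(t, 4)
        ace["sport"], i = _port(t, i)
        ace["dst"], i = _addr(t, i)
        ace["dport"], i = _port(t, i)
        ace["icmp_type"] = t[i] if t[3] == "icmp" and i < len(t) else ""
        ace["established"] = "established" in t[i:]
        aces.append(ace)
    return aces


def _matches(a, p):
    return ((a["proto"] == "ip" or a["proto"] == p.proto)
            and a["src"](p.src) and a["dst"](p.dst)
            and a["sport"] in (None, p.sport) and a["dport"] in (None, p.dport)
            and a["icmp_type"] in ("", p.icmp_type)
            and (not a["established"] or p.ack_or_rst))


def evaluate(aces, p):
    """First match wins; an IOS ACL ends with an implicit deny."""
    return next((a["action"] for a in aces if _matches(a, p)), "deny")


def spoke_inbound(aces, esp, inner):
    """Verdicts for the ESP packet on arrival and for the decrypted inner packet.
    Without the IOS firewall feature set nothing short-circuits the second check."""
    outer = evaluate(aces, esp)
    return outer, (evaluate(aces, inner) if outer == "permit" else "not decrypted")


# Constructed subset of the thread's ACL (hub ASA is 172.16.1.4, spoke WAN 172.16.1.21).
ACL_FROM_THREAD = """
access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq isakmp
access-list 130 permit esp host 172.16.1.4 host 172.16.1.21
access-list 130 permit icmp any any echo-reply
access-list 130 deny icmp any any
access-list 130 permit tcp any any eq 22
"""
# The entry the reply calls for: 'established' permits TCP segments with ACK or RST
# set, i.e. replies to connections the inside hosts opened (flag check only, no state).
ACL_WITH_RETURN_TRAFFIC = ACL_FROM_THREAD + \
    "access-list 130 permit tcp any 192.168.168.0 0.0.0.255 established\n"

# Constructed packets: ESP from the hub ASA, and what it carries after decryption.
ESP_FROM_HUB = Packet("esp", "172.16.1.4", "172.16.1.21")
HTTP_REPLY = Packet("tcp", "198.51.100.10", "192.168.168.10", 80, 49152, ack_or_rst=True)
PING_REPLY = Packet("icmp", "198.51.100.10", "192.168.168.10", icmp_type="echo-reply")


def demo():
    """Reproduce the symptom (ping works, browsing fails) and the effect of the fix."""
    before, after = parse_acl(ACL_FROM_THREAD), parse_acl(ACL_WITH_RETURN_TRAFFIC)
    return {"ping_before": spoke_inbound(before, ESP_FROM_HUB, PING_REPLY),
            "http_before": spoke_inbound(before, ESP_FROM_HUB, HTTP_REPLY),
            "http_after": spoke_inbound(after, ESP_FROM_HUB, HTTP_REPLY)}
```

Running `demo()` gives `("permit", "permit")` for the ping reply, `("permit", "deny")` for the HTTP reply under the original list (the ESP packet passes, the decrypted TCP segment matches nothing but the implicit deny), and `("permit", "permit")` once the `established` entry is present. Note that `established` only inspects TCP flags; UDP replies such as DNS need their own entries, and a stateful alternative is the IOS firewall feature set the reply mentions.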