Router ACL permitting hairpin Internet traffic

Answered Question
May 9th, 2009

Hello, I am creating a typical router-on-a-stick configuration where remote sites running Cisco IOS direct outbound Internet traffic through an IPSec tunnel that terminates on an ASA5510. I am 99% there and am able to route between the spokes and to/from the Internet. I am looking for guidance on how to properly configure the inbound ACL on the spoke router WAN interfaces.


My question is, do I need to specifically allow return traffic from the Internet in the spoke router ACL? I was under the impression that allowing the IPSec traffic from the hub ASA would include the Internet traffic that has hairpinned through the ASA and I would not need a specific ACL entry permitting Internet source addresses.


The spoke router I am working on now is a 3620 running IOS 12.3.26. When I configure the inbound ACL on the WAN interface to only allow esp/isakmp from the hub ASA, I am not able to receive traffic from the Internet. If I remove the inbound ACL everything works fine. Here is the current inbound ACL from the lab network router:

access-list 130 remark Permitted Inbound connections from WAN
access-list 130 remark IPSec
access-list 130 remark LAN subnets
access-list 130 permit ip 192.168.75.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 130 permit ip 192.168.50.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 130 permit ip 10.199.199.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 130 remark HUB ASA
access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq non500-isakmp
access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq isakmp
access-list 130 permit esp host 172.16.1.4 host 172.16.1.21
access-list 130 permit ahp host 172.16.1.4 host 172.16.1.21
access-list 130 remark NTP to router
access-list 130 permit udp host 192.43.244.18 eq ntp host 172.16.1.21 eq ntp
access-list 130 remark Permitted ICMP Traffic
access-list 130 permit icmp any host 172.16.1.21 echo
access-list 130 permit icmp any any echo-reply
access-list 130 permit icmp any any source-quench
access-list 130 permit icmp any any packet-too-big
access-list 130 permit icmp any any time-exceeded
access-list 130 deny icmp any any
access-list 130 remark Permitted Management Traffic
access-list 130 remark allow SSH
access-list 130 permit tcp any any eq 22


With the access list above applied inbound on my WAN interface, inside hosts are able to ping Internet addresses (permitting any ICMP echo-reply) but can't browse the Internet.


Do I need to enable a firewall policy on the router to permit return Internet traffic? I thought the ESP permit rule would cover that.


Any and all help is appreciated!

Dan


Correct Answer by Jon Marshall, Sat, 05/09/2009 - 13:05

Dan


Unless you are running the IOS firewall feature set on your spoke routers, the router cannot keep state of outbound connections. So yes, you will need to also allow the unencrypted traffic in your ACL on the WAN interface inbound, because once the traffic is decrypted it is then checked against the ACL on the interface. See this link for the order of operations:


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


On the ASA/PIX firewalls you can tell the device to not check against the ACL on the outside interface once traffic has been decrypted with the "sysopt connection " command, but I'm not aware of a similar option for IOS.


Jon
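The order of operations Jon describes (the outer ESP packet is matched against the WAN inbound ACL, then the decrypted inner packet is matched against that same ACL again) can be modelled directly, and the model reproduces what Dan saw with his ACL: the ICMP echo-reply gets through, an HTTP reply does not. The Python below is an added example for this thread, not code from the thread, from Cisco, or from IOS. It assumes a parser that handles only the access-list syntax used in Dan's post, uses 203.0.113.9 and the TCP ports as constructed sample values, models IOS firewall (`ip inspect`) session state as a plain set of 5-tuples, and adds a `permit tcp any eq www ... established` line as one assumed stateless fix; none of that is from the original posts.

```python
"""Model of the IOS inbound-ACL order of operations for IPsec-protected traffic.

Added example, not code from the thread. Addresses are Dan's; 203.0.113.9 and the
ports are constructed; the parser covers only the access-list syntax in his post.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123, "www": 80}
ip = ipaddress.ip_address


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "esp", "ahp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-reply"
    ack: bool = False     # ACK or RST set, which is what the IOS 'established' keyword matches


def _addr(t, i):
    """Consume 'any' | 'host A' | 'NET WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    bits = int(ip(t[i + 1])).bit_length()  # contiguous wildcard mask assumed
    return ipaddress.ip_network(f"{t[i]}/{32 - bits}", strict=False), i + 2


def _port(t, i):
    """Consume an optional 'eq PORT'; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1], int(t[i + 1]) if t[i + 1].isdigit() else None), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [icmp-type|established]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append((t[2], t[3], src, sport, dst, dport, t[i] if i < len(t) else ""))
    return rules


def evaluate(rules, pkt):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for action, proto, src, sport, dst, dport, tail in rules:
        if proto not in ("ip", pkt.proto) or ip(pkt.src) not in src or ip(pkt.dst) not in dst:
            continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport):
            continue
        if (proto == "icmp" and tail and tail != pkt.icmp_type) or (tail == "established" and not pkt.ack):
            continue
        return action
    return "deny"


def inbound_path(rules, outer, inner, sessions=frozenset()):
    """Verdict for an ESP packet from the hub that decrypts to `inner`; `sessions` models the
    IOS firewall (ip inspect) table as (proto, local_ip, local_port, remote_ip, remote_port)."""
    if evaluate(rules, outer) != "permit":       # 1. outer ESP packet vs the inbound ACL
        return "deny"
    if (inner.proto, inner.dst, inner.dport, inner.src, inner.sport) in sessions:
        return "permit"                           # 2. decrypted reply matches inspection state
    return evaluate(rules, inner)                 # 3. otherwise the cleartext packet hits the ACL again


DAN_ACL = """
access-list 130 permit ip 192.168.75.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq isakmp
access-list 130 permit esp host 172.16.1.4 host 172.16.1.21
access-list 130 permit icmp any host 172.16.1.21 echo
access-list 130 permit icmp any any echo-reply
access-list 130 deny icmp any any
access-list 130 permit tcp any any eq 22
"""  # Dan's ACL as posted, minus remarks and the AH/NAT-T/NTP lines
# Assumed stateless fix (not from the thread): admit the return half of outbound web sessions.
FIXED_ACL = DAN_ACL + "access-list 130 permit tcp any eq www 192.168.168.0 0.0.0.255 established\n"

ESP = Packet("esp", "172.16.1.4", "172.16.1.21")                                      # hub ASA -> spoke
PING_REPLY = Packet("icmp", "203.0.113.9", "192.168.168.10", icmp_type="echo-reply")  # constructed
HTTP_REPLY = Packet("tcp", "203.0.113.9", "192.168.168.10", sport=80, dport=51234, ack=True)


def demo():
    """Verdicts for the cases discussed in the thread, keyed by case name."""
    dan, fixed = parse_acl(DAN_ACL), parse_acl(FIXED_ACL)
    inspected = frozenset({("tcp", "192.168.168.10", 51234, "203.0.113.9", 80)})
    return {
        "ping reply, Dan's ACL": inbound_path(dan, ESP, PING_REPLY),
        "http reply, Dan's ACL": inbound_path(dan, ESP, HTTP_REPLY),
        "http reply, return traffic permitted": inbound_path(fixed, ESP, HTTP_REPLY),
        "http reply, ip inspect state": inbound_path(dan, ESP, HTTP_REPLY, inspected),
    }
```

`demo()` returns permit for the ping reply and deny for the HTTP reply under the posted ACL, and permit under either fix. Two caveats for the real router: `established` only tests the ACK/RST bits, so it admits any ACK-flagged segment from any Internet host towards the LAN (ACK scans included) and does nothing for UDP or ICMP, whereas `ip inspect` (the IOS firewall feature set Jon mentions) tracks the actual outbound session; and the match counters in `show access-lists 130` show which permit line, if any, the decrypted packets are hitting, while adding `access-list 130 deny ip any any log` at the end makes the dropped return traffic visible in the log.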

