877 NAT & ACL

Answered Question
Jan 12th, 2010

Hi

I am having a problem with internet access from internal LAN's when applying an inbound ACL to the dialer interface of my 877 DSL router.

I have 2 LAN interfaces and 1 DMZ like this:

LAN1: 192.168.0.0/24

LAN2: 10.100.1.0/24

DMZ: 172.16.1.0/24

I have the following nat rules applied:

ip nat inside source list ACL_NAT_Outbound interface Dialer0 overload
ip nat inside source static tcp 172.16.1.3 22 84.45.182.178 22 extendable
ip nat inside source static tcp 172.16.1.3 25 84.45.182.178 25 extendable
ip nat inside source static tcp 172.16.1.3 80 84.45.182.178 80 extendable
ip nat inside source static tcp 172.16.1.3 443 84.45.182.178 443 extendable
ip nat inside source static tcp 172.16.1.3 993 84.45.182.178 993 extendable
ip nat inside source static tcp 172.16.1.3 22 84.45.182.179 22 extendable

These seem to work fine and I can acces the host at 172.16.1.3 from the internet, but if I apply the following ACL to dialer 0 with 'ip access-group 109 in' I cannot get any access to the internet from the LAN or DMZ networks.

access-list 109 remark Filter inbound DMZ traffic
access-list 109 permit tcp any host 84.45.182.178 eq smtp
access-list 109 permit tcp any host 84.45.182.178 eq ftp
access-list 109 permit tcp any host 84.45.182.178 eq 22
access-list 109 permit tcp any host 84.45.182.178 eq 993
access-list 109 permit tcp any host 84.45.182.178 eq www
access-list 109 permit tcp any host 84.45.182.178 eq 443
access-list 109 permit tcp any host 84.45.182.179 eq 22

Can anyone see why and explain what I need to do to resolve the problem?

Many thanks

Mark.

Correct Answer by Paolo Bevilacqua about 6 years 10 months ago

ACLs have an implicit "deny ip any any" at end.

Consequently, either do not use access-group on dialer, as in fact it is unnecessary, or laboriously build an ACL permitting all that is to be permitted.

mark.farmer Tue, 01/12/2010 - 04:41

Hi p.bevilacqua

"do not use access-group on dialer, as in fact is unnecessary"

I was beginning to think along this line but was not sure.

Thank you very much for the reply, I will follow your advice.

Regards

Mark.

Paolo Bevilacqua Tue, 01/12/2010 - 05:17

Indeed unnecessary, as you are 100% protected by NAT.

Thank you for the nice rating, and good luck!

Jon Marshall Tue, 01/12/2010 - 05:47

mark.farmer wrote:

Hi p.bevilacqua

"do not use access-group on dialer, as in fact is unnecessary"

I was beginning to think along this line but was not sure.

Thank you very much for the reply, I will follow your advice.

Regards

Mark.

Mark

It's very rare for me to disagree with Paolo but I do here. There is no such thing as being 100% protected by NAT.

For example in your acl you have ssh access. Do you really want to allow any host on the internet to try and connect via ssh?

Ditto FTP. What if someone were to hack into FTP and then download and store illegal files etc. on your server? You are liable for that. Or if they downloaded a DDOS tool and it was then used as part of an attack, again you are liable.

I agree that any might be relevant for http and SMTP but not for all apps. And if you do need to allow any to all apps, are you monitoring the server?

And how laborious the acl is depends on what you want to allow out from the inside, i.e. if it is just http for example it really isn't that laborious. I have very rarely come across a design where someone connects to the internet without any acl at all, so in effect you are permitting everything into your router. Yes you have NAT, but NAT is not designed to be a security feature, although admittedly it is a nice side effect.

Jon

mark.farmer Tue, 01/12/2010 - 11:41

Hi Jon

I agree with you entirely and ideally I would much prefer to use ACLs than not, but I was beginning to think along the same lines as Paolo and his post provided me with some confidence in the current config.

I do need ssh reachable from any IP and I do take good security measures server side. ftp is normally turned off anyway and I also use server side security here for when it's on, and I also use a good open source monitoring system.

As a Cisco new boy it's taking me time to understand how the ACLs behave and how they should be correctly applied, especially as I am running a DMZ.

The only real issue for me at present is getting unrestricted access to the internet from the LAN IPs once the ACL is applied to dialer 0, although restricting internet access from the DMZ would also be great.

Any help in achieving this would be highly appreciated.

Best regards

Mark.

Jon Marshall Tue, 01/12/2010 - 12:04

mark.farmer wrote:

Hi Jon

I agree with you entirely and ideally I would much prefer to use ACLs than not, but I was beginning to think along the same lines as Paolo and his post provided me with some confidence in the current config.

I do need ssh reachable from any IP and I do take good security measures server side. ftp is normally turned off anyway and I also use server side security here for when it's on, and I also use a good open source monitoring system.

As a Cisco new boy it's taking me time to understand how the ACLs behave and how they should be correctly applied, especially as I am running a DMZ.

The only real issue for me at present is getting unrestricted access to the internet from the LAN IPs once the ACL is applied to dialer 0, although restricting internet access from the DMZ would also be great.

Any help in achieving this would be highly appreciated.

Best regards

Mark.

Mark

When you say unrestricted access from inside, do you mean allow access to any IP on any port, or are there specific ports you want to allow?

Standard and extended IP ACLs on routers check each individual packet against the acl entries in isolation. By that I mean packets are not seen as part of a TCP connection for example, they are just single individual packets. The lines in the acl are checked in order and at the end, as Paolo said, there is an implicit "deny ip any any".

Applied inbound means it acts on traffic arriving at the interface you have applied the acl to. Applied outbound means it acts on traffic as it leaves the interface you have applied it on.

There is a keyword you can use for TCP connections only, "established", which means if the packet coming back is part of an "established" connection it will be allowed. This is the closest you can get to some sort of state (as in stateful firewalls) with this type of ACL.

There are also reflexive acls which are a step up again as they can be applied to TCP/UDP/ICMP. Here the router will build a dynamic rule to allow the traffic back in if you have allowed the traffic out in the first place, per connection. This means you can actually deny all traffic from the internet, or at least allow only the specific ports you want, but if you allow internal clients to make outbound connections the router will temporarily add a rule into the acl to allow that traffic back in.

Finally you have stateful firewalls, either CBAC, which is the IOS FW version that can be run on a router, or a dedicated firewall appliance such as an ASA.

Jon
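Jon's per-packet description above, as an added Python simulation that is not part of the thread and not Cisco's code: it parses the question's ACL 109, evaluates three constructed inbound packets one at a time with the implicit deny, and shows that a reply to a NAT-overloaded LAN session is dropped by the original list but admitted by a hypothetical extra `established` ACE, while an unsolicited SYN to the same high port is still dropped. The parser handles only the `any`/`host`/`eq`/`established` forms used here.

```python
# Constructed for this example: the thread's ACL 109, plus one hypothetical
# "established" ACE that admits replies (ACK/RST set) to sessions opened from inside.
ACL_109 = """
access-list 109 permit tcp any host 84.45.182.178 eq smtp
access-list 109 permit tcp any host 84.45.182.178 eq ftp
access-list 109 permit tcp any host 84.45.182.178 eq 22
access-list 109 permit tcp any host 84.45.182.178 eq 993
access-list 109 permit tcp any host 84.45.182.178 eq www
access-list 109 permit tcp any host 84.45.182.178 eq 443
access-list 109 permit tcp any host 84.45.182.179 eq 22
"""
ESTABLISHED = "access-list 109 permit tcp any host 84.45.182.178 established"
PORT_NAMES = {"smtp": 25, "ftp": 21, "www": 80}

def parse_acl(text):
    """Parse 'access-list 109 permit tcp any host DST [eq PORT] [established]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] + tok[3:6] != ["access-list", "109", "tcp", "any", "host"]:
            raise ValueError("unsupported ACE: " + line)
        ent = {"action": tok[2], "dst": tok[6], "port": None, "established": False}
        rest = tok[7:]
        if rest[:1] == ["eq"]:
            ent["port"] = PORT_NAMES.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        ent["established"] = rest == ["established"]
        entries.append(ent)
    return entries

def evaluate(entries, pkt):
    """Each packet is checked alone, top to bottom; no match -> implicit deny ip any any."""
    for n, e in enumerate(entries, 1):
        if pkt["dst"] != e["dst"] or (e["port"] is not None and pkt["dport"] != e["port"]):
            continue
        if e["established"] and not (pkt["ack"] or pkt["rst"]):
            continue  # 'established' matches only packets with ACK or RST set
        return e["action"], n
    return "deny", None

def demo():
    original = parse_acl(ACL_109)
    with_established = original + parse_acl(ESTABLISHED)
    syn_to_dmz_web = {"dst": "84.45.182.178", "dport": 80, "ack": False, "rst": False}
    # Constructed reply to a LAN client's overloaded session: high dst port, ACK set.
    reply_to_lan = {"dst": "84.45.182.178", "dport": 51000, "ack": True, "rst": False}
    # Constructed unsolicited SYN to the same high port: still has no matching ACE.
    stray_syn = {"dst": "84.45.182.178", "dport": 51000, "ack": False, "rst": False}
    return (evaluate(original, syn_to_dmz_web), evaluate(original, reply_to_lan),
            evaluate(with_established, reply_to_lan), evaluate(with_established, stray_syn))
```

The second result is exactly the symptom in the question: with only the seven port-specific ACEs, every reply to an outbound LAN session is caught by the implicit deny.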
