Reflexive ACL with IP inspect

slandeira · ‎08-24-2010

Hi,

I have a problem with the comunication between two sites, one of them has IP A.B.C.D and the other one has IP 21.11.23.12. I can not have a connection between the two IPs, I modified the ACLs and I've added in inbound ACL "permit ip host 21.11.23.12 any log" and in the outbound ACL "permit ip host 21.11.23.12 any log" but still have not connectivity, it can be due to ip inspect?

the configuration is:

ip inspect audit-trail
ip inspect max-incomplete low 100
ip inspect max-incomplete high 200
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 20 block-time 1
ip inspect name C_inspect icmp
ip inspect name C_inspect udp
ip inspect name C_inspect tcp
...
interface ATM0/0/0.1 point-to-point
ip address A.B.C.D 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
ip nbar protocol-discovery
ip nat outside
ip inspect C_inspect in
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
crypto map VPN
pvc 8/32
encapsulation aal5snap
pppoe max-sessions 10
...
ip access-list extended INBOUND
permit ip host 21.11.23.12 any log
permit esp any any reflect VUELTAin
permit udp any any eq isakmp reflect VUELTAin
permit udp any any eq non500-isakmp reflect VUELTAin
permit tcp any eq ftp 19.16.0.0 0.0.255.255 reflect VUELTAin
permit tcp any eq ftp-data 19.16.0.0 0.0.255.255 reflect VUELTAin
permit tcp any eq ftp host A.B.C.D reflect VUELTAin
permit tcp any eq ftp-data host A.B.C.D reflect VUELTAin
permit ip host 194.10.18.254 any
permit ip 192.16.1.0 0.0.0.255 any
evaluate VUELTA
deny ip any any log

ip access-list extended OUTBOUND
permit ip any host 21.11.23.12 log
permit ip 19.16.200.0 0.0.0.255 19.16.1.0 0.0.0.255 reflect VUELTA
permit ip 19.16.100.0 0.0.0.255 19.16.1.0 0.0.0.255 reflect VUELTA
permit icmp 19.16.100.0 0.0.0.255 19.16.1.0 0.0.0.255 reflect VUELTA
permit tcp 19.16.0.0 0.0.255.255 any eq smtp reflect VUELTA
permit tcp 19.16.0.0 0.0.255.255 any eq www reflect VUELTA
permit tcp 19.16.0.0 0.0.255.255 any eq 443 reflect VUELTA
permit tcp 19.16.0.0 0.0.255.255 any eq pop3 reflect VUELTA
permit tcp 19.16.0.0 0.0.255.255 any eq ftp reflect VUELTA
permit tcp 19.16.0.0 0.0.255.255 any eq ftp-data reflect VUELTA
permit udp 19.16.0.0 0.0.255.255 any eq domain reflect VUELTA
permit udp any any eq domain reflect VUELTA
permit icmp any any reflect VUELTA
permit tcp any 19.16.5.0 0.0.0.255
deny   ip any 78.31.8.0 0.0.7.255
evaluate VUELTAin
deny   tcp 19.16.0.0 0.0.255.255 0.0.0.0 255.255.248.0
permit tcp host A.B.C.D any eq www reflect VUELTA
permit tcp host A.B.C.D any eq 443 reflect VUELTA
permit tcp host A.B.C.D any eq smtp reflect VUELTA
permit tcp host A.B.C.D any eq ftp reflect VUELTA
permit tcp host A.B.C.D any eq pop3 reflect VUELTA
permit tcp host A.B.C.D any eq 8443 reflect VUELTA
deny   ip any any

Peter Paluch · ‎08-24-2010

Hello,

I find it actually confusing to see both reflexive ACLs and IP Inspect combined. As the IP Inspect is effectively a superset of reflexive ACLs, I do not see any specific reason to combine them. Do you have any particular need to use both IP Inspect and reflexive ACLs?

Second, your IP Inspect is used in the inbound direction on your ATM/DSL interface. Is that by intent? Usually, on an outside interface, the IP Inspect is used in the outbound direction to track all connections initiated from inside, and to automatically permit replies to those connections to enter the router. However, you have the IP Inspect used in the opposite direction which, while possible, does not make much sense to me in your current deployment.

I originally wanted to directly suggest a change to your configuration but I do not understand your network well. Please try to include more info on the following topics:

The ATM/DSL interface is marked ip nat outside. Are all internal network privately addresses and do you NAT/PAT all internal networks?
Are there any servers in your internal networks that must be accessible from the outside (i.e. the INBOUND ACL must contain open ports for these servers and services)?
Do you limit your internal networks to a selected set of services outside, or should the internal networks be able to access all services in the outside?

Simplifying your redundant ACL configuration is of the essence here - I believe that your current ACLs, especially when combined with the IP Inspect, are unnecessarily convoluted.

Best regards,

Peter

slandeira · ‎09-01-2010

Hi,

thanks for your suggestions.

I have erased the configuration of "ip inspect" (I no longer applied in the ATM interface), and also i can't get to establish communication between the two IPs, however, I can see matches in the ACL inbound and outbound..

After deleting all the entries of ip inspect configuration:
no ip inspect tcp-time synwait 15
no ip inspect tcp max-incomplete host 20 block-time 1

I can see packets in both directions:

% SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 81.43.98.19 (2089) -> 217 119 234 124 (32 845), 16 packets
% SEC-6-IPACCESSLOGP: list INBOUND2 permitted tcp 217 119 234 124 (32 845) -> 81.43.98.19 (2089), 13 packets

Which may be the cause why it not finish the connection? (the connection seems to be established only for a a few seconds...)

thanks!