Can't seem to get an access-list working on an external interface

Unanswered Question
Sep 13th, 2010

Hello Everyone!

I hope someone can assist me with this problem, I would greatly appreciate it!  First, let me apologize ahead of time if the solution to this is obvious.  Our network was configured by a third party that is no longer in business, so this job has fallen to me and I'm still in the process of learning my way around this equipment (fun-fun!).

What we have:

- 2 ISP connections - one T1 connection and one wireless microwave connection that terminates as an ethernet port in our server room.
- Each connection is connected to its own Cisco 2811 router.  The router with the microwave connection has had an additional FastEther (single port) card inserted to receive the link from the microwave equipment.
- Both ISPs are providing us with static IPs.
- We have two ASA 5520s providing firewall services; they are configured for failover with single context.  IPs on the outside interfaces of the ASAs are using public IP addresses - no NAT is being done on the routers.
- The T1 router has an IP address assigned to the serial interface, and the two built-in FA ports have no IP address and are part of a bridge-group.  The bridge group is assigned an IP address from our public range, and each of these two ports is connected to one of the ASAs for redundancy.
- The Microwave router has NO IP address assigned on the outside interface (an FA single-port add-on card), and it and the two built-in ports are all part of a bridge-group.  The bridge-group is assigned a public IP address from ISP 2's range.  The built-in ports are each connected to one of the ASAs as well.
- There are four outside interfaces on the ASA: 1 pair is for the T1 and they have been assigned 2 IP addresses (primary & standby) from the T1's IP block.  The other two are each connected to the Microwave router and similarly assigned IP addresses from that ISP's block.
- In order to allow the routers on the outside to log and also time-sync with the servers on the inside, public addresses have been utilized (and mapped on the ASA to inside servers).

Now everything is working perfectly: routers can access the internal NTP/SYSLOG servers, outside hosts can access servers in the DMZ, inside hosts can access machines on the outside and DMZ, and failover and all that jazz is working.  The one thing that is not working is an access list on the Microwave router.

What I want to do is set up an access-list on the router that does the following:

1)  Block addresses in/out at the external interface that use private addresses.
2)  Block packets coming from the Internet with a source IP address belonging to us.
3)  Prevent packets coming from the Internet to the public IP addresses we are using for the internal NTP and SYSLOG servers.

Now I have been able to accomplish this with the T1 router; it works perfectly.  The same thing, however, does not work on the Microwave router.  When I try to open any sort of connection (say Telnet) to one of these two IP addresses using a third ISP connection we have that is NOT connected in any way to this Cisco network, I can see DENY statements at the ASA.  This tells me the access-list on the 2811 router is doing nothing.

The access-list on the ASA is set up to only allow traffic from the IP addresses assigned to each of the two routers' BVIs, so most everything will be blocked at the ASA, which is great.  I am concerned about someone on the Internet sending a packet with the source address forged to equal one of the BVI IPs.  I have not tested it but am concerned that those packets will get to my internal servers.  No big deal on the NTP, but I don't want someone writing to my logging server.

So questions:

(1)  Am I doing something wrong in defining an access list on this router?  Do I need to upgrade to a newer IOS on the router, or is it simply not supported in a router configured this way?  Note: we had to change ISPs, and to get it to work we needed to configure the router as a bridge (all three interfaces on the bridge), whereas the previous ISP was similar to the T1 and access-lists worked there.

(2)  Assuming you just can't make an access-list work this way, is there a danger of a packet received on the outside interface with a forged address equal to the BVI address being forwarded to the ASA and then to the end SYSLOG/NTP servers?  If YES, any suggestions on how to prevent that?

Any help would be greatly appreciated!  Thanks in advance!

Regards,

Terry

gatlin007 Sat, 09/18/2010 - 11:08

Is the ACL on the microwave router applied to the BVI interface?  I believe in this case it will be an outbound ACL based on your topology; but if it doesn't work, flip it back to an inbound ACL.

Perhaps something like this:

int bvi 10
ip access-group 101 out
exit

Chris
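As an added example (not from the thread), here are the three rules from the question written as IOS extended ACLs, applied on the external port where the in/out directions the question lists are unambiguous; the reply above suggests the BVI as the alternative point of application. All addresses and the interface name are constructed: ISP 2's shared segment is 203.0.113.0/24 with the ISP gateway at .1, the block assigned to this site is 203.0.113.16/28 (BVI .17, ASA outside .18/.19, NTP mapping .20, SYSLOG mapping .21), and the add-on outside port is FastEthernet0/1/0.

```cisco
! Added example, not from the thread. Constructed values: 203.0.113.16/28 is
! this site's block inside ISP 2's 203.0.113.0/24 segment, .20/.21 are the public
! IPs mapped to the inside NTP/SYSLOG servers, FastEthernet0/1/0 is the outside port.
!
ip access-list extended FROM-INTERNET
 remark (1) drop private, loopback and link-local sources arriving from outside
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark (2) anti-spoofing: our own block is never a valid source from outside
 deny   ip 203.0.113.16 0.0.0.15 any log
 remark (3) the public NTP/SYSLOG mappings are for the routers, not the Internet
 deny   ip any host 203.0.113.20 log
 deny   ip any host 203.0.113.21 log
 remark everything else continues to the ASA, which keeps its own ACL
 permit ip any any
!
ip access-list extended TO-INTERNET
 remark (1) outbound: nothing private leaves, and nothing is sent to private space
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface FastEthernet0/1/0
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
```

An ip access-group only filters packets the router routes; frames it merely bridges between bridge-group members bypass it, so if the ASA outside addresses and the ISP gateway share the segment across the bridge, the match counters in show ip access-lists stay at zero, and that is the first thing to check.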
