I hope someone can assist me with this problem, I would greatly appreciate it! First, let me apologize ahead of time if the solution
to this is obvious. Our network was configured by a third-party that is no longer in business so this job has fallen to me and I'm
still in the process of learning my way around this equipment (fun-fun!).
What we have:
- 2 ISP connections - One T1 connection and one wireless microwave connection that terminates as an ethernet port in our server room.
- Each connection is connected to its own Cisco 2811 router. The router with the microwave connection has had an additional
FastEther (single port) card inserted to receive the link from the microwave equipment.
- Both ISPs are providing us with static IPs.
- We have two ASA 5520's providing firewall services; they are configured for failover with single context. IPs on the outside
interfaces of the ASAs are using public IP addresses - no NAT is being done on the routers.
- The T1 router has an IP address assigned to the serial interface and the two built-in FA ports have no IP address and are
part of a bridge-group. The bridge group is assigned an IP address from our public range and each of these two ports is
connected to one of the ASA's for redundancy.
- The Microwave router has NO IP address assigned on the outside interface (an FA single-port add on card) and it and the
two built-in ports are all part of a bridge-group. The bridge-group is assigned a public IP address from ISP 2's range. The
built-in ports are each connected to one of the ASA's as well.
- There are four outside interfaces on the ASA, 1 pair is for the T1 and they have been assigned 2 IP addresses (primary & standby)
from the T1's IP block. The other two are each connected to the Microwave router and similarly assigned IP addresses from that
- In order to allow the routers on the outside to log and also time-sync with the servers on the inside, public addresses have been
utilized (and mapped on the ASA to inside servers).
Now everything is working perfectly, routers can access the internal NTP/SYSLOG servers and outside hosts can access servers
in the DMZ, inside hosts can access machines on the outside and DMZ and failover and all that jazz is working. The one thing
that is not working is an access list on the Microwave router.
What I want to do is set up an access-list on the router that does the following:
1) Block addresses in/out at the external interface that use private addresses.
2) Block packets coming from the Internet with a source ip address belonging to us.
3) Prevent packets coming from the Internet to the public IP addresses we are using for the
internal NTP and SYSLOG servers.
Now I have been able to accomplish this with the T1 router, works perfectly. Same thing however does not work on the
Microwave router. When I try to open any sort of connection (say Telnet) to one of these two IP addresses using a
third ISP connection we have that is NOT connected in any way to this Cisco network I can see DENY statements
at the ASA. This tells me the access-list on the 2811 router is doing nothing.
The access-list on the ASA is set up to only allow traffic from the IP addresses assigned to each of the two routers'
BVIs so most everything will be blocked at the ASA which is great. I am concerned about someone on the Internet
sending a packet with the source address forged to equal one of the BVI IPs. I have not tested it but am concerned
that those packets will get to my internal servers. No big deal on the NTP but I don't want someone writing to my
(1) Am I doing something wrong in defining an access list on this router? Do I need to upgrade to a newer IOS on the router
or is it simply not supported in a router configured this way? Note: we had to change ISPs and to get it to work we needed
to configure the router as a bridge (all three interfaces on the bridge) whereas the previous ISP was similar to the T1 and
access-lists worked there.
(2) Assuming you just can't make an access-list work this way, is there a danger of a packet received on the outside interface
with a forged address equal to the BVI address being forwarded to the ASA and then to the end SYSLOG/NTP servers?
If YES, any suggestions on how to prevent that?
Any help would be greatly appreciated! Thanks in advance!
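The three filtering rules the post asks for, written out as an ordered, first-match access list with an implicit deny (the same semantics an IOS ACL has), as an added example that is not part of the original post. The address ranges are constructed stand-ins from the documentation prefixes (203.0.113.0/24 for "our" ISP 2 block, 198.51.100.0/24 for the Internet side), not the poster's real addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values standing in for the poster's real ranges.
OUR_BLOCK = ip_network("203.0.113.0/24")            # public range holding BVI and ASA outside IPs
NTP_SYSLOG = {ip_address("203.0.113.10"),           # public IPs the ASA maps to the inside NTP/syslog hosts
              ip_address("203.0.113.11")}
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def _in_any(addr, nets):
    return any(addr in n for n in nets)

# Each entry: (action, predicate(src, dst), reason). Evaluation is first-match,
# and falling off the end is an implicit deny, just like an IOS access list.
def inbound_acl():
    """Applied to packets arriving from the Internet on the external interface."""
    return [
        ("deny", lambda s, d: _in_any(s, PRIVATE) or _in_any(d, PRIVATE), "private address"),   # rule 1
        ("deny", lambda s, d: s in OUR_BLOCK, "spoofed source in our block"),                   # rule 2
        ("deny", lambda s, d: d in NTP_SYSLOG, "Internet to NTP/syslog mapping"),               # rule 3
        ("permit", lambda s, d: True, "permit any"),
    ]

def outbound_acl():
    """Applied to packets leaving toward the Internet on the external interface."""
    return [
        ("deny", lambda s, d: _in_any(s, PRIVATE) or _in_any(d, PRIVATE), "private address"),   # rule 1
        ("permit", lambda s, d: s in OUR_BLOCK, "sourced from our block"),
        # anything else (e.g. a source we do not own) hits the implicit deny
    ]

def evaluate(acl, src, dst):
    """Return (action, reason) for the first matching entry, or the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, match, reason in acl:
        if match(s, d):
            return action, reason
    return "deny", "implicit deny"

if __name__ == "__main__":
    # Constructed packets: a spoofed BVI source aimed at the syslog mapping, and a normal reply.
    for src, dst in [("203.0.113.1", "203.0.113.11"), ("198.51.100.7", "203.0.113.20")]:
        print(src, "->", dst, evaluate(inbound_acl(), src, dst))
```

The spoofed-source case in the post is rule 2: a packet arriving from the Internet with a source inside 203.0.113.0/24 is dropped before rule 3 is even consulted, so the BVI-address trust on the ASA is never reached.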