My goal is to be able to edit firewall exceptions "on the fly" and without having to hack an ACL. I have created a service object-group that contains exceptions to the firewall, however when I apply this object-group to the firewall ACL, it opens up the ACL entirely!
What am I doing wrong with this configuration? Thanks very much for any insight you can provide!
Cisco 871 running c870-advsecurityk9-mz.124-22.T.bin. Here are the configs:
ip access-list extended FIREWALL
 permit object-group FIREWALL-EXCEPTIONS any any log
 permit udp any eq bootps any eq bootpc
 deny ip any any
object-group service FIREWALL-EXCEPTIONS
 description <<< specific ports allowed through the firewall >>>
 tcp eq 443
 tcp eq 25
 tcp eq 80
interface FastEthernet4
 ip dhcp client client-id FastEthernet4
 ip address dhcp
 ip access-group FIREWALL in
 ip access-group WAN-EGRESS-FILTER out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting access-violations
 ip nat outside
 ip inspect INSPECT-FIREWALL out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 arp timeout 600
You're right, Jon. The ACL should actually read "permit tcp any any object-group FIREWALL-EXCEPTIONS", but the device won't take the command when it's structured like that! It's really throwing me off!
Maybe I've encountered a bug in the IOS?
Here's the output when I attempt to issue that ACL:
871-Firewall(config-ext-nacl)#5 permit tcp any any ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  reflect      Create reflexive access list entry
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit
Extended IP access list FIREWALL
    5 permit object-group FIREWALL-EXCEPTIONS any any log (62 matches)
    500 deny ip any any (3457 matches)

Service object group FIREWALL-EXCEPTIONS
 tcp eq 61259
 tcp eq 25222
The object-group shows up in the FIREWALL ACL, but I think the IOS is reading the entry as "permit ip any any" and disregarding the object-group TCP information altogether.
The only external tool that I currently have access to is the "Shields Up" scanner at grc.com (not the most ideal test, but it works for my purposes!)
When I have the firewall ACL in place with NO object-group entry then the firewall blocks everything as it should (GRC returns "Stealth" for every port).
When I place the object-group entry into the ACL (as shown above) GRC returns that all scanned ports are "Closed" and it also sees the ASA 5505 that I have in testing behind the router is running Web VPN (port 443 shows "Open"). In addition to all that, the ACL that blocks input into the VTY lines reports that it has blocked an attempt from the GRC scanning IP.
This is driving me up the wall! The ACL syntax is correct. The only two explanations I can think of are 1) IOS bug or 2) The device was reporting "%ALIGN-3-SPURIOUS: Spurious memory access made at..." errors earlier in the week.
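When an object-group ACE behaves unexpectedly, it helps to expand the object-group into the flat ACEs the router should be enforcing and check whether any of them is effectively "permit ip any any". The script below is an added example, not the poster's or Cisco's code: it parses the ACL and service object-group from the thread (the sample config is constructed from those lines) and assumes IOS object-group semantics in which a service-group entry "tcp eq 443" matches destination port 443, while a source port must be given with the "source" keyword.

```python
"""Expand Cisco IOS object-group ACLs into flat ACEs so the effective policy can be audited.

Added example (not the original poster's tool). Assumptions: a service-group entry
"tcp eq 443" matches the destination port; "tcp source eq 1024 eq 443" matches a
source and a destination port; network positions may be "any", "host A", "A WILDCARD"
or "object-group NAME".
"""
import re

# Constructed sample: the ACL and object-group from the question, in config order.
SAMPLE_CONFIG = """\
object-group service FIREWALL-EXCEPTIONS
 description <<< specific ports allowed through the firewall >>>
 tcp eq 443
 tcp eq 25
 tcp eq 80
ip access-list extended FIREWALL
 permit object-group FIREWALL-EXCEPTIONS any any log
 permit udp any eq bootps any eq bootpc
 deny ip any any
"""


def parse_config(text):
    """Return ({group_name: [entry, ...]}, {acl_name: [ace, ...]}) from an IOS config."""
    groups, acls = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # top-level command starts a new section
            m = re.match(r"object-group service (\S+)", line)
            if m:
                current = groups.setdefault(m.group(1), [])
                continue
            m = re.match(r"ip access-list extended (\S+)", line)
            if m:
                current = acls.setdefault(m.group(1), [])
                continue
            current = None
            continue
        body = line.strip()
        if current is not None and not body.startswith("description"):
            current.append(body)
    return groups, acls


def _take_addr(tokens):
    """Consume one network spec: 'any' (1 token) or 'host A' / 'A WILDCARD' / 'object-group N' (2 tokens)."""
    if tokens[0] == "any":
        return tokens[:1], tokens[1:]
    return tokens[:2], tokens[2:]


def _take_port_spec(tokens):
    """Consume an optional port spec: 'eq P' (2 tokens) or 'range A B' (3 tokens)."""
    if tokens and tokens[0] == "eq":
        return tokens[:2], tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[:3], tokens[3:]
    return [], tokens


def expand_ace(ace, groups):
    """Rewrite 'permit object-group G SRC DST [opts]' into one conventional ACE per group entry."""
    tokens = ace.split()
    if len(tokens) < 5 or tokens[1] != "object-group":
        return [ace]                          # already a conventional ACE
    action, name = tokens[0], tokens[2]
    src, rest = _take_addr(tokens[3:])
    dst, opts = _take_addr(rest)
    expanded = []
    for entry in groups.get(name, []):
        e = entry.split()
        proto, rest = e[0], e[1:]
        src_spec = []
        if rest and rest[0] == "source":      # explicit source port per the assumed semantics
            src_spec, rest = _take_port_spec(rest[1:])
        dst_spec, _ = _take_port_spec(rest)   # bare 'eq P' is a destination port
        expanded.append(" ".join([action, proto, *src, *src_spec, *dst, *dst_spec, *opts]))
    return expanded


def expand_acl(text, acl_name):
    """Flatten every ACE of the named ACL, resolving service object-groups."""
    groups, acls = parse_config(text)
    flat = []
    for ace in acls[acl_name]:
        flat.extend(expand_ace(ace, groups))
    return flat


def wide_open_aces(flat_acl):
    """Return the ACEs that permit every protocol from anywhere to anywhere."""
    return [ace for ace in flat_acl if ace.split()[:4] == ["permit", "ip", "any", "any"]]


if __name__ == "__main__":
    flat = expand_acl(SAMPLE_CONFIG, "FIREWALL")
    print("\n".join(flat))
    print("wide-open ACEs:", wide_open_aces(flat) or "none")
```

Run against the sample config, the expansion yields three "permit tcp any any eq PORT log" lines followed by the bootp and deny entries, and reports no wide-open ACE; a service group that contained a bare "ip" entry would expand to "permit ip any any" and be flagged, which is the behaviour the poster suspects.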