Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Router ACL permitting hairpin Internet traffic

Hello, I am creating a typical router-on-a-stick configuration where remote sites running Cisco IOS direct outbound Internet traffic through an IPSec tunnel that terminates on a ASA5510. I am 99% there and am able to route between the spokes and to/from the Internet. I am looking for guidance on how to properly configure the inbound ACL on the spoke router WAN interfaces.

My question is, do I need to specifically allow return traffic from the Internet in the spoke router ACL? I was under the impression that allowing the IPSec traffic from the hub ASA would include the Internet traffic that has hairpined through the ASA and I would not need a specific ACL entry permitting Internet source addresses.

The spoke router I am working on now is a 3620 running IOS 12.3.26. When I configure the inbound ACL on the WAN Interface to only allow esp/isakmp from the hub ASA, I am not able to recieve traffic from the Internet. If I remove the inbound ACL everything works fine. Here is the current inbound ACL from the Lab network router:

access-list 130 remark Permitted Inbound connections from WAN

access-list 130 remark IPSec

access-list 130 remark LAN subnets

access-list 130 permit ip 192.168.75.0 0.0.0.255 192.168.168.0 0.0.0.255

access-list 130 permit ip 192.168.50.0 0.0.0.255 192.168.168.0 0.0.0.255

access-list 130 permit ip 10.199.199.0 0.0.0.255 192.168.168.0 0.0.0.255

access-list 130 remark HUB ASA

access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq non500-isakmp

access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq isakmp

access-list 130 permit esp host 172.16.1.4 host 172.16.1.21

access-list 130 permit ahp host 172.16.1.4 host 172.16.1.21

access-list 130 remark NTP to router

access-list 130 permit udp host 192.43.244.18 eq ntp host 172.16.1.21 eq ntp

access-list 130 remark Permitted ICMP Traffic

access-list 130 permit icmp any host 172.16.1.21 echo

access-list 130 permit icmp any any echo-reply

access-list 130 permit icmp any any source-quench

access-list 130 permit icmp any any packet-too-big

access-list 130 permit icmp any any time-exceeded

access-list 130 deny icmp any any

access-list 130 remark Permitted Managment Traffic

access-list 130 remark allow SSH

access-list 130 permit tcp any any eq 22

With the access list above applied inbound on my WAN Interface, inside hosts are able to ping Internet addresses (permiting any ICMP echo-reply) but can't browse the Internet.

Do I need to enable a firewall policy on the router to permit return Internet traffic? I thought the ESP permit rule would cover that.

Any and all help is appreaciated!

Dan

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Router ACL permitting hairpin Internet traffic

Dan

Unless you are running the IOS firewall feature set on your spoke routers then the router cannot keep state of outbound connections. So yes you will need to also allow the unencrypted traffic in your acl on the WAN interface inbound because once the traffic is decrypted it is then checked against the acl on the interface, see this link for order of operations -

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

On the ASA/Pix firewalls you can tell the device to not check against the acl on the outside interface once traffic has been decrypted with the "sysopt connection " command but i'm not aware of a similiar option for IOS.

Jon

1 REPLY
Hall of Fame Super Blue

Re: Router ACL permitting hairpin Internet traffic

Dan

Unless you are running the IOS firewall feature set on your spoke routers then the router cannot keep state of outbound connections. So yes you will need to also allow the unencrypted traffic in your acl on the WAN interface inbound because once the traffic is decrypted it is then checked against the acl on the interface, see this link for order of operations -

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

On the ASA/Pix firewalls you can tell the device to not check against the acl on the outside interface once traffic has been decrypted with the "sysopt connection " command but i'm not aware of a similiar option for IOS.

Jon

646
Views
0
Helpful
1
Replies
CreatePlease to create content