We recently activated IP Inspect on every router that connects to the main office via VPN. And we're starting to have problems with IP Inspect blocking telnet, ftp and traffic that is not supposed to be blocked. When we deactivate IP Inspect everything is fine. Another problem we have: the traffic (telnet or ftp) works for a short time and then the telnet or ftp connection is dropped by ip inspect.
Does anyone have a solution to my problem? I want to keep every router (which is directly connected to the Internet but also connected to the main office via VPN).
We use Cisco 871 routers with IOS 12.4(4)T4.
If someone could help me with my problem I'd really appreciate it.
If you have implemented CBAC, make sure you have an explicit access-list allowing traffic to flow from outside to inside; this should include the traffic that will be initiated from outside to inside...
Have you played with the timeout values?
If you have changed the idle timeout of a TCP session, you will have to bring it back to the default...
ip inspect tcp idle-time 3600
Could you please post your ip inspect (CBAC) configuration... I will check it for you...
Hi, thanks for your reply.
Yeah, we set the "tcp idle-time" to 7200; it was 3600 before.
For the ip inspect, here is what we have in every VPN router:
ip inspect tcp idle-time 7200
ip inspect name xxFW http
ip inspect name xxFW https
ip inspect name xxFW tcp
ip inspect name xxFW udp
On the WAN interface of the router:
ip inspect xxFW in
ip inspect xxFW out
I do not think you have to enable inspection in the inbound direction on the WAN interface, i.e. remove the ip inspect xxFW in on the WAN interface.
If you want normal inspection, then you only need to inspect tcp and udp; there is no need for http or https unless you want to inspect deep into their protocols, e.g. you want to filter Java (this is your case), or want to enable URL filtering, etc., so I think you can remove ip inspect name xxFW http and ip inspect name xxFW https. If you want to allow traffic to come from outside to inside, then you need to open explicit access-lists for it...
Let me know if you need further support...
Please rate this post if it was useful.
Thanks again for your reply.
Do you think that if I remove "ip inspect xxFW in" on the WAN interface it could fix my problem with my telnet session being dropped by ip inspect?
Yes, ip inspect xxFW in on the WAN interface means you are firewalling the outside world from your internal network and opening return traffic for traffic initiated from outside... you do not want to do this, right? BIG security hole!
In fact... I need help to make the best firewall configuration I can for every VPN router we have (which are directly connected to the Internet and also have a VPN connection to the main office) for the setup we use in our network.
Access-list + IP inspect.
So feel free to advise me! :)
In your case, everything we talked about is fine... but you need to allow esp, udp 500 and 4500 to reach the WAN interface of each router... you do this by creating access-lists from each router to the router WAN interfaces... and for ease of management you can deal with subnets instead of single IPs... it depends on how many routers you have and whether or not you use a full mesh topology (in which case I would advise using DMVPN: less processing and memory utilization)...
Finally, do not forget to apply the ACL to the WAN interface...
Ok, ok, I see. We have around 450-500 VPN routers in our network. We already have these basic access-list entries in every router:
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit x.x.x.x x.x.x.255 = ( our public IP address )
access-list 1 deny any
You said in a previous reply to open all traffic from outside to inside, like this: access-list 1 permit 10.0.0.0 0.255.255.255 ?
I'm still kind of new to access-lists and IP inspect.
Thanks for your help and time!
In the Cisco world, when we talk about access-lists, they do not mean permit and block access... they mean controlling traffic to abide by a certain rule; this rule may be access, translation, VPN, QoS, route-map, etc. Therefore I'm not sure where you are applying the three access-list entries above, because they are standard ACLs.
The second issue: I'm sorry if I misworded it, but I mean you configure an explicit access-list applied on the outside interface allowing relevant traffic (not all traffic, otherwise your CBAC config is meaningless). Relevant traffic typically includes the VPN traffic, and routing traffic if you are using dynamic routing protocols like RIP or EIGRP, etc...
In your case, if you want to establish IPsec tunnels from all routers (500) to all routers, I would highly recommend you go with a DMVPN solution; you will love it if you get it to work! It is probably a good idea to check with a network service provider in your region... Where are you located, BTW?
Ok ok I understand!
The access-lists, I guess, are really general; we don't have access-lists applied yet. That's why I'm working on this.
Yeah, we are using EIGRP, but every router is using a DSL connection from suppliers around the country (Canada).
And not every router needs to connect to every router in the network. Each router connects to the main office (to a VPN concentrator). A few of them need to talk to other routers.
And I'm from Canada, Quebec.
So if I understand right, I need to add access-list rules, but general rules (VPN traffic, routing traffic), and let ip inspect do the last verification?
What I suggest in this case is one of two options (I'm assuming your DSL is using a static IP, not a DHCP IP):
You can configure a site-to-site VPN connection on each router terminating on the main router.
But the better option is to configure the so-called EZVPN on the HO router, which makes it really easy to configure the other 499 routers: less administration headache and less memory and CPU utilization on the routers...
Everything else regarding CBAC and ACLs remains the same...
For DSL/PPPoE we have static and DHCP IPs.
We already use EZVPN to establish the VPN connection to the main site. The VPN setup is working great; it's only the ACL + IP inspect / firewall part that I'm working on, and it's kind of new to me.
If you have other advice, feel free to post, and I'll try to make a configuration for the ACL + ip inspect part with the good advice you gave me.
Ok, cool. In this case, nothing other than what I said earlier... You will have the IP inspect rules as mentioned before and explicit ACLs as follows:
access-list 101 permit esp host VPN_SERVER_IP host SELF_WAN_INTERFACE
access-list 101 permit udp host VPN_SERVER_IP host SELF_WAN_INTERFACE eq 500
access-list 101 permit udp host VPN_SERVER_IP host SELF_WAN_INTERFACE eq 4500
ip access-group 101 in
You will have to do the same on the EZVPN server if you have control of it and if you are implementing CBAC on it!
And I guess I need to add "ip access-group 101 in" on int Dialer1 (for the PPPoE client)?
I finally started to test my firewall setup on 3 production routers. Everything seems to be working fine on the 2 PPPoE clients, but the DHCP client couldn't renew its IP address, and when I removed "ip access-group 101 in" (after a shut/no shut of the interface) the renewal worked.
Is there an access-list rule I need to accept DHCP requests from their ISP?
I found the problem.
I need these 2 access-list rules for the DHCP requests:
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
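As an added illustration (not code from the thread or from Cisco), here is a small evaluator for Cisco-style extended ACL entries that reproduces the DHCP renewal failure described above: the original access-list 101 only permits esp and udp 500/4500 from the VPN server, so the ISP's DHCP reply (udp from port 67 to port 68) falls through to the implicit deny at the end of every IOS ACL until the bootps/bootpc lines are added. The VPN server, WAN and ISP addresses are constructed placeholders standing in for the thread's VPN_SERVER_IP / SELF_WAN_INTERFACE; the packets are constructed too.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addresses (RFC 5737 documentation ranges) standing in
# for the thread's VPN_SERVER_IP and SELF_WAN_INTERFACE.
VPN_SERVER_IP = "203.0.113.10"
SELF_WAN_IP = "198.51.100.25"
ISP_DHCP_SERVER = "192.0.2.1"

# Port keywords IOS accepts in place of numbers (only the ones used here).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "isakmp": 500, "telnet": 23, "www": 80}

# The inbound WAN ACL from the thread, before and after the DHCP fix.
ACL_101_BEFORE = [
    f"access-list 101 permit esp host {VPN_SERVER_IP} host {SELF_WAN_IP}",
    f"access-list 101 permit udp host {VPN_SERVER_IP} host {SELF_WAN_IP} eq 500",
    f"access-list 101 permit udp host {VPN_SERVER_IP} host {SELF_WAN_IP} eq 4500",
]
ACL_101_AFTER = ACL_101_BEFORE + [
    "access-list 101 permit udp any any eq bootps",
    "access-list 101 permit udp any any eq bootpc",
]


@dataclass
class Packet:
    proto: str  # "tcp", "udp" or "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i].
    Returns ((base, wildcard), next_index); a 0 bit in the wildcard must match."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def _parse_port(tokens, i):
    """Optional 'eq PORT' qualifier after an address; returns (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' entry."""
    t = line.lower().split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_match(spec, addr):
    base, wildcard = spec
    mask = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & mask == base & mask


def evaluate(acl_lines, pkt):
    """First matching entry wins; an unmatched packet hits the implicit 'deny any'
    at the end of every IOS ACL, which is what dropped the DHCP replies."""
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)):
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.sport:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"


# Constructed packets arriving inbound on the WAN (Dialer) interface.
DHCP_ACK = Packet("udp", ISP_DHCP_SERVER, SELF_WAN_IP, 67, 68)      # ISP answering a renewal
IKE = Packet("udp", VPN_SERVER_IP, SELF_WAN_IP, 500, 500)            # EZVPN negotiation
ESP = Packet("esp", VPN_SERVER_IP, SELF_WAN_IP)                      # the tunnel itself
TELNET_PROBE = Packet("tcp", "192.0.2.99", SELF_WAN_IP, 40000, 23)   # unsolicited from the Internet


def renewal_verdicts():
    """Verdicts for the DHCP reply under both versions of access-list 101."""
    return evaluate(ACL_101_BEFORE, DHCP_ACK), evaluate(ACL_101_AFTER, DHCP_ACK)


if __name__ == "__main__":
    for name, pkt in [("DHCP ACK", DHCP_ACK), ("IKE", IKE), ("ESP", ESP), ("telnet probe", TELNET_PROBE)]:
        print(f"{name:13s} before={evaluate(ACL_101_BEFORE, pkt):6s} after={evaluate(ACL_101_AFTER, pkt)}")
```

Running it shows the DHCP reply going from deny to permit while the IKE, NAT-T and ESP traffic from the VPN server is permitted by both versions and an unsolicited telnet SYN from the Internet stays denied; the only thing the static ACL never models is the dynamic return-traffic entries CBAC inserts for sessions the inside hosts initiate, which is why the thread pairs the ACL with ip inspect rather than opening "any any".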
There's no point doing inspection over an IPsec tunnel. That's what IPsec is for!
Maybe I'm wrong, and feel free to correct me. But the ip inspect is not only for the traffic in the VPN. The clients are also using the Internet directly from their provider (they're not using the VPN for http) and they are directly connected to the Internet, so a source of attack.
You are right: you use IP inspect for the normal traffic and you create the access-lists to exempt the IPsec traffic from being blocked...
Remember, your IP inspect command is inspecting TCP and UDP (not esp, which is meaningless and maybe even not there!)
And by the way, everything is working great since I configured 5 routers to use my access-list/ip inspect config.
I want to thank you again for your really good help!
Another question about a problem we have on a few routers.
Sometimes the Internet stops working for the computers that are connected to the router (which is connected by VPN to the main office); it's like the router is refusing the connection to the Internet.
Here is the log we have when we do a debug ip (on the private IP the computer is using):
EDT: IP: tableid=0, s=10.1.1.1 (Vlan1), d=PROXY (Dialer1), routed via FIB
EDT: IP: s=10.1.1.1 (Vlan1), d=PROXY (Dialer1), g=GATEWAYPUBLICIP, len 48, forward
TCP src=1121, dst=80, seq=2099553562, ack=0, win=65535 SYN
IP: tableid=0, s=10.1.1.1 (local), d=PROXY (Dialer1), routed via FIB
IP: s=10.1.1.1 (local), d=PROXY (Dialer1), len 40, sending
TCP src=1121, dst=80, seq=2099553563, ack=0, win=0 RST
I don't understand why the router is doing a "RST" on the connection. It's not supposed to block the connection. Does anyone have an idea why we have that kind of problem on around 5% of our routers?
Make sure you are enabling split tunneling using the route-map command and access-lists... if you post the full config of one of the routers that does not work, I will try to help you!