857 Reflexive Access List problem

Thomas Cotton
Level 1

Hi All,

I'm a newbie, so go easy.

I've bought a 857 off ebay to use as my home router as a sort of live lab for my CCNA. I would like to apply a reflexive access list to apply the first layer of security.

I have knocked up the below:

Current configuration : 4973 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cotton_R1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$lFyW$pOl51KSwIrQ36ZVnkRbZ41
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
no ip source-route
ip dhcp relay information trust-all
no ip dhcp use vrf connected
ip dhcp excluded-address 172.30.0.1 172.30.0.2
ip dhcp excluded-address 172.30.1.1 172.30.1.5
!
ip dhcp pool LAN
   import all
   network 172.30.0.0 255.255.0.0
   default-router 172.30.0.1
   dns-server 172.30.0.1
   lease 7
!
!
ip cef
no ip bootp server
ip domain name *****

ip name-server 87.194.255.154
ip reflexive-list timeout 60
!
!
!
!
username ***** privilege 15 secret 5 ******************
archive
log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no atm ilmi-keepalive
dsl operating-mode auto
dsl enable-training-log
!
interface ATM0.1 point-to-point
description O2 Broadband ADSL2+ interface
ip address dhcp
ip access-group FIREWALL_IN in
ip access-group FIREWALL_OUT out
ip nat outside
ip virtual-reassembly
logging event subif-link-status
no snmp trap link-status
atm route-bridged ip
pvc 0/101
  oam-pvc manage
  encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 172.30.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0
!
no ip http server
no ip http secure-server
ip nat pool NAT_POOL 172.30.0.1 172.30.0.254 netmask 255.255.0.0
ip nat inside source list 1 interface ATM0.1 overload
ip dns server
!
ip access-list extended FIREWALL_IN
evaluate iptraffic
permit tcp any any established
permit ip any any
ip access-list extended FIREWALL_OUT
permit ip any any reflect iptraffic
!
access-list 1 permit 172.30.0.0 0.0.255.255
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner motd ^C
*********************************************************
Unauthorized Access Prohibited
Authorized Access Only
This system is the property of *******

Disconnect IMMEDIATELY if you are not an authorized user!
*********************************************************
^C
!
line con 0
privilege level 15
logging synchronous
no modem enable
line aux 0
line vty 0 4
session-timeout 60
access-class 1 in
privilege level 15
logging synchronous
transport input ssh
!
scheduler max-task-time 5000
end

But when I do a show ip access lists I get the below:

Standard IP access list 1
    10 permit 172.30.0.0, wildcard bits 0.0.255.255 (1832 matches)
Extended IP access list FIREWALL_IN
    10 evaluate iptraffic
    20 permit tcp any any established (60 matches)
    30 permit ip any any (270 matches)

Any ideas why it's missing out the evaluate iptraffic statement? If I take out statements 10 & 20, I get no connectivity.

I do get entries in the reflexive list:

Reflexive IP access list iptraffic
     permit icmp host 4.2.2.2 host 188.220.192.27  (11 matches) (time left 59)
     permit tcp host 95.101.82.64 eq 443 host 188.220.192.27 eq 51055 (1673 matches) (time left 45)
     permit tcp host 173.194.37.189 eq 443 host 188.220.192.27 eq 51036 (717 matches) (time left 34)
     permit tcp host 173.194.36.83 eq 443 host 188.220.192.27 eq 51031 (1025 matches) (time left 16)
     permit tcp host 213.122.82.153 eq 13500 host 188.220.192.27 eq 55866 (301 matches) (time left 228)
     permit tcp host 212.118.234.133 eq www host 188.220.192.27 eq 49841 (747 matches) (time left 280)

9 Replies

Peter Paluch
Cisco Employee

Hi Thomas,

What do you mean by saying that it's "missing out the evaluate iptraffic statement"? I definitely see it in the output you have copied here. If you are asking why there are no hits recorded with the "evaluate iptraffic" statement then I'd say that it is not conclusive - you see the entries being created and matched in the reflexive ACL itself.

Perhaps you could clarify your idea in different words.

Best regards,

Peter

Mohamed Sobair
Level 7

Hi Thomas,

I have two points:

1- You should see hits on the reflexive access-list itself not the evaluate iptraffic statement (and you have it on the output).

2- Why do you have the (permit ip any any) statement on access-list FIREWALL_IN? By having this statement, traffic which is not evaluated by the reflexive access-list won't be evaluated and will bypass it; hence you have a security concern.

The whole point of having a reflexive ACL is to evaluate your inbound traffic which originated from your network and DROP anything else UNLESS otherwise specified in the exceptions. For testing purposes you can have it, but in a production environment I suggest you remove this line.

HTH

Mohamed

Thomas Cotton
Level 1

Apologies, I didn't explain myself very well. The reason I have the allow any ip statement is because without it I cannot browse the internet. I can ping routers, but can't browse standard sites, i.e. google.

Correct me if I'm wrong, but I thought access lists read from the top down, so I can't understand why it's getting to that allow any statement. Any help would be greatly appreciated!

Could it be something to do with NAT?

Thanks

Hi,

You are correct; however, from your description that means your reflexive ACL is not working, and yet you have hits on the ACL and you can ping. I am confused.

Could you just remove the last statement and leave the evaluate only, then re-apply your ACL again.

There is nothing wrong with your configuration, and it has nothing to do with NAT since you can ping some sites as you mentioned. Try it and let us know the results.

HTH

Mohamed

Thomas Cotton
Level 1

I've amended the access list to read:

Extended IP access list FIREWALL_IN
    10 evaluate iptraffic
Extended IP access list FIREWALL_OUT
    10 permit ip any any reflect iptraffic

and I was able to ping 4.2.2.2, and browse and search on google.co.uk, but wasn't able to browse ebay.co.uk or skyports.com:

Reflexive IP access list iptraffic
     permit tcp host 213.122.82.153 eq 13500 host 188.220.192.27 eq 38424 (5 matches) (time left 50)
     permit tcp host 209.85.227.101 eq www host 188.220.192.27 eq 49206 (37 matches) (time left 49)
     permit tcp host 173.194.36.104 eq www host 188.220.192.27 eq 49205 (171 matches) (time left 50)
     permit tcp host 173.194.36.104 eq www host 188.220.192.27 eq 49204 (239 matches) (time left 50)
     permit tcp host 212.118.234.129 eq 443 host 188.220.192.27 eq 49171 (117 matches) (time left 58)

Could it be some DNS-related issue?

Cheers

Hi,

Those sites are accessible, so it's not a problem with the web servers, and it's not a problem with DNS either, since you were able to google some sites.

It might be that those sites are blocking connections from your source IP; please try to access the sites from different source IPs. If they are still not accessible to you, confirm with your ISP that your public source IP is not blocked for those sites.

HTH

Mohamed

Thomas Cotton
Level 1

As soon as I remove that inbound ACL from the ATM0.1 sub-interface I can browse all sites correctly.

Does anyone know what could be causing some sites not to be logged in the reflexive access list? I ran an IP packet debug and captured this:

.Nov 28 20:13:23.887: IP: s=173.194.37.104 (ATM0.1), d=188.220.***.***, len 40, access denied

.Nov 28 20:13:22.319: IP: s=87.194.255.154 (ATM0.1), d=188.220.***.***, len 193, access denied

Thomas Cotton
Level 1

Managed to get it working with the below config:

Extended IP access list FIREWALL_IN
    10 permit tcp any any eq smtp
    15 permit tcp any any eq www
    20 permit udp any any eq ntp
    25 permit tcp any any eq 443
    30 permit udp any any eq bootps
    35 permit udp any any eq bootpc
    40 permit tcp any any eq domain
    45 permit udp any any eq domain (99 matches)
    100 evaluate iptraffic
Extended IP access list FIREWALL_OUT
    10 permit ip any any reflect iptraffic (1102231 matches)

Maybe the 857 was unable to handle the amount of entries it needed to write for port 80? Am I leaving myself open with the above config?

Thomas Cotton
Level 1

Cracked it:

Extended IP access list FIREWALL_IN
    10 permit udp any any eq domain (3 matches)
    20 evaluate iptraffic
Extended IP access list FIREWALL_OUT
    10 permit ip any any reflect iptraffic (3269287 matches)

The DNS requests were coming in on a UDP port which was being blocked by my original config. That's why pings to IP addresses worked, and I could browse sites that I'd just been on (i.e. existed in the DNS table).

Cheers for all the help anyway
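The thread above works through three versions of FIREWALL_IN: the original (evaluate, then "permit tcp any any established", then "permit ip any any"), the evaluate-only list Mohamed suggested, and the final list with an explicit "permit udp any any eq domain" in front of the evaluate. The Python below is an added example, not code from the thread or from Cisco, that models how an IOS reflexive ACL decides each inbound packet under those three lists. It assumes two things: first, the documented IOS behaviour that packets the router itself originates are not run through an outbound interface ACL, so the queries sent by the router's own DNS forwarder ("ip dns server", with the LAN pointed at 172.30.0.1) never create a reflexive entry, which is why the reply from 87.194.255.154 showed up as "access denied" in the debug; second, inferred from the matches on "permit udp any any eq domain", that those replies arrive with destination port 53, so the model sends the router's query from source port 53. The addresses 188.220.192.27, 87.194.255.154 and 173.194.36.104 come from the thread; 203.0.113.9 is a constructed source for an unsolicited packet. The rule tuples, the Packet class and the function names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float = 0.0                  # seconds; drives the reflexive idle timeout
    router_generated: bool = False  # the router's own traffic (e.g. its DNS forwarder)
    established: bool = False       # TCP ACK or RST set, which is all "established" keys on


class ReflexiveList:
    """Models 'reflect NAME' on the outbound ACL and 'evaluate NAME' on the inbound
    one, with 'ip reflexive-list timeout' as the idle timer."""

    def __init__(self, timeout: float = 60.0):
        self.timeout = timeout
        self.entries = {}           # mirrored 5-tuple -> expiry time

    def reflect(self, pkt: Packet) -> None:
        # An outbound packet installs its mirror image: proto, dst->src, dport->sport.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = pkt.t + self.timeout

    def evaluate(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if pkt.t > expiry:          # idle timer ran out: the entry is gone
            del self.entries[key]
            return False
        self.entries[key] = pkt.t + self.timeout   # a hit refreshes the timer
        return True


def matches(rule, pkt: Packet) -> bool:
    """Static line: ("permit", proto, dport | "established" | None)."""
    _, proto, port = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if port is None:
        return True
    if port == "established":
        return pkt.proto == "tcp" and pkt.established
    return pkt.dport == port


def inbound(rules, refl: ReflexiveList, pkt: Packet) -> str:
    """Walk FIREWALL_IN top down; no match means the implicit deny at the end."""
    for rule in rules:
        if rule[0] == "evaluate":
            if refl.evaluate(pkt):
                return "permit"
            continue                # no session entry: keep walking the static lines
        if matches(rule, pkt):
            return "permit"
    return "deny"


def outbound(refl: ReflexiveList, pkt: Packet) -> str:
    """FIREWALL_OUT is 'permit ip any any reflect iptraffic'. IOS does not pass
    router-originated packets through an outbound interface ACL (assumption stated
    in the lead-in), so those leave without creating a reflexive entry."""
    if not pkt.router_generated:
        refl.reflect(pkt)
    return "permit"


WAN = "188.220.192.27"              # the public address shown in the thread
NS = "87.194.255.154"               # the 'ip name-server' from the config
WEB = "173.194.36.104"              # a web server from the thread's reflexive list
PROBE = "203.0.113.9"               # constructed source for unsolicited packets

ORIGINAL = [("evaluate",), ("permit", "tcp", "established"), ("permit", "ip", None)]
EVALUATE_ONLY = [("evaluate",)]
FINAL = [("permit", "udp", 53), ("evaluate",)]


def run(rules):
    refl = ReflexiveList(timeout=60)
    # A LAN browser opens TCP/80; after NAT overload the packet carries the WAN address.
    outbound(refl, Packet("tcp", WAN, 49205, WEB, 80, t=0))
    # The router's DNS forwarder queries the ISP resolver from source port 53 (assumed).
    outbound(refl, Packet("udp", WAN, 53, NS, 53, t=0, router_generated=True))
    probes = {
        "web_reply": Packet("tcp", WEB, 80, WAN, 49205, t=1, established=True),
        "dns_reply": Packet("udp", NS, 53, WAN, 53, t=1),
        "unsolicited_tcp": Packet("tcp", PROBE, 4444, WAN, 22, t=1, established=True),
        "unsolicited_udp53": Packet("udp", PROBE, 4444, WAN, 53, t=1),
        "web_reply_late": Packet("tcp", WEB, 80, WAN, 49205, t=120, established=True),
    }
    return {name: inbound(rules, refl, p) for name, p in probes.items()}


if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("evaluate only", EVALUATE_ONLY), ("final", FINAL)]:
        print(name, run(rules))
```

Running it reproduces the thread: the original list permits everything, which is Mohamed's point that "permit ip any any" (and a bare "established" line, which only checks flag bits) makes the evaluate line decorative; the evaluate-only list drops the DNS reply, matching the "access denied" debug; the final list lets the DNS reply through while still dropping unsolicited TCP. The model also shows the residual exposure behind the "Am I leaving myself open?" question: "permit udp any any eq domain" admits any UDP packet to port 53 on the WAN address, where the router's own "ip dns server" is listening, and a reflexive entry that sits idle past the 60-second timeout drops the next packet of that flow.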
