problems with external ACL rules

Hi, I know this question is probably very common, but I am still having issues with understanding ACLs.

I've read so much documentation, but it's not helping me understand or apply the knowledge to my situation.

 

Basically, I have configured a new Cisco 891 router with a number of VPNs connected and a couple of inbound rules to allow RDP and SQL traffic to two servers on my LAN. To do this I have created ACL 130 and matched it to the inbound direction of the WAN interface. The confusion is that I would really like the last default rule to be a "deny any any" rule for security, but no matter what I do, even if I create a specific permit rule for web traffic and DNS, if I change the last rule to "deny any to any" all my internet connectivity stops working: apart from my traffic over the VPN, I cannot browse, resolve or ping anything on the internet.

 

Here is my config. If anyone can advise me how to ensure my Cisco 891 firewall is secure I would be grateful. (PS: I've given up trying to use the ZBF as this created even more issues, and I am now only using the CLI.)

Building configuration...

Current configuration : 9409 bytes
!
! Last configuration change at 20:53:43 PCTime Mon Apr 28 2014 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LBHCIS891DATA1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200 errors
logging console critical
enable secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
enable password 7 08331D1F074D031A39
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication enable default enable
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3955790181
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3955790181
 revocation-check none
 rsakeypair TP-self-signed-3955790181
!
crypto pki trustpoint TP-self-signed-3612796534
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3612796534
 revocation-check none
 rsakeypair TP-self-signed-3612796534
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-1280197465
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1280197465
 revocation-check none
 rsakeypair TP-self-signed-1280197465
!
!
crypto pki certificate chain TP-self-signed-3955790181
crypto pki certificate chain TP-self-signed-3612796534
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-1280197465
vlan ifdescr detail
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!


!
!
!
!
no ip bootp server
ip domain name <Internal domain name>
ip name-server 8.8.8.8
ip name-server 172.24.4.13
ip name-server 172.24.16.13
ip name-server 172.24.16.15
ip inspect log drop-pkt
login block-for 5 attempts 10 within 5
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
 spoofed-acker off
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn FCZ1813C2XL
!
!
username admin privilege 15 secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto logging ezvpn
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******************* address (PEER IP)
crypto isakmp keepalive 10 5
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ADAPTVPN esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ADAPT_IPSEC_POLICY
 set transform-set ADAPTVPN
!
!
!
crypto map ADAPTVPN 200 ipsec-isakmp
 set peer <<VPN PEER IP>
 set transform-set ADAPTVPN
 match address VPNSITE
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description VLAN 1 Trunk port
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 description VLan 1 Access port
 no ip address
!
interface FastEthernet2
 description Vlan 1 Access port
 no ip address
!
interface FastEthernet3
 description Vlan 1 Access port
 no ip address
!
interface FastEthernet4
 description Vlan 1 Access port
 no ip address
!
interface FastEthernet5
 description Vlan 1 Access port
 no ip address
!
interface FastEthernet6
 description VLAN 50 access port
 switchport access vlan 50
 no ip address
!
interface FastEthernet7
 description VLAN50 trunk port
 switchport access vlan 50
 switchport trunk native vlan 50
 switchport mode trunk
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description WAN 1 interface for LBHETH-WAN$$ETH-WAN$
 ip address <Wan int Public IP add> 255.255.255.192
 ip access-group 130 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map ADAPTVPN
!
interface Vlan1
 description $FW_INSIDE$
 ip address 172.24.16.241 255.255.252.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan50
 description $FW_INSIDE$
 ip address 172.17.116.241 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 10000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source static tcp 172.24.16.19 1433 <Wan int Public IP add> 1433 extendable
ip nat inside source static tcp 172.24.16.25 3389 <Wan int Public IP add> 3389 extendable
ip route 0.0.0.0 0.0.0.0 <Wan int Gateway>
!
ip access-list extended VPNSITE
 remark CCP_ACL Category=5
 remark access all sites
 permit ip 172.24.16.0 0.0.3.255 172.24.0.0 0.0.255.255
 remark voip
 permit ip 172.24.16.0 0.0.3.255 172.17.0.0 0.0.255.255
 remark webmail
 permit ip 172.24.16.0 0.0.3.255 192.168.102.0 0.0.0.255
 remark a cloud
 permit ip 172.24.16.0 0.0.3.255 192.168.25.0 0.0.0.255
 remark a cloud test
 permit ip 172.24.16.0 0.0.3.255 192.168.26.0 0.0.0.255
 remark a cloud public
 permit ip 172.24.16.0 0.0.3.255 192.168.27.0 0.0.0.255
 remark voip
 permit ip 172.17.116.0 0.0.0.255 172.17.0.0 0.0.255.255
 permit ip 172.17.116.0 0.0.0.255 172.24.0.0 0.0.255.255
!
ip sla auto discovery
logging trap debugging
logging facility local2
logging host 172.24.4.51
access-list 102 remark CCP_ACL Category=2
access-list 102 remark acloud public
access-list 102 deny   ip 172.24.16.0 0.0.3.255 192.168.27.0 0.0.0.255
access-list 102 remark acloud test
access-list 102 deny   ip 172.24.16.0 0.0.3.255 192.168.26.0 0.0.0.255
access-list 102 remark acloud
access-list 102 deny   ip 172.24.16.0 0.0.3.255 192.168.25.0 0.0.0.255
access-list 102 remark oa.accessnet.co.uk
access-list 102 deny   ip 172.24.16.0 0.0.3.255 192.168.102.0 0.0.0.255
access-list 102 remark voip
access-list 102 deny   ip 172.24.16.0 0.0.3.255 172.17.0.0 0.0.255.255
access-list 102 remark access all sites
access-list 102 deny   ip 172.24.16.0 0.0.3.255 172.24.0.0 0.0.255.255
access-list 102 remark voip
access-list 102 deny   ip 172.17.116.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 remark access all sites
access-list 102 deny   ip 172.17.116.0 0.0.0.255 172.24.0.0 0.0.255.255
access-list 102 permit ip 172.24.16.0 0.0.3.255 any
access-list 102 permit ip 172.17.116.0 0.0.0.255 any
access-list 130 remark EXT_ACL
access-list 130 permit ip 172.24.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 130 remark voip
access-list 130 permit ip 172.17.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 130 remark acloud public
access-list 130 permit ip 192.168.27.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark acloud test
access-list 130 permit ip 192.168.26.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark acloud
access-list 130 permit ip 192.168.25.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark oa.accessnet.co.uk
access-list 130 permit ip 192.168.102.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark voip
access-list 130 permit ip 172.17.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 130 remark access all sites
access-list 130 permit ip 172.24.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 130 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq non500-isakmp
access-list 130 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq isakmp
access-list 130 permit esp host <VPN PEER IP> host <Wan int Public IP add>
access-list 130 permit ahp host <VPN PEER IP> host <Wan int Public IP add>
access-list 130 permit tcp host <a webserver> host <Wan int Public IP add> eq 1433 log
access-list 130 permit tcp any host <Wan int Public IP add> eq 3389 log
access-list 130 permit ip host <a Public Ip I need> host <Wan int Public IP add>
access-list 130 permit tcp any host <Wan int Public IP add> eq www
access-list 130 permit tcp any host <Wan int Public IP add> eq 443
access-list 130 permit tcp any host <Wan int Public IP add> eq domain
access-list 130 deny   tcp any host <Wan int Public IP add> eq 1433
access-list 130 permit icmp any host <Wan int Public IP add>
access-list 130 permit ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 login authentication local_auth
 transport output telnet
line 1
 modem InOut
 speed 115200
 flowcontrol hardware
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 password 7 09554B1A
 transport preferred ssh
 transport input ssh
 transport output ssh
!
scheduler interval 500
ntp update-calendar
ntp server 0.uk.pool.ntp.org
!
end

1 REPLY

You need a firewall-config

You need a firewall-config that allows the return-traffic:

 

ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
int gig0
  ip inspect FW out


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
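As an added illustration, not part of the original thread, of why the reply recommends ip inspect: a small Python model of stateless ACL evaluation versus a CBAC-style session table, run over a DNS exchange with the 8.8.8.8 resolver named in the config. The WAN address and the ephemeral source port are constructed placeholders, and only the ACL 130 entries relevant to Internet traffic are modelled.

```python
from collections import namedtuple

WAN_IP = "203.0.113.10"  # constructed stand-in for <Wan int Public IP add>
Packet = namedtuple("Packet", "proto src sport dst dport")

# Subset of ACL 130 as (proto, dst, dport, action); src is "any" for every
# entry that matters to Internet traffic, VPN-peer entries are omitted, and the
# last entry is the "deny ip any any" the question wants instead of "permit ip any any".
ACL_130 = [
    ("tcp", WAN_IP, 3389, "permit"),  # rdp to the NATed server
    ("tcp", WAN_IP, 80, "permit"),    # eq www
    ("tcp", WAN_IP, 443, "permit"),
    ("tcp", WAN_IP, 53, "permit"),    # eq domain: only traffic sent TO port 53
    ("icmp", WAN_IP, None, "permit"),
    ("ip", "any", None, "deny"),
]

def acl_lookup(acl, pkt):
    """Stateless first-match evaluation, as IOS does for 'ip access-group in'."""
    for proto, dst, dport, action in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

def inspect_outbound(sessions, pkt):
    """Model of 'ip inspect FW out': remember the 5-tuple a reply will carry."""
    sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

def inbound_decision(acl, sessions, pkt):
    """CBAC admits replies to inspected sessions before the inbound ACL is consulted."""
    if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in sessions:
        return "permit"
    return acl_lookup(acl, pkt)

def dns_reply_outcome(with_inspect):
    """Post-NAT DNS exchange between the WAN address and 8.8.8.8 (from the config)."""
    sessions = set()
    query = Packet("udp", WAN_IP, 40000, "8.8.8.8", 53)
    reply = Packet("udp", "8.8.8.8", 53, WAN_IP, 40000)
    if with_inspect:
        inspect_outbound(sessions, query)
    return inbound_decision(ACL_130, sessions, reply)
```

The reply from port 53 never matches "eq domain" (that entry tests the destination port), so with a trailing deny it is dropped unless inspection has recorded the outbound query; the inbound RDP entry keeps working either way.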