05-02-2014 12:05 PM
Hi, I know this question is probably very common, but I am still having issues with understanding ACLs.
I've read so much documentation, but it's not helping me understand or apply the knowledge to my situation.
Basically, I have configured a new Cisco 891 router with a number of VPNs connected and a couple of inbound rules to allow RDP and SQL traffic to 2 servers on my LAN. To do this I have created ACL 130 and matched it to the inbound direction of the WAN interface. The confusion is that I would really like the last default rule to be a "deny any any" rule for security. But no matter what I do, even if I create a specific permit rule for web traffic and DNS, if I change the last rule to "deny any to any" all my Internet connectivity stops working: apart from my traffic over the VPN, I cannot browse, resolve or ping anything on the Internet.
Here is my config. If anyone can advise me how to ensure my Cisco 891 firewall is secure, I would be grateful. (PS: I've given up trying to use the ZBF as this created even more issues, and I am now only using the CLI.)
Building configuration...
Current configuration : 9409 bytes
!
! Last configuration change at 20:53:43 PCTime Mon Apr 28 2014 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LBHCIS891DATA1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200 errors
logging console critical
enable secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
enable password 7 08331D1F074D031A39
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication enable default enable
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3955790181
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3955790181
revocation-check none
rsakeypair TP-self-signed-3955790181
!
crypto pki trustpoint TP-self-signed-3612796534
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3612796534
revocation-check none
rsakeypair TP-self-signed-3612796534
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-1280197465
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1280197465
revocation-check none
rsakeypair TP-self-signed-1280197465
!
!
crypto pki certificate chain TP-self-signed-3955790181
crypto pki certificate chain TP-self-signed-3612796534
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-1280197465
vlan ifdescr detail
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
!
!
!
no ip bootp server
ip domain name <Internal domain name>
ip name-server 8.8.8.8
ip name-server 172.24.4.13
ip name-server 172.24.16.13
ip name-server 172.24.16.15
ip inspect log drop-pkt
login block-for 5 attempts 10 within 5
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn FCZ1813C2XL
!
!
username admin privilege 15 secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto logging ezvpn
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key ******************* address (PEER IP)
crypto isakmp keepalive 10 5
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ADAPTVPN esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile ADAPT_IPSEC_POLICY
set transform-set ADAPTVPN
!
!
!
crypto map ADAPTVPN 200 ipsec-isakmp
set peer <<VPN PEER IP>
set transform-set ADAPTVPN
match address VPNSITE
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description VLAN 1 Trunk port
switchport mode trunk
no ip address
!
interface FastEthernet1
description VLan 1 Access port
no ip address
!
interface FastEthernet2
description Vlan 1 Access port
no ip address
!
interface FastEthernet3
description Vlan 1 Access port
no ip address
!
interface FastEthernet4
description Vlan 1 Access port
no ip address
!
interface FastEthernet5
description Vlan 1 Access port
no ip address
!
interface FastEthernet6
description VLAN 50 access port
switchport access vlan 50
no ip address
!
interface FastEthernet7
description VLAN50 trunk port
switchport access vlan 50
switchport trunk native vlan 50
switchport mode trunk
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description WAN 1 interface for LBHETH-WAN$$ETH-WAN$
ip address <Wan int Public IP add> 255.255.255.192
ip access-group 130 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map ADAPTVPN
!
interface Vlan1
description $FW_INSIDE$
ip address 172.24.16.241 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan50
description $FW_INSIDE$
ip address 172.17.116.241 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 10000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source static tcp 172.24.16.19 1433 <Wan int Public IP add> 1433 extendable
ip nat inside source static tcp 172.24.16.25 3389 <Wan int Public IP add> 3389 extendable
ip route 0.0.0.0 0.0.0.0 <Wan int Gateway>
!
ip access-list extended VPNSITE
remark CCP_ACL Category=5
remark access all sites
permit ip 172.24.16.0 0.0.3.255 172.24.0.0 0.0.255.255
remark voip
permit ip 172.24.16.0 0.0.3.255 172.17.0.0 0.0.255.255
remark webmail
permit ip 172.24.16.0 0.0.3.255 192.168.102.0 0.0.0.255
remark a cloud
permit ip 172.24.16.0 0.0.3.255 192.168.25.0 0.0.0.255
remark a cloud test
permit ip 172.24.16.0 0.0.3.255 192.168.26.0 0.0.0.255
remark a cloud public
permit ip 172.24.16.0 0.0.3.255 192.168.27.0 0.0.0.255
remark voip
permit ip 172.17.116.0 0.0.0.255 172.17.0.0 0.0.255.255
permit ip 172.17.116.0 0.0.0.255 172.24.0.0 0.0.255.255
!
ip sla auto discovery
logging trap debugging
logging facility local2
logging host 172.24.4.51
access-list 102 remark CCP_ACL Category=2
access-list 102 remark acloud public
access-list 102 deny ip 172.24.16.0 0.0.3.255 192.168.27.0 0.0.0.255
access-list 102 remark acloud test
access-list 102 deny ip 172.24.16.0 0.0.3.255 192.168.26.0 0.0.0.255
access-list 102 remark acloud
access-list 102 deny ip 172.24.16.0 0.0.3.255 192.168.25.0 0.0.0.255
access-list 102 remark oa.accessnet.co.uk
access-list 102 deny ip 172.24.16.0 0.0.3.255 192.168.102.0 0.0.0.255
access-list 102 remark voip
access-list 102 deny ip 172.24.16.0 0.0.3.255 172.17.0.0 0.0.255.255
access-list 102 remark access all sites
access-list 102 deny ip 172.24.16.0 0.0.3.255 172.24.0.0 0.0.255.255
access-list 102 remark voip
access-list 102 deny ip 172.17.116.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 remark access all sites
access-list 102 deny ip 172.17.116.0 0.0.0.255 172.24.0.0 0.0.255.255
access-list 102 permit ip 172.24.16.0 0.0.3.255 any
access-list 102 permit ip 172.17.116.0 0.0.0.255 any
access-list 130 remark EXT_ACL
access-list 130 permit ip 172.24.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 130 remark voip
access-list 130 permit ip 172.17.0.0 0.0.255.255 172.17.116.0 0.0.0.255
access-list 130 remark acloud public
access-list 130 permit ip 192.168.27.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark acloud test
access-list 130 permit ip 192.168.26.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark acloud
access-list 130 permit ip 192.168.25.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark oa.accessnet.co.uk
access-list 130 permit ip 192.168.102.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 130 remark voip
access-list 130 permit ip 172.17.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 130 remark access all sites
access-list 130 permit ip 172.24.0.0 0.0.255.255 172.24.16.0 0.0.3.255
access-list 130 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq non500-isakmp
access-list 130 permit udp host <VPN PEER IP> host <Wan int Public IP add> eq isakmp
access-list 130 permit esp host <VPN PEER IP> host <Wan int Public IP add>
access-list 130 permit ahp host <VPN PEER IP> host <Wan int Public IP add>
access-list 130 permit tcp host <a webserver> host <Wan int Public IP add> eq 1433 log
access-list 130 permit tcp any host <Wan int Public IP add> eq 3389 log
access-list 130 permit ip host <a Public Ip I need> host <Wan int Public IP add>
access-list 130 permit tcp any host <Wan int Public IP add> eq www
access-list 130 permit tcp any host <Wan int Public IP add> eq 443
access-list 130 permit tcp any host <Wan int Public IP add> eq domain
access-list 130 deny tcp any host <Wan int Public IP add> eq 1433
access-list 130 permit icmp any host <Wan int Public IP add>
access-list 130 permit ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
login authentication local_auth
transport output telnet
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 30 0
privilege level 15
password 7 09554B1A
transport preferred ssh
transport input ssh
transport output ssh
!
scheduler interval 500
ntp update-calendar
ntp server 0.uk.pool.ntp.org
!
end
05-03-2014 01:38 AM
You need a firewall config that allows the return traffic:
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
int gig0
ip inspect FW out
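To make the two posts above concrete, here is an added example (not from the thread or from Cisco) that models the router's inbound WAN filter: a stateless ACL with the posted permit rules for www, 443 and domain, a final rule that is either the posted "permit ip any any" or the desired "deny", and a CBAC-style session table of the kind "ip inspect ... out" maintains. The WAN address 203.0.113.10, the source 198.51.100.7 and the ephemeral port 40000 are constructed stand-ins; 8.8.8.8 is the name server from the posted config.

```python
# Added example (not from the thread): a toy model of the 891's inbound WAN filter
# showing why a trailing "deny ip any any" on ACL 130 kills Internet replies, and
# how a session table (the answer's "ip inspect ... out") fixes it. Addresses and
# ports below are constructed stand-ins for the redacted values in the post.
from typing import NamedTuple

WAN = "203.0.113.10"   # stand-in for <Wan int Public IP add>

class Pkt(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# (action, proto, dst_port) entries modelled on ACL 130's permits for www, 443 and
# domain. IOS matches the DESTINATION port, so they only admit new connections
# aimed at the router's address, never replies whose SOURCE port is 53 or 443.
ACL_PERMITS = [("permit", "tcp", 80), ("permit", "tcp", 443),
               ("permit", "tcp", 53), ("permit", "udp", 53)]

def acl_decision(acl, p: Pkt) -> str:
    """First matching rule wins; None means any port, 'ip' means any protocol."""
    for action, proto, dport in acl:
        if proto in ("ip", p.proto) and dport in (None, p.dport):
            return action
    return "deny"   # the implicit deny every IOS ACL ends with

def open_session(p: Pkt, sessions: set) -> None:
    """Record an outbound packet so its reply can be recognised (what inspect does)."""
    sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

def inbound_decision(p: Pkt, last_rule: str, sessions: set) -> str:
    """A reply to a recorded session bypasses the ACL; everything else is checked
    against ACL 130 with the chosen final rule ('permit' as posted, or 'deny')."""
    if (p.proto, p.dst, p.dport, p.src, p.sport) in sessions:
        return "permit"
    return acl_decision(ACL_PERMITS + [(last_rule, "ip", None)], p)

def demo() -> dict:
    sessions: set = set()
    open_session(Pkt("udp", WAN, 40000, "8.8.8.8", 53), sessions)  # NATed DNS query out
    reply = Pkt("udp", "8.8.8.8", 53, WAN, 40000)        # the answer coming back
    probe = Pkt("udp", "198.51.100.7", 53, WAN, 40000)   # unsolicited, same ports
    return {
        "reply_permit_any":   inbound_decision(reply, "permit", set()),  # posted config
        "reply_deny_any":     inbound_decision(reply, "deny", set()),    # poster's symptom
        "reply_deny_inspect": inbound_decision(reply, "deny", sessions), # with inspect
        "probe_permit_any":   inbound_decision(probe, "permit", set()),  # permit any lets it in
        "probe_deny_inspect": inbound_decision(probe, "deny", sessions), # blocked
    }
```

The DNS reply is dropped under a plain deny because its destination port is the client's ephemeral port, not 53; only the session table admits it while still dropping the unsolicited packet with identical ports.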