Firewall trouble

Discussion in 'Cisco' started by robertm@performancematerials.com, Aug 30, 2006.

  1. Guest

    Here is my Situation.

    I followed the Cisco Docs about creating a firewall. I got the inspect
    rules in place and working but the access list is giving me a problem.

    When there is no access list applied to my outside WAN interface, I can
    view web sites. When I apply this access-list I can not.


    Here is the access list:


    10 permit tcp any host xxx.xxx.xxx.89 eq ftp
    20 permit tcp any host xxx.xxx.xxx.89 eq ftp-data
    30 permit tcp any host xxx.xxx.xxx.89 eq smtp
    40 permit tcp any host xxx.xxx.xxx.89 eq www
    50 permit tcp any host xxx.xxx.xxx.89 eq 3389
    60 permit tcp any host xxx.xxx.xxx.89 eq pop3
    70 permit tcp any host xxx.xxx.xxx.89 eq 1723
    80 permit icmp any host xxx.xxx.xxx.89 echo
    90 permit icmp any host xxx.xxx.xxx.89 echo-reply
    100 deny ip any any
    110 permit udp any host 207.178.224.89 eq domain


    Here are the inspect rules:


    ip inspect name firewall tcp
    ip inspect name firewall ftp
    ip inspect name firewall smtp
    ip inspect name firewall echo
    ip inspect name firewall icmp
    ip inspect name firewall pop3


    I do not have a firewall monitoring the inside interface


    any help would be appreciated


    , Aug 30, 2006
    #1

  2. In article <>,
    <> wrote:

    >I followed the Cisco Docs about creating a firewall. I got the inspect
    >rules in place and working but the access list is giving me a problem.


    >When there is no access list applied to my outside WAN interface, I can
    >view web sites. When I apply this access-list I can not.


    My answer here is the same as the one I gave in comp.security.firewalls .
    I know you must have read it, because it's the same message
    that suggested comp.dcom.sys.cisco to you.

    To summarize: delete line 100 of your access list.
    Walter Roberson, Aug 30, 2006
    #2

  3. Guest

    I did not look at your first post closely enough. Thank you for your
    response though; it gives me a much better understanding. I will try
    this fix as soon as I get to the office. Thanks again!


    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    >
    > >I followed the Cisco Docs about creating a firewall. I got the inspect
    > >rules in place and working but the access list is giving me a problem.

    >
    > >When there is no access list applied to my outside WAN interface, I can
    > >view web sites. When I apply this access-list I can not.

    >
    > My answer here is the same as the one I gave in comp.security.firewalls .
    > I know you must have read it, because it's the same message
    > that suggested comp.dcom.sys.cisco to you.
    >
    > To summarize: delete line 100 of your access list.
    , Aug 30, 2006
    #3
  4. Guest

    wrote:
    > I did not look at your first post closely enough, Thank you for your
    > response though, it gives me a much better understanding, I will try
    > this fix as soon as I get to the office. Thanks again!
    >
    >
    > Walter Roberson wrote:
    > > In article <>,
    > > <> wrote:
    > >
    > > >I followed the Cisco Docs about creating a firewall. I got the inspect
    > > >rules in place and working but the access list is giving me a problem.

    > >
    > > >When there is no access list applied to my outside WAN interface, I can
    > > >view web sites. When I apply this access-list I can not.

    > > To summarize: delete line 100 of your access list.


    Hmmm.
    Here are the inspect/ACL again

    ####### Begin quote
    When there is no access list applied to my outside WAN interface, I can
    view web sites. When I apply this access-list I can not.

    10 permit tcp any host xxx.xxx.xxx.89 eq ftp
    <snipped..>
    90 permit icmp any host xxx.xxx.xxx.89 echo-reply
    100 deny ip any any
    110 permit udp any host 207.178.224.89 eq domain

    ip inspect name firewall tcp
    <snipped..>
    ip inspect name firewall pop3
    ####End quote

    You haven't said whether this is applied inbound or outbound.
    From the look of it you would apply it outbound which is
    not going to give you much of a firewall.

    For Inspect to protect you from external traffic heading inbound
    you need:

    ip inspect name firewall udp ! added?
    ip inspect name firewall tcp
    <snipped..>
    ip inspect name firewall pop3

    int external
    ip access-group ACL.deny.all in
    ip inspect firewall out

    ip access-list extended ACL.deny.all
    deny ip any any
    ! Yes that is OK deny any any is all I mean to put.

    The above will not allow any traffic in EXCEPT
    responses to outbound traffic. This is what is
    usually wanted and is what the inspect does.

    You then add the following to control
    outbound sessions.

    int external
    ip access-group ACL.permit.outbound

    ip access-list extended ACL.permit.outbound
    10 permit tcp any host xxx.xxx.xxx.89 eq ftp
    <snipped..>
    80 permit icmp any host xxx.xxx.xxx.89 echo
    90 permit icmp any host xxx.xxx.xxx.89 echo-reply
    110 permit udp any host 207.178.224.89 eq domain

    In fact I think that it is best to control the outbound traffic
    on the inside interface since it seems most sensible
    to block it as soon as possible and not waste
    system resources routing first and then blocking it.

    You are still left with a few possible issues, for example
    the firewall cannot be managed from outside,
    the firewall cannot do its own dns to outside
    the firewall cannot do its own ntp, logging
    whatever to outside.

    Good luck.
    , Aug 30, 2006
    #4
  5. Igor Mamuzic Guest

    Yeah, I saw such problems; fixed by raising the max-incomplete values from the defaults
    to:
    one-minute (sampling period) thresholds are [10000:27000] connections
    max-incomplete sessions thresholds are [10000:27000]

    But before this you should check how many active NAT translations you have
    while experiencing problems with web sites. I had a lot of active
    translations (about 3000), because I don't have pretty much outbound things
    (p2p, etc.) banned and maybe some worms are operating in the network and
    trying to access the Net, which raises the number of active NAT translations.

    Try the following config and let me know if it helps:
    ip inspect max-incomplete high 27000
    ip inspect max-incomplete low 10000
    ip inspect one-minute high 27000
    ip inspect one-minute low 10000


    B.R.
    Igor

    <> wrote in message
    news:...
    >
    > wrote:
    >> I did not look at your first post closely enough, Thank you for your
    >> response though, it gives me a much better understanding, I will try
    >> this fix as soon as I get to the office. Thanks again!
    >>
    >>
    >> Walter Roberson wrote:
    >> > In article <>,
    >> > <> wrote:
    >> >
    >> > >I followed the Cisco Docs about creating a firewall. I got the inspect
    >> > >rules in place and working but the access list is giving me a
    >> > >problem.
    >> >
    >> > >When there is no access list applied to my outside WAN interface, I
    >> > >can
    >> > >view web sites. When I apply this access-list I can not.
    >> > To summarize: delete line 100 of your access list.

    >
    > Hmmm.
    > Here are the inspect/ACL again
    >
    > ####### Begin quote
    > When there is no access list applied to my outside WAN interface, I can
    > view web sites. When I apply this access-list I can not.
    >
    > 10 permit tcp any host xxx.xxx.xxx.89 eq ftp
    > <snipped..>
    > 90 permit icmp any host xxx.xxx.xxx.89 echo-reply
    > 100 deny ip any any
    > 110 permit udp any host 207.178.224.89 eq domain
    >
    > ip inspect name firewall tcp
    > <snipped..>
    > ip inspect name firewall pop3
    > ####End quote
    >
    > You haven't said whether this is applied inbound or outbound.
    > From the look of it you would apply it outbound which is
    > not going to give you much of a firewall.
    >
    > For Inspect to protect you from external traffic heading inbound
    > you need.
    >
    > ip inspect name firewall udp ! added?
    > ip inspect name firewall tcp
    > <snipped..>
    > ip inspect name firewall pop3
    >
    > int external
    > ip access-group ACL.deny.all in
    > ip inspect firewall out
    >
    > ip access-list extended ACL.deny.all
    > deny ip any any
    > ! Yes that is OK deny any any is all I mean to put.
    >
    > The above will not allow any traffic in EXCEPT
    > responses to outbound traffic. This is what is
    > usually wanted and is what the inspect does.
    >
    > You then add the following to control
    > outbound sessions.
    >
    > int external
    > ip access-group ACL.permit.outbound
    >
    > ip access-list extended ACL.permit.outbound
    > 10 permit tcp any host xxx.xxx.xxx.89 eq ftp
    > <snipped..>
    > 80 permit icmp any host xxx.xxx.xxx.89 echo
    > 90 permit icmp any host xxx.xxx.xxx.89 echo-reply
    > 110 permit udp any host 207.178.224.89 eq domain
    >
    > In fact I think that it is best to control the outbound traffic
    > on the inside interface since it seems most sensible
    > to block it as soon as possible and not waste
    > system resources routing first and then blocking it.
    >
    > You are still left with a few possible issues, for example
    > the firewall cannot be managed from outside,
    > the firewall cannot do its own dns to outside
    > the firewall cannot do its own ntp, logging
    > whatever to outside.
    >
    > Good luck.
    >
    Igor Mamuzic, Aug 30, 2006
    #5
  6. James Guest

    Is xxx.xxx.xxx.89 a server that you wish to give external users access
    to?

    If so, then I find that it is better to inspect the traffic as it
    enters the Interface. Remove any "ip inspect firewall out" commands
    from your interfaces and then change them to "ip inspect firewall in"
    commands e.g:-

    interface fastethernet 0/0
    ip inspect firewall in
    ip access-group internal in

    interface serial 0/0
    ip inspect firewall in
    ip access-group external in

    Now the router will dynamically open ports in the access-list attached
    to the opposite interface.

    You don't have to have an access-list on the Internal Interface and you
    can create separate ip inspect lists for the two Interfaces if you
    wish.

    It is perfectly ok to have the deny any any rule in the access-list, in
    fact I normally add this at the end and use the log keyword. However
    in your list the deny statement is before line 110 so you should make
    sure it is the last line in the access-list.


    > > You are still left with a few possible issues, for example
    > > the firewall cannot be managed from outside,
    > > the firewall cannot do its own dns to outside
    > > the firewall cannot do its own ntp, logging
    > > whatever to outside.
    > >
    > > Good luck.
    > >


    There is now the router-traffic keyword which enables the Inspection of
    traffic generated by or bound for the router itself:-

    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name Router tcp router-traffic
    ip inspect name Router icmp router-traffic

    You can then bind both rules to your Outside Interface:-

    ip inspect DEFAULT100 in
    ip inspect Router out

    Hope this helps.

    James
    James, Aug 30, 2006
    #6
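Walter's and James's point about where the deny sits, as an added example that is not from the thread: a small first-match ACL evaluator in Python run over an abridged copy of the poster's outside ACL. It assumes 203.0.113.89 as a constructed stand-in for the masked host, and it models only the fields the posted entries use (protocol, destination host, port or ICMP type).

```python
from typing import NamedTuple, Optional

SERVER = "203.0.113.89"  # constructed stand-in for the masked host in the post
PORTS = {"ftp-data": "20", "ftp": "21", "smtp": "25", "domain": "53", "www": "80", "pop3": "110"}

class Ace(NamedTuple):
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "icmp" or "ip"
    dst: Optional[str]   # destination host, None means "any"
    port: Optional[str]  # TCP/UDP port or ICMP type, None means any

def parse_acl(text: str) -> list[Ace]:
    """Parse IOS-style 'seq action proto src dst [eq port | icmp-type]' lines."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto, i = int(tok[0]), tok[1], tok[2], 3
        i += 2 if tok[i] == "host" else 1                 # skip the source field
        dst, i = (tok[i + 1], i + 2) if tok[i] == "host" else (None, i + 1)
        port = None
        if i < len(tok):                                   # "eq www" or an ICMP type
            name = tok[i + 1] if tok[i] == "eq" else tok[i]
            port = PORTS.get(name, name)
        acl.append(Ace(seq, action, proto, dst, port))
    return sorted(acl, key=lambda a: a.seq)

def covers(b: Ace, a: Ace) -> bool:
    """True when ACE b matches every packet that ACE a matches."""
    return b.proto in ("ip", a.proto) and b.dst in (None, a.dst) and b.port in (None, a.port)

def first_match(acl, proto, dst, port=None):
    """First ACE matching the packet, in sequence order; None = implicit deny."""
    pkt = Ace(0, "", proto, dst, port)
    return next((a for a in acl if covers(a, pkt)), None)

def shadowed(acl):
    """Sequence numbers of ACEs that an earlier, broader ACE covers entirely."""
    return [a.seq for i, a in enumerate(acl) if any(covers(b, a) for b in acl[:i])]

# The poster's outside ACL, abridged, with the masked host replaced by SERVER.
ORIGINAL = f"""
40 permit tcp any host {SERVER} eq www
100 deny ip any any
110 permit udp any host {SERVER} eq domain
"""
# The same entries with the deny moved to the end, as James recommends.
REORDERED = ORIGINAL.replace("100 deny ip any any\n", "") + "120 deny ip any any\n"
```

shadowed() reports sequence 110 for the original order and nothing once the deny is last. first_match() also shows that a reply to a high port on the host, say TCP 51234, hits the deny, which is exactly the hole the inspect rules open dynamically for return traffic.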
  7. Guest

    James wrote:

    > There is now the router-traffic keyword which enables the Inspection of
    > traffic generated by or bound for the router itself:-
    >
    > ip inspect name DEFAULT100 tcp
    > ip inspect name DEFAULT100 udp
    > ip inspect name Router tcp router-traffic
    > ip inspect name Router icmp router-traffic
    >
    > You can then bind both rules to your Outside Interface:-


    inspect router-traffic
    12.3(14)T This feature was introduced.


    Thanks for that - very handy.
    Must try to keep up!
    , Aug 30, 2006
    #7
  8. Guest

    wrote:
    > James wrote:
    >
    > > There is now the router-traffic keyword which enables the Inspection of
    > > traffic generated by or bound for the router itself:-
    > >
    > > ip inspect name DEFAULT100 tcp
    > > ip inspect name DEFAULT100 udp
    > > ip inspect name Router tcp router-traffic
    > > ip inspect name Router icmp router-traffic
    > >
    > > You can then bind both rules to your Outside Interface:-

    >
    > inspect router-traffic
    > 12.3(14)T This feature was introduced.
    >
    >
    > Thanks for that - very handy.
    > Must try to keep up!


    Huh! Not on 837 yet. First thing I thought to play with.

    Following according to www.cisco.com/go/fn

    Nor on 2800, 3800.

    Is on 836, 831, 851, 857, 877

    It is in 12.4(3f) for 7200 but not in 12.4(10) for 2800?

    Is it me or are Cisco straying from the plot?

    Of course maybe fn is just broken again?
    , Aug 30, 2006
    #8
  10. James Guest

    I am using it on 1760's and 2621's. Strange that it's not on the other
    platforms?

    James



    wrote:
    > wrote:
    > > James wrote:
    > >
    > > > There is now the router-traffic keyword which enables the Inspection of
    > > > traffic generated by or bound for the router itself:-
    > > >
    > > > ip inspect name DEFAULT100 tcp
    > > > ip inspect name DEFAULT100 udp
    > > > ip inspect name Router tcp router-traffic
    > > > ip inspect name Router icmp router-traffic
    > > >
    > > > You can then bind both rules to your Outside Interface:-

    > >
    > > inspect router-traffic
    > > 12.3(14)T This feature was introduced.
    > >
    > >
    > > Thanks for that - very handy.
    > > Must try to keep up!

    >
    > Huh! Not on 837 yet. First thing I thought to play with.
    >
    > Following according to www.cisco.com/go/fn
    >
    > Nor on 2800, 3800.
    >
    > Is on 836, 831, 851, 857, 877
    >
    > It is in 12.4(3f) for 7200 but not in 12.4(10) for 2800?
    >
    > Is it me or are Cisco straying from the plot?
    >
    > Of course maybe fn is just broken again?
    James, Aug 31, 2006
    #10
