Proxy and CBAC.

Discussion in 'Cisco' started by AM, Aug 28, 2006.

  1. AM

    AM Guest

    Hi guys,

    CBAC needs all connections to be denied in order for it to manage who passes and who doesn't. But having a proxy, and
    therefore the need to stop all the PCs but the proxy, will anyway allow the PCs to go to the Internet.
    So, how to solve the problem? I thought about a route-map with the unwanted traffic forwarded to NULL.
    Has anybody tried this solution?
    Which is the order between route-maps and ACLs applied on an interface?

    TIA

    Alex.
     
    AM, Aug 28, 2006
    #1

  2. AM

    BernieM Guest

    "AM" <> wrote in message
    news:KbzIg.85217$...
    > Hi guys,
    >
    > CBAC needs that all connections are denied in order for it to manage who
    > passes and who doesn't. But having a proxy, and therefore the need to stop
    > all the PCs but the proxy, will allow anyway the PCs to go to the
    > Internet.
    > So, how to solve the problem? I thought about the route-map with the
    > unwished traffic forward to NULL.
    > Has anybody tried this solution?
    > Which is the order between route-maps and ACLs applied on an interface?
    >
    > TIA
    >
    > Alex.


    Trying to understand what you're trying to do Alex. Are you unsure how to
    configure CBAC to allow only the web proxy?

    BernieM
     
    BernieM, Aug 28, 2006
    #2

  3. AM

    Guest

    BernieM wrote:
    > "AM" <> wrote in message
    > news:KbzIg.85217$...
    > > Hi guys,
    > >
    > > CBAC needs that all connections are denied in order for it to manage who
    > > passes and who doesn't. But having a proxy, and therefore the need to stop
    > > all the PCs but the proxy, will allow anyway the PCs to go to the
    > > Internet.
    > > So, how to solve the problem? I thought about the route-map with the
    > > unwished traffic forward to NULL.
    > > Has anybody tried this solution?
    > > Which is the order between route-maps and ACLs applied on an interface?
    > >
    > > TIA
    > >
    > > Alex.

    >
    > Trying to understand what you're trying to do Alex. Are you unsure how to
    > configure CBAC to allow only the web proxy?


    Hi,

    My understanding is that you use an inbound
    access list on the inside interface to control
    what sites/protocols you want to go out.

    interface e 0
     desc inside
     ip access-group ACL.internet.outbound in

    ip access-list extended ACL.internet.outbound
     ! allow the proxy to access any http sites (tcp, not ip, when matching a port)
     permit tcp host address-of-proxy any eq 80
     ! https too
     permit tcp host address-of-proxy any eq 443
     ! you will need other things here such as management access
     ! ICMP
     ! you may want to block broadcasts

    Your proposed scheme would be OK but I think that
    this will be more efficient.
    The benefit of putting it on the inside interface
    seems to me to be that the router discards
    the traffic at the earliest opportunity.

    Here is an ACL that I used a while back
    that is pretty over the top but might give you some ideas.
    This one was also designed to protect
    the router from unnecessary traffic
    e.g. Windows broadcasts,
    since it was not really up to the job
    it was being asked to do.

    ip access-list extended E0-in
    remark ### NEW YORK NETWORKS ####
    permit ip 192.168.166.0 0.0.0.255 192.168.58.0 0.0.0.255
    remark ### CISCO831 ACCESS ####
    permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq telnet
    permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq 22
    permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq www
    permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq 443
    permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq cmd
    permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq 161
    permit icmp 192.168.166.0 0.0.0.255 any
    remark ### BLOCK RUBBISH ####
    deny ip any host 192.168.166.255
    deny ip any host 255.255.255.255
    remark ### remote management ####
    permit ip 192.168.166.0 0.0.0.255 host x.x.x.x
    remark ### ALLOW INTERNAL & POOLS & VPN ####
    permit ip any 192.168.166.0 0.0.0.255
    permit ip any 10.1.166.0 0.0.0.255
    permit ip 10.1.166.0 0.0.0.255 any
    permit udp any host y.y.y.y 500
    permit esp any host y.y.y.y
    remark ### BLOCK RUBBISH ####
    deny ip any 10.0.0.0 0.255.255.255 log
    deny ip any 127.0.0.0 0.255.255.255 log
    deny ip any 172.16.0.0 0.15.255.255 log
    deny ip any 224.0.0.0 31.255.255.255 log
    deny ip any 192.168.0.0 0.0.255.255 log
    deny ip any 192.0.2.0 0.0.0.255 log
    deny ip any 169.254.0.0 0.0.255.255 log
    deny ip any host 192.168.166.253 log
    deny ip any host z.z.z.z log
    remark ### Internet ####
    permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq domain
    permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 123
    permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq ntp
    permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 264
    permit tcp 192.168.166.0 0.0.0.255 any eq 500
    permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq 554
    permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 5800
    permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 5900
    permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq 7070
    permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq smtp
    permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq pop3
    permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq ftp
    remark ### Bloomberg ####
    permit tcp 192.168.166.0 0.0.0.255 160.43.250.0 0.0.0.255 range 8194 8294
    permit tcp 192.168.166.0 0.0.0.255 206.156.53.0 0.0.0.255 range 8194 8294
    permit tcp 192.168.166.0 0.0.0.255 208.22.57.0 0.0.0.255 range 8194 8294
    permit udp 192.168.166.0 0.0.0.255 160.43.250.0 0.0.0.255 range 48129 48192
    permit udp 192.168.166.0 0.0.0.255 206.156.53.0 0.0.0.255 range 48129 48192
    permit udp 192.168.166.0 0.0.0.255 205.216.112.0 0.0.0.255 range 48129 48192
    permit udp 192.168.166.0 0.0.0.255 208.22.56.0 0.0.0.255 range 48129 48192
    permit udp 192.168.166.0 0.0.0.255 208.22.57.0 0.0.0.255 range 48129 48192
    deny tcp any any range 0 65535 log
    deny udp any any range 0 65535 log
    deny ip any any log
     
    , Aug 28, 2006
    #3
  4. AM

    AM Guest

    wrote:
    >
    > Hi,
    >
    > My understanding is that you use an inbound
    > access list on the inside interface to control
    > what sites/protocols you want to go out.
    >
    > interface e 0
    > desc inside
    > access-group ACL.internet.outbound in
    >
    >
    > ip access-list
    >
    > ip access-list extended ACL.internet.outbound
    > ! allow the proxy to access any http sites
    > permit ip host address-of-proxy any eq 80
    > ! https too
    > permit ip host address-of-proxy any eq 443
    > ! you will need other things here such as management access
    > ! ICMP
    > ! you may want to block broadcasts


    As far as I have understood the CBAC mechanism, you need to block everything you want CBAC to process.
    In some way I want to put the proxy traffic under CBAC control.
    Your ACL excludes the HTTP/HTTPS proxy traffic from being analyzed and ironically allows all other machines on the LAN
    to pass through the interface, because the way CBAC works is to make holes in the wall when needed.
    So, for CBAC to work you need to deny what it will process.
    Blocking traffic coming from all the LAN but the proxy is not a solution, unless you apply CBAC on the WAN interface
    in the outgoing direction. Then the Ethernet ACL filters who can pass through it and CBAC analyzes just that traffic.
    But my fear is applying a too restrictive ACL on the WAN interface, because I'm afraid of cutting my management
    connections off.
    For that reason I wish to solve the problem on the inside interface.

    Thanks,
    Alex.
     
    AM, Aug 28, 2006
    #4
  5. AM

    BernieM Guest

    "AM" <> wrote in message
    news:fhCIg.85509$...
    > wrote:
    >>
    >> Hi,
    >>
    >> My understanding is that you use an inbound
    >> access list on the inside interface to control
    >> what sites/protocols you want to go out.
    >>
    >> interface e 0
    >> desc inside
    >> access-group ACL.internet.outbound in
    >>
    >>
    >> ip access-list
    >>
    >> ip access-list extended ACL.internet.outbound
    >> ! allow the proxy to access any http sites
    >> permit ip host address-of-proxy any eq 80
    >> ! https too
    >> permit ip host address-of-proxy any eq 443
    >> ! you will need other things here such as management access
    >> ! ICMP
    >> ! you may want to block broadcasts

    >
    > As far as I have understood CBAC mechanism you need to block everything
    > you want for CBAC to process it.
    > In some way I want to put the proxy traffic under the CBAC control.
    > Your ACL excludes the HTTP,HTTPS proxy traffic from being analyzed and
    > ironically allows all other machines on the LAN to pass through the
    > interface because the way CBAC works is to make holes in the wall when
    > needed.
    > So, for the CBAC to work you need to deny what it will process.
    > Blocking traffic coming from all the LAN but the proxy is not a solution.
    > Unless you apply the CBAC on the WAN interface in the outgoing direction.
    > So the ethernet ACL filters who can pass through it and the CBAC analyzes
    > just that traffic.
    > But my fear is applying a too restrictive ACL on the WAN interface
    > because I'm afraid of cutting my management connections off.
    > For that reason I wish to solve the problem on the inside interface.
    >
    > Thanks,
    > Alex.


    You don't block what you want CBAC to process. It needs to pass through the
    incoming ACL for CBAC to see it.

    Allow proxy traffic in at the inside interface and CBAC will 'inspect' it
    and see which interface it's going out and if you have an ACL there CBAC
    will dynamically create 'permit' entries for return traffic.

    The same applies for incoming traffic being initiated from the Internet, i.e.
    public hosts accessing your web site. Allow that in at the WAN's external
    ACL and CBAC will dynamically create ACL entries on the inside interface for
    return traffic.

    eg.

    inside interface
     ip access-group inside-filter in
     ip inspect <name> in

    wan interface
     ip access-group outside-filter in
     ip inspect <name> in


    ip access-list extended inside-filter
     ! proxy traffic: http and https
     permit tcp host <proxy-address> any eq www
     permit tcp host <proxy-address> any eq 443
     ! your management traffic: telnet or ssh and whatever else you use (snmp etc.)
     permit tcp <management-hosts> host <router-inside-address> eq telnet
     permit tcp <management-hosts> host <router-inside-address> eq 22
     permit udp <management-hosts> host <router-inside-address> eq snmp
     ! deny all
     deny ip any any

    ip access-list extended outside-filter
     ! public hosts to your web site: http and https
     permit tcp any host <web-server-address> eq www
     permit tcp any host <web-server-address> eq 443
     ! deny all and log
     deny ip any any log

    BernieM
     
    BernieM, Aug 28, 2006
    #5
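An added example (not config from the thread or any of its posters) of the layout BernieM describes, written as IOS config: LAN hosts are dropped at the inside ACL before inspection, only the proxy's sessions are permitted and inspected, and management access is permitted statically so it never depends on inspection state. All addresses, ACL names and interface names are assumed.

```cisco
! Constructed example, not the thread's own config. Assumed values:
! LAN 192.168.1.0/24 on FastEthernet0 (router 192.168.1.1),
! proxy 192.168.1.10, WAN on Serial0, management host <mgmt-ip>.
!
! Inspection rules: any TCP/UDP session that the inbound ACL on the
! inside interface permits is tracked, and a temporary permit for its
! return traffic is inserted at the top of WAN-IN for the session's life.
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
ip access-list extended LAN-IN
 remark --- management of the router from the LAN ---
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1
 remark --- only the proxy may reach the Internet ---
 permit tcp host 192.168.1.10 any eq www
 permit tcp host 192.168.1.10 any eq 443
 permit udp host 192.168.1.10 any eq domain
 remark --- other LAN hosts are dropped here, before inspection ---
 deny ip any any log
!
ip access-list extended WAN-IN
 remark --- return traffic for proxy sessions is added dynamically ---
 remark --- static entries only for what must reach the router ---
 permit tcp host <mgmt-ip> host <wan-ip> eq 22
 permit icmp any host <wan-ip> echo-reply
 deny ip any any log
!
interface FastEthernet0
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN-IN in
 ip inspect CBAC in
!
interface Serial0
 description outside
 ip access-group WAN-IN in
```

The `deny ip any any log` at the end of LAN-IN is what answers the original question: a PC's direct Internet attempt is logged and discarded on the inside interface, so CBAC never opens a hole for it, while the proxy's permitted sessions still get their return entries in WAN-IN.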
