problems with inspect CBAC

Discussion in 'Cisco' started by Jog Dial, Oct 14, 2004.

  1. Jog Dial

    Jog Dial Guest

    Hi, I've nearly got my firewall and router basically working... I
    have a Cisco 2621 with 3 ethernet and 1 serial interfaces. I am
    currently using serial 0 for the internet connection, fastethernet 0/0
    for DMZ and fastethernet 0/1 for the internal LAN which is NATed to
    private. The DMZ has a /28 of public addresses available. I have just
    set up test systems with one system on the LAN and a web server in the
    DMZ. So far I have enabled all the functionality I need other than
    Internet access to the web server in the DMZ. I have posted the
    running-config below. I currently have to add an entry into my
    DMZ_ACL which allows all traffic from my webserver back out. I would
    rather use a CBAC rule to do this.. I would think that the DMZ_CBAC
    inspect would do this for me but it doesn't and I can't seem to debug
    this yet either... I know the packets are getting in as I can see them
    on my sniffer, but they aren't getting back out until I put the permit
    in as remarked in the config. I have also tried the DMZ_CBAC with an
    http inspect but that makes no difference and as far as I have read I
    think that the TCP CBAC should handle it... in any case, both, or
    either do not work... can anyone point out major flaws in this? I've
    taken IP numbers out as this isn't really secure yet and I don't want
    to broadcast it .. but like all other connectivity is working ok...

    thanks in advance for any advice.

    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    no service dhcp
    !
    hostname cw
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 10 log
    security passwords min-length 6
    logging buffered 4096 debugging
    logging console critical
    enable secret 5 secret
    enable password 7 password
    !
    username user secret 5 secret
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login line none
    aaa authentication login vty local
    aaa authentication login exec enable
    aaa authentication login local_auth local
    aaa authorization exec default local
    aaa authorization commands 1 default local
    aaa accounting update newinfo
    aaa session-id common
    ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip cef
    !
    !
    ip inspect udp idle-time 20
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 120
    ip inspect tcp synwait-time 15
    ip inspect name autosec_inspect cuseeme timeout 3600
    ip inspect name autosec_inspect ftp timeout 3600
    ip inspect name autosec_inspect http timeout 3600
    ip inspect name autosec_inspect rcmd timeout 3600
    ip inspect name autosec_inspect realaudio timeout 3600
    ip inspect name autosec_inspect smtp timeout 3600
    ip inspect name autosec_inspect tftp timeout 30
    ip inspect name autosec_inspect udp timeout 15
    ip inspect name autosec_inspect tcp timeout 3600
    ip inspect name internal_CBAC smtp audit-trail on
    ip inspect name internal_CBAC ftp
    ip inspect name internal_CBAC realaudio
    ip inspect name internal_CBAC tcp
    ip inspect name internal_CBAC udp
    ip inspect name internal_CBAC icmp
    ip inspect name DMZ_CBAC smtp audit-trail on
    ip inspect name DMZ_CBAC tcp
    ip inspect name DMZ_CBAC udp
    ip inspect name DMZ_CBAC icmp
    ip inspect name external_CBAC smtp audit-trail on
    ip inspect name external_CBAC ftp
    ip inspect name external_CBAC http
    ip inspect name external_CBAC realaudio
    ip inspect name external_CBAC tcp
    ip inspect name external_CBAC udp
    ip inspect name external_CBAC icmp
    !
    !
    ip ips po max-events 100
    no ip bootp server
    no ip domain lookup
    ip domain name emtex.com
    ip ssh time-out 60
    ip ssh authentication-retries 2
    login block-for 600 attempts 3 within 400
    no ftp-server write-enable
    !
    !
    !
    archive
    log config
    logging enable
    !
    !
    controller E1 0/0
    channel-group 0 timeslots 1-31 speed 64
    !
    !
    !
    !
    interface FastEthernet0/0
    description DMZ
    ip address xxx.xxx.xxx.xxx 255.255.255.240
    ip access-group DMZ_ACL in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DMZ_CBAC in
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    interface Serial0/0:0
    description Internet
    ip address xxx.xxx.xxx.xxx 255.255.255.252
    ip access-group external_ACL in
    ip verify unicast source reachable-via rx allow-default 100
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    !
    interface FastEthernet0/1
    description Internal Network
    ip address 10.50.254.254 255.255.0.0
    ip access-group internal_ACL in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect internal_CBAC in
    ip nat inside
    ip virtual-reassembly
    speed auto
    half-duplex
    no cdp enable
    no mop enabled
    !
    interface Ethernet1/0
    no ip address
    ip access-group autosec_complete_bogon in
    ip verify unicast source reachable-via rx allow-default 100
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect autosec_inspect out
    shutdown
    half-duplex
    no cdp enable
    no mop enabled
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0:0
    ip route xxx.xxx.xxx.xxx 255.255.255.240 FastEthernet0/0
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Serial0/0:0 overload
    !
    ip access-list extended DMZ_ACL
    permit tcp host xxx.xxx.xxx.xxx any eq smtp
    permit tcp host xxx.xxx.xxx.xxx any eq domain
    permit icmp host xxx.xxx.xxx.xxx any
    permit tcp host xxx.xxx.xxx.xxx any eq www
    remark have to put this in currently or won't let http proto from server back out
    permit tcp host xxx.xxx.xxx.xxx any
    ip access-list extended autosec_complete_bogon
    deny ip 1.0.0.0 0.255.255.255 any
    deny ip 2.0.0.0 0.255.255.255 any
    deny ip 5.0.0.0 0.255.255.255 any
    deny ip 7.0.0.0 0.255.255.255 any
    deny ip 23.0.0.0 0.255.255.255 any
    deny ip 27.0.0.0 0.255.255.255 any
    deny ip 31.0.0.0 0.255.255.255 any
    deny ip 36.0.0.0 0.255.255.255 any
    deny ip 37.0.0.0 0.255.255.255 any
    deny ip 39.0.0.0 0.255.255.255 any
    deny ip 41.0.0.0 0.255.255.255 any
    deny ip 42.0.0.0 0.255.255.255 any
    deny ip 49.0.0.0 0.255.255.255 any
    deny ip 50.0.0.0 0.255.255.255 any
    deny ip 58.0.0.0 0.255.255.255 any
    deny ip 59.0.0.0 0.255.255.255 any
    deny ip 60.0.0.0 0.255.255.255 any
    deny ip 70.0.0.0 0.255.255.255 any
    deny ip 71.0.0.0 0.255.255.255 any
    deny ip 72.0.0.0 0.255.255.255 any
    deny ip 73.0.0.0 0.255.255.255 any
    deny ip 74.0.0.0 0.255.255.255 any
    deny ip 75.0.0.0 0.255.255.255 any
    deny ip 76.0.0.0 0.255.255.255 any
    deny ip 77.0.0.0 0.255.255.255 any
    deny ip 78.0.0.0 0.255.255.255 any
    deny ip 79.0.0.0 0.255.255.255 any
    deny ip 83.0.0.0 0.255.255.255 any
    deny ip 84.0.0.0 0.255.255.255 any
    deny ip 85.0.0.0 0.255.255.255 any
    deny ip 86.0.0.0 0.255.255.255 any
    deny ip 87.0.0.0 0.255.255.255 any
    deny ip 88.0.0.0 0.255.255.255 any
    deny ip 89.0.0.0 0.255.255.255 any
    deny ip 90.0.0.0 0.255.255.255 any
    deny ip 91.0.0.0 0.255.255.255 any
    deny ip 92.0.0.0 0.255.255.255 any
    deny ip 93.0.0.0 0.255.255.255 any
    deny ip 94.0.0.0 0.255.255.255 any
    deny ip 95.0.0.0 0.255.255.255 any
    deny ip 96.0.0.0 0.255.255.255 any
    deny ip 97.0.0.0 0.255.255.255 any
    deny ip 98.0.0.0 0.255.255.255 any
    deny ip 99.0.0.0 0.255.255.255 any
    deny ip 100.0.0.0 0.255.255.255 any
    deny ip 101.0.0.0 0.255.255.255 any
    deny ip 102.0.0.0 0.255.255.255 any
    deny ip 103.0.0.0 0.255.255.255 any
    deny ip 104.0.0.0 0.255.255.255 any
    deny ip 105.0.0.0 0.255.255.255 any
    deny ip 106.0.0.0 0.255.255.255 any
    deny ip 107.0.0.0 0.255.255.255 any
    deny ip 108.0.0.0 0.255.255.255 any
    deny ip 109.0.0.0 0.255.255.255 any
    deny ip 110.0.0.0 0.255.255.255 any
    deny ip 111.0.0.0 0.255.255.255 any
    deny ip 112.0.0.0 0.255.255.255 any
    deny ip 113.0.0.0 0.255.255.255 any
    deny ip 114.0.0.0 0.255.255.255 any
    deny ip 115.0.0.0 0.255.255.255 any
    deny ip 116.0.0.0 0.255.255.255 any
    deny ip 117.0.0.0 0.255.255.255 any
    deny ip 118.0.0.0 0.255.255.255 any
    deny ip 119.0.0.0 0.255.255.255 any
    deny ip 120.0.0.0 0.255.255.255 any
    deny ip 121.0.0.0 0.255.255.255 any
    deny ip 122.0.0.0 0.255.255.255 any
    deny ip 123.0.0.0 0.255.255.255 any
    deny ip 124.0.0.0 0.255.255.255 any
    deny ip 125.0.0.0 0.255.255.255 any
    deny ip 126.0.0.0 0.255.255.255 any
    deny ip 197.0.0.0 0.255.255.255 any
    deny ip 201.0.0.0 0.255.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 240.0.0.0 15.255.255.255 any
    deny ip 0.0.0.0 0.255.255.255 any
    deny ip 169.254.0.0 0.0.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    permit ip any any
    remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
    ip access-list extended autosec_firewall_acl
    permit udp any any eq bootpc
    deny ip any any
    ip access-list extended autosec_iana_reserved_block
    deny ip 1.0.0.0 0.255.255.255 any
    deny ip 2.0.0.0 0.255.255.255 any
    deny ip 5.0.0.0 0.255.255.255 any
    deny ip 7.0.0.0 0.255.255.255 any
    deny ip 23.0.0.0 0.255.255.255 any
    deny ip 27.0.0.0 0.255.255.255 any
    deny ip 31.0.0.0 0.255.255.255 any
    deny ip 36.0.0.0 0.255.255.255 any
    deny ip 37.0.0.0 0.255.255.255 any
    deny ip 39.0.0.0 0.255.255.255 any
    deny ip 41.0.0.0 0.255.255.255 any
    deny ip 42.0.0.0 0.255.255.255 any
    deny ip 49.0.0.0 0.255.255.255 any
    deny ip 50.0.0.0 0.255.255.255 any
    deny ip 58.0.0.0 0.255.255.255 any
    deny ip 59.0.0.0 0.255.255.255 any
    deny ip 60.0.0.0 0.255.255.255 any
    deny ip 70.0.0.0 0.255.255.255 any
    deny ip 71.0.0.0 0.255.255.255 any
    deny ip 72.0.0.0 0.255.255.255 any
    deny ip 73.0.0.0 0.255.255.255 any
    deny ip 74.0.0.0 0.255.255.255 any
    deny ip 75.0.0.0 0.255.255.255 any
    deny ip 76.0.0.0 0.255.255.255 any
    deny ip 77.0.0.0 0.255.255.255 any
    deny ip 78.0.0.0 0.255.255.255 any
    deny ip 79.0.0.0 0.255.255.255 any
    deny ip 83.0.0.0 0.255.255.255 any
    deny ip 84.0.0.0 0.255.255.255 any
    deny ip 85.0.0.0 0.255.255.255 any
    deny ip 86.0.0.0 0.255.255.255 any
    deny ip 87.0.0.0 0.255.255.255 any
    deny ip 88.0.0.0 0.255.255.255 any
    deny ip 89.0.0.0 0.255.255.255 any
    deny ip 90.0.0.0 0.255.255.255 any
    deny ip 91.0.0.0 0.255.255.255 any
    deny ip 92.0.0.0 0.255.255.255 any
    deny ip 93.0.0.0 0.255.255.255 any
    deny ip 94.0.0.0 0.255.255.255 any
    deny ip 95.0.0.0 0.255.255.255 any
    deny ip 96.0.0.0 0.255.255.255 any
    deny ip 97.0.0.0 0.255.255.255 any
    deny ip 98.0.0.0 0.255.255.255 any
    deny ip 99.0.0.0 0.255.255.255 any
    deny ip 100.0.0.0 0.255.255.255 any
    deny ip 101.0.0.0 0.255.255.255 any
    deny ip 102.0.0.0 0.255.255.255 any
    deny ip 103.0.0.0 0.255.255.255 any
    deny ip 104.0.0.0 0.255.255.255 any
    deny ip 105.0.0.0 0.255.255.255 any
    deny ip 106.0.0.0 0.255.255.255 any
    deny ip 107.0.0.0 0.255.255.255 any
    deny ip 108.0.0.0 0.255.255.255 any
    deny ip 109.0.0.0 0.255.255.255 any
    deny ip 110.0.0.0 0.255.255.255 any
    deny ip 111.0.0.0 0.255.255.255 any
    deny ip 112.0.0.0 0.255.255.255 any
    deny ip 113.0.0.0 0.255.255.255 any
    deny ip 114.0.0.0 0.255.255.255 any
    deny ip 115.0.0.0 0.255.255.255 any
    deny ip 116.0.0.0 0.255.255.255 any
    deny ip 117.0.0.0 0.255.255.255 any
    deny ip 118.0.0.0 0.255.255.255 any
    deny ip 119.0.0.0 0.255.255.255 any
    deny ip 120.0.0.0 0.255.255.255 any
    deny ip 121.0.0.0 0.255.255.255 any
    deny ip 122.0.0.0 0.255.255.255 any
    deny ip 123.0.0.0 0.255.255.255 any
    deny ip 124.0.0.0 0.255.255.255 any
    deny ip 125.0.0.0 0.255.255.255 any
    deny ip 126.0.0.0 0.255.255.255 any
    deny ip 197.0.0.0 0.255.255.255 any
    deny ip 201.0.0.0 0.255.255.255 any
    permit ip any any
    remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
    ip access-list extended autosec_private_block
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    permit ip any any
    ip access-list extended external_ACL
    permit tcp any host xxx.xxx.xxx.xxx eq 22
    permit icmp any host xxx.xxx.xxx.xxx
    permit tcp any host xxx.xxx.xxx.xxx eq www
    permit icmp any host xxx.xxx.xxx.xxx
    remark this is an empty access-list therefore there is no implied deny at the end. Block file sharing here
    ip access-list extended internal_ACL
    !
    logging trap debugging
    logging facility local2
    access-list 1 permit 10.50.100.50
    access-list 1 permit 10.50.0.0 0.0.255.255
    access-list 100 permit udp any any eq bootpc
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    control-plane
    !
    !
    banner motd This system is the property of my company.
    UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
    You must have explicit permission to access this
    device. All activities performed on this device
    are logged and violations of this policy result in
    disciplinary, civil and criminal action.
    
    !
    line con 0
    exec-timeout 5 0
    login authentication local_auth
    transport output telnet
    line aux 0
    login authentication local_auth
    transport output telnet
    line vty 0 4
    access-class 1 in
    login authentication local_auth
    transport input ssh
    !
    !
    end
     
    Jog Dial, Oct 14, 2004
    #1

  2. JLoaf

    JLoaf Guest

    Jog Dial wrote:

    The DMZ_CBAC only inspects packets leaving the DMZ and puts entries for
    the returning packets on the serial interface. What you need is to put
    the external_CBAC on the s0/0 interface OR the f0/0 DMZ interface:

    interface FastEthernet0/0
    ip inspect external_CBAC out

    OR

    interface Serial0/0:0
    ip inspect external_CBAC in

    I think that should help.


    Jacek
     
    JLoaf, Oct 15, 2004
    #2
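    The direction point JLoaf makes above, worked through as an added example (this is not code from the thread, the posted config, or Cisco): a toy Python model of how a CBAC inspection rule's interface and direction decide which sessions get state, and therefore which return packets get past the inbound ACL. The simplified semantics are an assumption of the model: an inspection rule only examines packets crossing its interface in the configured direction, a packet whose reversed 5-tuple matches an inspected session bypasses the ACLs, and ACLs are first-match with an implicit deny. The addresses are constructed placeholders from the RFC 5737 documentation ranges, standing in for the xxx'd values in the post. It reproduces the original symptom (inspect `in` on FastEthernet0/0 never sees the Internet-to-DMZ HTTP SYN, so the server's SYN-ACK is dropped by DMZ_ACL unless the broad `permit tcp host <web> any` is present) and shows that either of the two fixes opens the session instead.

```python
# Added example, not code from the thread or from Cisco. Assumed CBAC model:
# inspection examines packets crossing its interface in the configured
# direction; return packets of an inspected session bypass the ACLs; ACLs
# are first-match with an implicit deny. Addresses are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Packet":
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    src: str                     # host address or "any"
    dst: str
    dport: Optional[int] = None  # `eq <port>` on the destination, if any

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


def acl_permits(entries: List[AclEntry], p: Packet) -> bool:
    for e in entries:            # first match wins
        if e.matches(p):
            return e.action == "permit"
    return False                 # implicit deny at the end, as in IOS


@dataclass
class Interface:
    name: str
    acl_in: List[AclEntry] = field(default_factory=list)
    inspect_in: Set[str] = field(default_factory=set)   # protocols inspected inbound
    inspect_out: Set[str] = field(default_factory=set)  # protocols inspected outbound


class Router:
    def __init__(self, ifaces: List[Interface], route: dict):
        self.ifaces = {i.name: i for i in ifaces}
        self.route = route                    # address -> interface name
        self.sessions: Set[Packet] = set()    # CBAC state: initiating 5-tuples
        self.log: List[str] = []

    def forward(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        ingress = self.ifaces[self.route[p.src]]
        egress = self.ifaces[self.route[p.dst]]
        if p.reverse() in self.sessions:
            self.log.append(f"{ingress.name} in: {p} matches CBAC session, permitted")
            return True
        if not acl_permits(ingress.acl_in, p):
            self.log.append(f"{ingress.name} in: {p} denied by inbound ACL")
            return False
        # Inspection fires only for packets crossing an interface in the
        # configured direction: inbound on the ingress or outbound on the egress.
        if p.proto in ingress.inspect_in or p.proto in egress.inspect_out:
            self.sessions.add(p)
            self.log.append(f"CBAC session opened for {p}")
        return True


WEB = "203.0.113.10"     # constructed DMZ web server address
CLIENT = "198.51.100.7"  # constructed Internet client address

# DMZ_ACL as posted, minus the broad `permit tcp host <web> any` workaround.
DMZ_ACL = [
    AclEntry("permit", "tcp", WEB, "any", 25),
    AclEntry("permit", "tcp", WEB, "any", 53),
    AclEntry("permit", "icmp", WEB, "any"),
    AclEntry("permit", "tcp", WEB, "any", 80),
]
EXTERNAL_ACL = [AclEntry("permit", "tcp", "any", WEB, 80)]


def http_session_works(inspect_points: List[Tuple[str, str]],
                       workaround: bool = False) -> Tuple[bool, List[str]]:
    """Send an Internet client's HTTP SYN to the DMZ server and the server's
    SYN-ACK back, with TCP inspection at the given (interface, direction)
    points. Returns (both packets forwarded, log lines)."""
    dmz_acl = DMZ_ACL + ([AclEntry("permit", "tcp", WEB, "any")] if workaround else [])
    f00 = Interface("FastEthernet0/0", dmz_acl)
    s00 = Interface("Serial0/0:0", EXTERNAL_ACL)
    r = Router([f00, s00], {WEB: f00.name, CLIENT: s00.name})
    for name, direction in inspect_points:
        getattr(r.ifaces[name], f"inspect_{direction}").add("tcp")
    syn = Packet(CLIENT, WEB, "tcp", 40000, 80)
    ok = r.forward(syn) and r.forward(syn.reverse())
    return ok, r.log


if __name__ == "__main__":
    scenarios = [
        ([("FastEthernet0/0", "in")], False),   # the posted config
        ([("FastEthernet0/0", "in")], True),    # posted config plus broad permit
        ([("FastEthernet0/0", "out")], False),  # fix, applied on the DMZ side
        ([("Serial0/0:0", "in")], False),       # fix, applied on the Internet side
    ]
    for points, wa in scenarios:
        ok, log = http_session_works(points, wa)
        print(points, "+workaround" if wa else "", "->", "OK" if ok else "DROPPED")
        for line in log:
            print("   ", line)
```

    The log for the first scenario shows why the posted `permit tcp host <web> any eq www` line never helps: the SYN-ACK leaving the server has source port 80 and the client's ephemeral port as destination, so an `eq www` match on the destination port cannot hit it. The broad permit makes the session work but also lets the DMZ host open any TCP connection outward, which is exactly what the stateful rule is supposed to avoid.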

  3. Jog Dial

    Jog Dial Guest



    It certainly did! I was starting to think along those lines; adding
    DMZ_CBAC actually in the out direction does exactly what I wanted it
    to do... I was following an example in the Cisco Press book Cisco
    Router Firewall Security by Richard Deal, which has been excellent
    aside from this error, which I have emailed Cisco Press about. Thanks
    again for your help.
     
    Jog Dial, Oct 15, 2004
    #3