I'm confused (Cisco)

CliffyG · 7 Oct 2009 at 17:37

I have a Cisco 857w which works fine unless i apply an access list. The access list is incoming only yet when i apply it it stops all sorts of things from working. Ventrillo can't communicate with the server, Heroes of Newerth cant see the server list, pings don't work. I have a syslog running and see nothing at all when these things dont work. Vent and HoN both list the problems as outoing. Everything on the access list works fine though.

Here's how i apply the access list:

interface Dialer0
ip access-group WAN-IN in

And this is the access list:

ip access-list extended WAN-IN
remark VPN from office
permit udp host 217.33.###.### eq 4500 host 77.107.###.###
permit udp host 217.33.###.### eq 500 host 77.107.###.###
permit udp host 217.33.###.### eq 259 host 77.107.###.###
permit udp host 81.145.###.### eq 4500 host 77.107.###.###
permit udp host 81.145.###.### eq 500 host 77.107.###.###
remark VNC
permit tcp host 217.33.###.### host 77.107.###.### eq 55896
permit udp host 217.33.###.### host 77.107.###.### eq 55896
remark Torrent uses TCP and UDP
permit tcp any host 77.107.###.### eq 55897
permit udp any host 77.107.###.### eq 55897
remark Established
permit tcp any host 77.107.###.### established
remark DNS
permit udp host 194.72.0.98 eq domain host 77.107.###.###
permit udp host 194.74.65.68 eq domain host 77.107.###.###
remark NTP
permit udp any host 77.107.###.### eq ntp
remark Log Other
deny ip any any log

I've set it to debug all yet still see nothing in it when things aren't working. Is there something wrong with the list, how i've applied it or even something i need to set which makes the syslog send more?

Any suggestions?

Syngress · 7 Oct 2009 at 19:05

The ACL will block ALL incoming traffic other than those you have explicitly allowed, all other traffic is going to be blocked, so seeing as you haven't allowed return traffic from Ventrillo it will be blocked.

If you configure IP Inspect as well as an ACL then this will allow traffic back in for sessions that you have started.....

CliffyG · 7 Oct 2009 at 19:28

Thats what this does:

remark Established
permit tcp any host 77.107.###.### established

Plus my syslogs aren't showing anything being blocked incoming.

CliffyG · 9 Oct 2009 at 17:19

Hopeful bump

Syngress · 9 Oct 2009 at 18:50

CliffyG said:
Thats what this does:

remark Established
permit tcp any host 77.107.###.### established

Plus my syslogs aren't showing anything being blocked incoming.

Opps my bad, missed that line

I assume you have checked that the problem is being caused by the ACL - Granted it deffo does sound like it is, but try removing the ACL just to make 100% (Guessing you already will have tried that as well though)

CliffyG · 9 Oct 2009 at 18:55

Yeah i removed the ACL and everthing starts working again. I just don't understand it as everything being blocked by it gets logged. Yet these outbound issues don't get logged at all.

Tui · 10 Oct 2009 at 00:35

Syngress is right, return traffic is being blocked.

permit tcp ... established applies only to TCP and won't handle return traffic for your other outgoing connections. You need to have entries to explicitly allow UDP, for example, similar to that listed for DNS and NTP.

The best solution is to use CBAC, as suggested, with IP inspect rules for outgoing traffic and this will dynamically change the incoming ACL to allow return traffic for at least TCP and UDP. Later versions of IOS also support ICMP.

CliffyG · 10 Oct 2009 at 00:51

Thanks, but I have no idea how to set any of that up!

Tui · 10 Oct 2009 at 09:11

Read all about it here:
http://www.cisco.com/en/US/docs/ios...tainer_external_docbase_0900e4b1807afcc8.html

In addition to your access-list allowing explicit inbound traffic traffic, you add inspect entries for outgoing traffic.

For example:

ip inspect name WAN-OUT ftp
ip inspect name WAN-OUT icmp router-traffic
ip inspect name WAN-OUT tcp router-traffic
ip inspect name WAN-OUT udp router-traffic
ip inspect name WAN-OUT ntp
ip inspect name WAN-OUT dns
ip inspect name WAN-OUT isakmp
ip inspect name WAN-OUT ipsec-msft
ip inspect name WAN-OUT sip

interface Dialer0
ip inspect WAN-OUT out

Depending on your IOS version, you may not be able to do ICMP, or have the router-traffic option, in which case you'll need to configure the access-list to suit.

CliffyG · 10 Oct 2009 at 09:59

Cheers i shall have a read, how do i know what my IOS supports? I presume the dns, vpn and ntp entries you listed would negate the need of it on the incoming access list?

EDIT

Have done added what you linked earlier (minus sip) and it appears to be working ok now, thanks a lot

. Just to clarify though: I presume the dns, vpn and ntp entries you listed would negate the need of it on the incoming access list?

Rich · 10 Oct 2009 at 12:48

Not if you need inbound access. IP Inspect/CBAC inspects your outbound connections and dynamically allows the return traffic. If somebody is connecting in to your router then the ACL will be needed.

If you just need VPN client access out then you should not need the ACL entry.

Personally I set up inspect for TCP, UDP and ICMP and do not bother setting up individual inspection for apps/protocols.

CliffyG · 10 Oct 2009 at 14:10

Excellent, thanks again

.

CliffyG · 10 Oct 2009 at 15:00

1 more question, how come i wasnt seeing anything get blocked in the syslog?

Rich · 10 Oct 2009 at 19:31

Difficult to say without seeing the rest of the config. Would need to know what the logging setup is like.

Tui · 10 Oct 2009 at 19:45

For the lack of syslog messages, enter;
show logging

and look at Trap logging. The level should be at least 6 (informational or debugging) and should have the correct host IP address/port used and link status as up.