access-list for inbound traffic blocks outbound traffic

[pendragon1]

I have the following config in a cisco 827 router and somehow it's not working. I'm missing something and I can't find the solution. Maybe someone can help me. What I want to acchieve is: from inside any access to the internet and from outside only specific hosts access to specific ports (10000 and 10001). As soon as I apply the below config the restriction for ports 10000 and 10001 work fine, but access to the internet from inside is also blocked. We tried using only 1 access-group (101) on dialer1, but also 1 on dialer1 (ip access-group 101 in) and 1 on ethernet0 (ip access-group 102 in) but this also doesn't work. I hope someone can give me the right config.

Thanks in advance!

Andre

Config:

------------------ show running-config ------------------


Building configuration...

Current configuration : 3027 bytes
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname aldo
!
logging rate-limit console 10 except errors
enable secret 5 <removed>
!
username aldo password 7 <removed>
username CRWS_Kannan privilege 15 password 7 <removed>
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip name-server 195.121.1.34
ip name-server 195.121.1.66
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.1 192.168.1.159
ip dhcp excluded-address 192.168.1.181 192.168.1.254
ip dhcp excluded-address 192.168.1.100
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name <removed>
lease 0 2
!
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
hold-queue 32 in
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/48
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group 101 in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <removed>
ppp chap password 7 141C1E1E0517202E74
ppp pap sent-username <removed> password 7 <removed>
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.100 5901 interface Dialer1 5901
ip nat inside source static tcp 192.168.1.100 5900 interface Dialer1 5900
ip nat inside source static tcp 192.168.1.100 5801 interface Dialer1 5801
ip nat inside source static tcp 192.168.1.100 5800 interface Dialer1 5800
ip nat inside source static tcp 192.168.1.100 14001 interface Dialer1 14001
ip nat inside source static tcp 192.168.1.100 14000 interface Dialer1 14000
ip nat inside source static tcp 192.168.1.100 10001 interface Dialer1 10001
ip nat inside source static tcp 192.168.1.100 10000 interface Dialer1 10000
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp host <removed> any eq 10000
access-list 101 permit tcp host <removed> any eq 10001
access-list 101 permit tcp host <removed> any eq 10000
access-list 101 permit tcp host <removed> any eq 10001
access-list 101 permit tcp host <removed> any eq 10000
access-list 101 permit tcp host <removed> any eq 10001
access-list 101 permit tcp host <removed> any eq 14000
access-list 101 permit tcp host <removed> any eq 14001
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit

!
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end

 

[KiscoKid]

You only need

interface Dialer1
ip access-group 101 in

to control access to your network. You can bin the other access lists.

However, there is a catch. An access list does not recognise response traffic to traffic flows that have been initiated from inside the network. Thus you have to configure them such that responses to flows generated from the inside are also permitted.

For instance, any response to a TCP traffic flow that is initiated from the inside can be allowed back in using the following access list addition:

access-list 101 permit tcp any any eq established

Another example, if you want to see the response to ping from inside, you need to add the following:

access-list 101 permit icmp any any eq echo-reply

You can mitigate this by enabling your router as an IOS firewall and turning on something called Context Based Access Control (CBAC). The following URL goes into more detail about CBAC

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

 

[pendragon1]

Unfortunately it doesn't work. As soon as I remove access-list 102 from the router internet access is denied. When I add your line

access-list 101 permit tcp any any eq established

and add the 'ip access-group 101 in' to dialer1. As soon as I add this line to dialer1 it blocks everything exept the access-list entries I created for port 10000 and 10001.

Is it possible for you to create a config list for me how it should be?

Thanks for your help!

Andre

 

[KiscoKid]

Aye I didn't make it absolutely clear I suppose but when you remove the access list you also have to remove the interface access-group that calls it. However the config I had in mind was something as follows:



interface Ethernet0
no ip access-group 102 in

access-list 101 permit tcp any any eq established
access-list 101 permit icmp any any eq echo-reply



To be honest, there could be a lot of other protocols that you need to allow access but may be affected to allow LAN users to work, e.g. DNS if it is hosted remotely. I've not put an access list entry in for UDP response traffic flows as it introduces a potential security risk in my opinion.

To allow UDP response traffic, you'd need something like:

access-list 101 permit udp any any gt 1023

But be VERY VERY careful with this command because this allows anyone on the Internet to talk to any LAN host on ports greater than 1023. Worst case scenation: A machine has been compromised and is accessible via a trojan listening on some random high UDP port. The above statement will allow anyone on the Internet to access this machine and potentially launch attacks against the rest of the internal network.

Personally I don't think router access lists cut it as a rigid, scalable Internet-edge protection mechanism. They're simply not flexible and where you try to make them flexible and accomodating, they can open a huge hole in your network.

I would personally consider deploying a dedicated firewall or, if money is tight, upgrade this 827 to a firewall IOS image and enable a feature called Context Based Access Control (CBAC)