Cisco 857 Outbound Firewall


pam196

Technical User
Jul 1, 2002
GB
Hi All,
I've been configuring a Cisco 857 router and am having trouble in allowing/blocking traffic outbound from the router. I have successfully set up incoming port forwards and the traffic is allowed back out without problems. However, any traffic originating on the LAN interfaces is blocked...somewhere. Could someone perhaps advise on where I've gone wrong here?
Code:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-444318506
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-444318506
 revocation-check none
 rsakeypair TP-self-signed-444318506
!
!
crypto pki certificate chain TP-self-signed-444318506
 certificate self-signed 01 nvram:IOS-Self-Sig#18.cer
dot11 syslog
no ip dhcp use vrf connected
!
ip dhcp pool CLIENT
   import all
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1
   lease 0 2
!
!
ip cef
ip inspect log drop-pkt
ip inspect name XXX appfw XXX
ip inspect name XXX icmp
ip inspect name XXX dns
ip inspect name XXX esmtp
ip inspect name XXX https
ip inspect name XXX imap reset
ip inspect name XXX pop3 reset
ip inspect name XXX tcp
ip inspect name XXX udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name xxxx.public
!
appfw policy-name XXX
!
password encryption aes
!
!
username xxx privilege 15 secret 5 $1$rjJE$DCbeqZjJY0P8h7LF5aEE3/
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip mroute-cache
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password 7 1214064542591C09787A76
 ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.200.2 1812 interface Dialer0 1812
ip nat inside source static udp 192.168.200.2 1812 interface Dialer0 1812
ip nat inside source static tcp 192.168.200.2 1813 interface Dialer0 1813
ip nat inside source static udp 192.168.200.2 1813 interface Dialer0 1813
ip nat inside source static tcp 192.168.200.2 22 interface Dialer0 22
ip nat inside source static tcp 192.168.200.2 3307 interface Dialer0 3307
ip nat inside source static tcp 192.168.200.11 5900 interface Dialer0 5011
!
access-list 1 remark INSIDE_INTERFACE=Vlan1
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 23 remark MANAGEMENT-ACL
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 22
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 3307
access-list 101 permit tcp any any eq 1812
access-list 101 permit udp any any eq 1812
access-list 101 permit tcp any any eq 1813
access-list 101 permit udp any any eq 1813
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 5011
access-list 101 permit icmp host xxx.xxx.xxx.xxx any
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq telnet
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^C
ALL UNAUTHORISED ACCESS IS LOGGED
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

I was under the impression that access-list 102 would allow all traffic outbound? With the access-group 102 rule on, I cannot ping IPs or query DNS.

Cheers,
Phil
 
After a little further investigation I believe traffic is allowed outbound, but not back in, hence the ICMP and DNS failures.
 
You have configured IP Inspection but not applied it anywhere. With it configured like this, only the traffic matching ACL 101 will be allowed in (radius, ssh, vnc? & TCP 3307). Without the IP Inspection, no return traffic for sessions initiated from the inside will be allowed back in.
Add the following to the dialer interface:
Code:
ip inspect XXX out

HTH

Andy
 
Hi Andy,

Many thanks for your reply. I changed the access-lists to extended access lists with reflexive rules on them, which solved the majority of the outbound traffic issues, but still left me unable to send ICMP packets outbound (or receive them back in). This is the updated configuration:
Code:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-444318506
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-444318506
 revocation-check none
 rsakeypair TP-self-signed-444318506
!
!
crypto pki certificate chain TP-self-signed-444318506
 certificate self-signed 01 nvram:IOS-Self-Sig#18.cer
dot11 syslog
no ip dhcp use vrf connected
!
ip dhcp pool CLIENT
   import all
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1
   lease 0 2
!
!
ip cef
ip inspect log drop-pkt
ip inspect name XXX appfw ECR
ip inspect name XXX icmp
ip inspect name XXX dns
ip inspect name XXX esmtp
ip inspect name XXX https
ip inspect name XXX imap reset
ip inspect name XXX pop3 reset
ip inspect name XXX tcp
ip inspect name XXX udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name mydomain.public
!
appfw policy-name XXX
!
password encryption aes
!
!
username xxx privilege 15 secret 5 $1$rjJE$DCbeqZjJY0P8h7LF5aEE3/
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip mroute-cache
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip access-group outbound out
 ip inspect XXX out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 7 1214064542591C09787A76
 ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.200.2 1812 interface Dialer0 1812
ip nat inside source static udp 192.168.200.2 1812 interface Dialer0 1812
ip nat inside source static tcp 192.168.200.2 1813 interface Dialer0 1813
ip nat inside source static udp 192.168.200.2 1813 interface Dialer0 1813
ip nat inside source static tcp 192.168.200.2 22 interface Dialer0 22
ip nat inside source static tcp 192.168.200.2 3307 interface Dialer0 3307
ip nat inside source static tcp 192.168.200.11 5900 interface Dialer0 5011
!
ip access-list extended outbound
 permit tcp any host zzz.zzz.zzz.zzz eq www
 deny   tcp any any eq www
 permit tcp any any reflect tcpsession
 permit udp any any reflect udpsession
 permit ip any any reflect ipsession
 permit icmp any any reflect icmpsession
!
access-list 1 remark INSIDE_INTERFACE=Vlan1
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 23 remark MANAGEMENT-ACL
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 22
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 3307
access-list 101 permit tcp any any eq 1812
access-list 101 permit udp any any eq 1812
access-list 101 permit tcp any any eq 1813
access-list 101 permit udp any any eq 1813
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 5011
access-list 101 permit icmp host xxx.xxx.xxx.xxx any
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq telnet
access-list 101 permit udp any eq domain any
access-list 101 permit icmp host yyy.xxx.xxx.xxx any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^C
ALL UNAUTHORISED ACCESS IS LOGGED
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

I've added the inspection rule on the Dialer0 interface as you suggested, but as stated above, I cannot send/receive back ICMP packets (to be honest it doesn't appear to have made any difference, but that may be due to me now using reflexive rules). When I show access-lists, I can see the reflexive rules handling the traffic, but the icmp rule never hits - is this part of the problem? Other than this it is now working fine. The http outbound rules are to allow access to walled-garden sites and block direct http access to anywhere else (all non-walled-garden traffic is forced through a proxy). Externally, if I ping into the router from an IP without explicit permission to, I get "ICMP packet filtered" responses - what would I need to do to simply drop any reply so time-outs are reported back?
Cheers,
Phil
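Andy's CBAC rule and Phil's reflexive-ACL follow-up both come down to how IOS evaluates an interface ACL, so the fragment below (an editor's added example, not configuration posted by either of them) lays out one clean version of the Dialer0 firewall and, separately, the reflexive alternative. It is built around three facts that can be checked against the posted config. First, an ACL is matched top-down and the first match wins, so in the posted `outbound` list `permit ip any any reflect ipsession` catches ICMP before the `permit icmp any any reflect icmpsession` line below it is ever reached, which is why that line shows no hits. Second, a reflexive list only has an effect where an inbound named extended ACL carries an `evaluate` statement for it; numbered ACL 101 cannot hold one, so in the second config the reflected entries are built but never consulted, and it is `ip inspect XXX out` that is actually admitting the return traffic. Third, a packet dropped by an interface ACL is answered by default with an ICMP type 3 code 13 (administratively prohibited), which is the "packet filtered" seen from outside; `no ip unreachables` on the interface silences it. The example does not claim to diagnose the remaining ping failure; it removes the structural problems that make the `show access-lists` output hard to read. Placeholders `xxx.xxx.xxx.xxx` and `zzz.zzz.zzz.zzz` are the thread's own; the list names INBOUND and OUTBOUND are mine, and the inspect name XXX is kept from the thread.

```cisco
! Added example (editor's), not from the original thread. Placeholders
! xxx.xxx.xxx.xxx (remote admin host) and zzz.zzz.zzz.zzz (walled-garden
! web server) are the ones used in the thread; INBOUND/OUTBOUND are assumed names.
!
! --- Stateful inspection (CBAC) ------------------------------------------
! The inspect rule is applied OUT on the untrusted interface. CBAC then adds
! temporary entries at the top of the INBOUND ACL for the return half of each
! inspected session (tcp, udp, icmp, dns). Everything else from the Internet
! still falls through to the implicit "deny ip any any" at the end of INBOUND.
ip inspect name XXX icmp
ip inspect name XXX dns
ip inspect name XXX tcp
ip inspect name XXX udp
!
! Named extended list: a numbered list cannot carry "evaluate" (needed by the
! alternative further down), so the inbound policy is written as a named one.
ip access-list extended INBOUND
 remark -- unsolicited inbound: only the published services
 permit tcp host xxx.xxx.xxx.xxx any eq 22
 permit tcp host xxx.xxx.xxx.xxx any eq 3307
 permit tcp any any eq 1812
 permit udp any any eq 1812
 permit tcp any any eq 1813
 permit udp any any eq 1813
 permit tcp host xxx.xxx.xxx.xxx any eq 5011
 permit icmp host xxx.xxx.xxx.xxx any
 remark -- deliberately no "permit udp any eq domain any": that admits ANY
 remark    UDP packet with a source port of 53; CBAC dns inspection already
 remark    lets the replies to inside queries back in
 remark -- implicit deny ip any any
!
! Order matters: first match wins. The walled-garden permit must precede the
! generic www deny, and a catch-all "permit ip any any" must be LAST or it
! shadows every line below it (in the thread the icmp reflect line sat below
! "permit ip any any reflect ipsession" and so could never match).
ip access-list extended OUTBOUND
 permit tcp any host zzz.zzz.zzz.zzz eq www
 deny   tcp any any eq www
 permit ip any any
!
interface Dialer0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip inspect XXX out
 no ip unreachables
 ! "no ip unreachables" stops the router answering ACL-dropped packets with
 ! ICMP type 3 code 13 (administratively prohibited); an outside host then
 ! sees a timeout instead of "packet filtered".
!
! --- Alternative: reflexive ACLs instead of CBAC -------------------------
! If CBAC is not wanted, state can be kept with reflect/evaluate pairs. The
! reflect lines go on the OUTBOUND list (icmp BEFORE the catch-all ip line)
! and the INBOUND list must EVALUATE them, otherwise the reflected entries
! are built but never consulted. Use this OR the CBAC section, not both.
!ip access-list extended OUTBOUND
! permit tcp any host zzz.zzz.zzz.zzz eq www
! deny   tcp any any eq www
! permit icmp any any reflect icmpsession timeout 60
! permit tcp any any reflect tcpsession
! permit udp any any reflect udpsession
! permit ip any any reflect ipsession
!ip access-list extended INBOUND
! (static permits as above)
! evaluate icmpsession
! evaluate tcpsession
! evaluate udpsession
! evaluate ipsession
!
! Checks:
!  show ip inspect sessions          live CBAC sessions and the openings made
!  show ip access-lists OUTBOUND     per-line match counts; zero on a line that
!                                    should be firing means it is shadowed above
!  show ip access-lists icmpsession  reflected entries, if the alternative is used
```

Apply the walled-garden lines and the catch-all in that order whichever approach is chosen; with the reflexive variant, expect `show ip access-lists icmpsession` to be empty until an inside host has sent a ping, and the corresponding `evaluate` line in INBOUND to show matches only while that reflected entry is alive.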
 