Security Router access lists

Status
Not open for further replies.

BobW333 (MIS, GB), Jul 17, 2003
Help please.

We have a Cisco 2621 router acting as an interface between a VLAN switch and a firewall.
The requirement is that ALL traffic from the devices connected to VLANs on the switch is routed to the firewall.
This happens when the router-to-firewall Fast Ethernet port is up (Fas0/0), but when it's down, devices can talk from one VLAN to another.
I'm sure the problem is with the access-list somewhere, but I don't know where?

Can you spot what I've done wrong?

Config:


interface FastEthernet0/0
description Connection to Firewall
ip address 192.168.100.18 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
description Connection to VLAN switch
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1
description vlan 13 port 3
encapsulation dot1Q 13
ip address 192.168.101.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.2
description vlan 14 port 4
encapsulation dot1Q 14
ip address 192.168.102.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.3
description vlan 15 port 5
encapsulation dot1Q 15
ip address 192.168.103.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.4
description vlan 16 port 6
encapsulation dot1Q 16
ip address 192.168.104.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.5
description vlan 17 port 7
encapsulation dot1Q 17
ip address 192.168.105.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.6
description vlan 18 port 8
encapsulation dot1Q 18
ip address 192.168.106.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.7
description vlan 19 port 9
encapsulation dot1Q 19
ip address 192.168.107.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.8
description vlan 20 port 10
encapsulation dot1Q 20
ip address 192.168.108.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.9
description vlan 21 port 11
encapsulation dot1Q 21
ip address 192.168.109.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.10
description vlan 22 port 12
encapsulation dot1Q 22
ip address 192.168.110.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
ip classless
ip route 0.0.0.0 0.0.0.0 Null0
no ip http server
!
access-list 50 permit 0.0.0.2 255.255.255.252
access-list 101 deny ip any host 192.168.100.17
access-list 101 deny ip any host 192.168.100.18
access-list 101 deny ip any host 192.168.101.17
access-list 101 deny ip any host 192.168.102.17
access-list 101 deny ip any host 192.168.103.17
access-list 101 deny ip any host 192.168.104.17
access-list 101 deny ip any host 192.168.105.17
access-list 101 deny ip any host 192.168.106.17
access-list 101 deny ip any host 192.168.107.17
access-list 101 deny ip any host 192.168.108.17
access-list 101 deny ip any host 192.168.109.17
access-list 101 deny ip any host 192.168.110.17
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
no cdp run
route-map filter permit 10
match ip address 50
set ip next-hop 192.168.100.17
!
!
dial-peer cor custom
!
!
!
 
I don't think the problem is with your ACLs as such but with the route-map, next hop address, and default route.

When the interface is down the next hop address is on a network which the router has no route to. At this point I am not exactly sure of the behaviour of the device. However, looking at it and the way you describe the issue, a guess would be it ignores the next hop if it can't get to it and then forwards the packets based upon standard routing, i.e. they are all connected interfaces. As the ACLs are all looking at inbound traffic, traffic from network to the interface, there is no match.

Are you running NAT on the FW, and could you therefore put additional ACLs outgoing on the interfaces blocking traffic to the VLAN from any other VLAN other than the FW one?
 
When Fast0/0 is up your policy filter is active, routes all traffic to the firewall, and you have met your requirements. When Fast0/0 is down your policy filter is no longer valid and fails.

In that situation the only thing left to prevent traffic from escaping the VLAN is the access-list. What are the host ranges on your VLANs? I would assume them to be the last four ranges in access-list 101, but they may not be. I say that because if you have the VLAN subnets properly entered in access-list 101 it should prevent the escape of traffic. You say it isn't doing that, so the subnet ranges are suspect.

Haveagoodun!
Nettekkie

 
Thanks both, this is where I was going too.

There is one server per VLAN configured with an IP address of 192.168.xxx.18, a mask of 255.255.255.252 and a default gateway of 192.168.xxx.17, which is the router's sub-interface for that VLAN.

Is there a way to dump ALL traffic if the firewall connection drops?
 
Seems to me then that you should have the x.x.x.18 addresses in the access-list.

Nettekkie1010
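To make the diagnosis in the replies concrete, here is an added model (not code from the thread or from IOS) of how the posted router handles a packet arriving on a VLAN sub-interface: access-list 101 first, then route-map "filter", then the routing table. The ordering and the fallback-to-routing behaviour when Fa0/0 is down are simplifying assumptions, and the hardened list, which denies each VLAN /30 as a destination as the replies suggest, is an assumed fix rather than the poster's final config.

```python
# Added example, not from the thread: a small model of how the posted router
# handles a packet arriving on a VLAN sub-interface. Simplified IOS semantics
# (ACL first, then route-map "filter", then the routing table) are an assumption.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    a, b = (int(ipaddress.ip_address(x)) for x in (addr, base))
    return a & care == b & care

ANY = ("0.0.0.0", "255.255.255.255")
ROUTER_IPS = ["192.168.100.17", "192.168.100.18"] + [f"192.168.{n}.17" for n in range(101, 111)]

# access-list 101 exactly as posted: (action, src, src_wildcard, dst, dst_wildcard)
ACL_101 = [("deny", *ANY, ip, "0.0.0.0") for ip in ROUTER_IPS] + [
    ("deny", "127.0.0.0", "0.255.255.255", *ANY),
    ("deny", "10.0.0.0", "0.255.255.255", *ANY),
    ("deny", "169.254.0.0", "0.0.255.255", *ANY),
    ("deny", "172.16.0.0", "0.15.255.255", *ANY),
    ("permit", *ANY, *ANY),
]
# Hardened variant (assumption based on the replies): deny each VLAN /30 as a
# destination before the final permit, so VLAN-to-VLAN traffic never passes.
ACL_101_HARDENED = ACL_101[:-1] + [
    ("deny", *ANY, f"192.168.{n}.16", "0.0.0.3") for n in range(101, 111)
] + [ACL_101[-1]]

def acl_action(acl, src, dst):
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"  # implicit deny at the end of every IOS access list

def forward(src, dst, fa0_0_up, acl=ACL_101):
    """What the router does with src->dst arriving on a FastEthernet0/1.x sub-interface."""
    if acl_action(acl, src, dst) == "deny":
        return "dropped by ACL 101"
    # route-map filter: access-list 50 matches any address whose host bits are .2
    # of a /30 (the .18 servers); the next hop is only usable while Fa0/0 is up
    if fa0_0_up and wildcard_match(src, "0.0.0.2", "255.255.255.252"):
        return "policy-routed to 192.168.100.17"
    # Fallback to the routing table: every VLAN /30 is a connected route
    for n in range(101, 111):
        if wildcard_match(dst, f"192.168.{n}.16", "0.0.0.3"):
            return f"routed to FastEthernet0/1.{n - 100}"
    return "dropped (default route to Null0)"
```

Running forward("192.168.101.18", "192.168.102.18", False) against the posted list shows the packet being routed straight to the other VLAN, while the same call with ACL_101_HARDENED drops it on the inbound ACL.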
 