Create an ACL that allows WWW traffic to enter the external interface and no other traffic unless it is return traffic generated within the inside network. The return traffic can be UDP, TCP, and IP. You cannot use the keyword "established".
F0/0 - Inside
F0/1 - Outside
Exploring the Splunk Web Interface | Major Features and Preferences Welcome
to this in-depth guide to the Splunk Web interface! In this video, we
explore...
3 months ago
3 comments:
CBAC:
R1 R2 R3
ip inspect name CBAC_ALL_return http
ip inspect name CBAC_ALL_return telnet
interface Serial0/0
ip address 23.23.23.2 255.255.255.0
ip access-group CBAC_ALLOW_WWW_DENY_ANY in
ip inspect CBAC_ALL_return out
ip access-list extended CBAC_ALLOW_WWW_DENY_ANY
permit tcp any any eq www
deny ip any any
R1#telnet 3.3.3.3
Trying 3.3.3.3 ... Open
Password required, but none set
[Connection to 3.3.3.3 closed by foreign host]
R1#telnet 3.3.3.3 80
Trying 3.3.3.3, 80 ... Open
R2#sh ip inspect sessions
Established Sessions
Session 668EFD3C (12.12.12.1:12863)=>(3.3.3.3:23) telnet SIS_OPEN
R2#sh ip inspect sessions
Established Sessions
Session 668EFD3C (12.12.12.1:54300)=>(3.3.3.3:80) http SIS_OPEN
R3#ping 12.12.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#telnet 12.12.12.1
Trying 12.12.12.1 ...
% Destination unreachable; gateway or host down
R3#telnet 12.12.12.1 80
Trying 12.12.12.1, 80 ... Open
This will not meet the requirement but feel free to add additional information clarifying.
Here is the requirement that I am referring to "The return traffic can be UDP, TCP, and IP"
This has added some great discussion on whether CBAC would meet the requirement. CBAC does not allow specifically "IP" but allows "TCP" and "UDP". The discussion centers around IP and whether or not reflexive ACL would be the better choice. For example, IP has to be allowed based on the requirement and if IP protocol 50/51 (which can not be determined)were required than CBAC does not specifically allow IP and reflexive does. (whether or not IP protocol 50/51 works is irrelevant as you met the requirement by adding IP) -- Would be nice to know.
Here is what I had as an answer
ip access-list extended INBOUND
permit tcp any any eq www
evaluate REPLY
ip access-list extended OUTBOUND
permit tcp any any reflect REPLY
permit udp any any reflect REPLY
permit ip any any reflect REPLY
!
interface FastEthernet0/1
description Outside
ip address 10.0.1.2 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
duplex auto
speed auto
no keepalive
interestingly enough Jason and I had similar solutions using reflexive ACL's which I'm pretty sure would satisfy the requirement. I also came up with a CBAC config as well but as Jason pointed out there is no "ip inspect ip" :)
Here are my solutions to the question
1) Reflexive
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any log
ip inspect name FWrule tcp
ip inspect name FWrule udp
ip inspect name FWRule tcp router-traffic
ip inspect name FWRule udp router-traffic
int fa0/1
ip inspect FWrule out
ip access-group 101 in
2) CBAC
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any
deny ip any any log
ip inspect name FWrule tcp
ip inspect name FWrule udp
ip inspect name FWRule tcp router-traffic
ip inspect name FWRule udp router-traffic
int fa0/1
ip inspect FWrule out
ip access-group 101 in
Post a Comment