Cisco IOS Firewall + ISA 2006 = Headache
OK So here is what I'm trying to setup
We recently had a router failure, so I was able to install a Cisco 877 in place of the crappy thing given to us by our service provider.
Here's the setup
CORPORATE NETWORK ---> ISA 2006 ---> Cisco 877 Router
...................................................... Wireless Access Points
.....................................................GUEST WIRELESS NETWORK
So I hope this crude representation is ok.
Basically, I want to configure a basic IOS Firewall on the Cisco 877 which allows only HTTP traffic through for people on the Corporate network
And then protect everything in the GUEST network from the internet.
Between the ISA box and Cisco 877, everything is 192.168.1.x
So ISA sits on 192.168.1.101
GUEST Wireless is DHCP'ed from the Cisco 877 for 192.168.1.201 -> 192.168.1.249
So all Guest clients can get straight to the internet, and then the ISA box protects the internal network. I suppose it is like a DMZ, but I don't want access from outside to anything inside.
The problem I've got is configuring the firewall on the Cisco 877 so it still allows ISA to work.
The way our ISP works is that we have a static pool of IP addresses on the internet, so to get that working I have basically done a NAT translation for our ISA box to one of the IPs outside (so straight translation, and the firewall is looking after the corp network)
But no matter how I seem to configure the Cisco 877, I end up denying access to the internet for anything on the ISA server.
Any ideas?
Comments
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
ACL issue maybe? Is it possible to post your configs/ACLs for the Cisco box? -
mikem2te Member Posts: 407
Is your ISA configured to route or NAT? That would make a difference to your ACLs. Also, what type of firewall are you trying to configure, ACLs, CBAC etc?
I find creating explicit deny statements at the bottom of ACLs, rather than relying on the implicit deny, useful: the number of matches then shows up when you do a 'show ip access-lists', which helps identify where the packets are getting blocked if you have multiple ACLs configured, e.g. both inbound and outbound.
EDIT : If you need any consultancy I'm cheap
Blog : http://www.caerffili.co.uk/
Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
Currently : EIGRP & OSPF
Next : CCNP Route -
mikem2te Member Posts: 407
notgoing2fail wrote: » Sorry for this dumb question, but what is an ISA 2006?
Internet Security and Acceleration Server: Home page
-
gorebrush Member Posts: 2,743
/tips hat to fellow Welsh man.
To answer your questions
1. ISA Route or NAT - It is performing NAT from Local Networks out to Remote Network
I think this is where the problem occurs, I have no problem with dual NAT myself, but I think this is where my configuration is getting unstuck
Would I be better off getting ISA to route?
2. ACL or CBAC
I was hoping to configure just CBAC - i.e. open the protocols outwards such as HTTP/HTTPS/FTP etc only - the documentation in the exam guides then say to apply a tough ACL the other way.
Am I missing something - sure hope not as my exam is Monday, and I will be looking somewhat foolish -
Bl8ckr0uter Inactive Imported Users Posts: 5,031
I think Zone based might be better for this particular setup. CBAC was kind of difficult to set up well (at least for me).
You could run the SDM on this thing and set up zone based firewalls in 30 minutes. -
mikem2te Member Posts: 407
I think you need to explicitly define an inward ACL to allow CBAC to allow return traffic.
I'm going to have a play, I have a 2801 running with a CBAC firewall here at home running my internet connection. Also I just remembered I have ISA 2006 configured up on a Hyper-V VM, I'll fire it up!!
-
mikem2te Member Posts: 407
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
I think you need to explicitly define an inward ACL to allow CBAC to allow return traffic.
This is correct. -
mikem2te Member Posts: 407
Snippets from the router's config:
ip inspect name firewall icmp
ip inspect name firewall dns
ip inspect name firewall http
ip inspect name firewall https
ip inspect name firewall smtp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
ip inspect name firewall sip
!
interface FastEthernet0/1
 description OUTSIDE$ETH-WAN$$FW_OUTSIDE$
 ip address X.X.X.X 255.255.255.248
 ip access-group 101 in
 ip access-group 102 out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 duplex auto
 speed auto
 snmp trap ip verify drop-rate
 no cdp enable
 no mop enabled
!
interface Vlan1
 description $FW_INSIDE$
 ip address X.X.X.X 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
access-list 100 remark Internal outbound traffic
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
access-list 100 permit udp any any eq bootps
access-list 100 deny ip any any log
access-list 101 permit icmp any host X.X.X.X echo-reply
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip any any
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
-
gorebrush Member Posts: 2,743
I think you need to explicitly define an inward ACL to allow CBAC to allow return traffic.
I did this...
Under my interface Dialer1 I had: -
ip access-group OUTSIDE_IN in
and then this was configured as below: -
ip access-list extended OUTSIDE_IN
permit ip any host <external static IP address>
I even tried
permit ip any host <IP> established
and that didn't work
and then under interface VLAN1
ip inspect FW in
this was setup as below: -
ip inspect FW http
ip inspect FW https
etc
I'll paste the configuration up tomorrow, but thanks for your help so far peoples... I think I must be missing something bloody obvious.
HOWEVER - is the configuration of CBAC basically a ip inspect <name> <protocol> and a relevant ACL ?? -
mikem2te Member Posts: 407
Must be something obvious in there somewhere. HOWEVER - is the configuration of CBAC basically a ip inspect <name> <protocol> and a relevant ACL ??
Yeah, create the ip inspect statements, apply it to an interface using the command 'ip inspect <name> <in or out>' then create the inbound acl.
Post or PM me the config, I have an 877 and ISA in my lab, I'll test it.
-
gorebrush Member Posts: 2,743
As promised: -
Note - the 217.40.xx.xx address is one of a pool of 6 that I've got. So far I have a direct NAT translation mapping 192.168.1.101 to one of these external IPs (as shown below) and so far this works fine; once I enable an ACL though, it all goes to pot.
!
! Last configuration change at 15:18:10 BST Wed Apr 7 2010 by david
! NVRAM config last updated at 13:26:54 BST Wed Apr 7 2010 by david
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROC-MA-INTERNET
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
clock summer-time BST recurring
!
crypto pki trustpoint TP-self-signed-560339304
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-560339304
 revocation-check none
 rsakeypair TP-self-signed-560339304
!
<snip>
dot11 syslog
ip source-route
!
ip dhcp excluded-address 192.168.1.64 192.168.1.255
!
ip dhcp pool GUEST
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 192.168.1.254
 lease 0 8
!
ip cef
ip domain name rocialle.local
ip name-server 194.72.0.114
ip name-server 62.6.40.162
ip inspect audit-trail
ip inspect name protect tcp
ip inspect name protect http java-list 10
ip inspect name protect udp
ip inspect name FW http alert on audit-trail on timeout 600
ip inspect name FW https alert on audit-trail on timeout 600
ip inspect name FW nntp alert on audit-trail on timeout 600
ip inspect name FW imap3 alert on audit-trail on timeout 600
ip inspect name FW imaps alert on audit-trail on timeout 600
ip inspect name FW tcp alert on audit-trail on timeout 600
ip inspect name FW ftp alert on audit-trail on timeout 600
ip inspect name FW time alert on audit-trail on timeout 600
ip inspect name FW ftps alert on audit-trail on timeout 600
ip inspect name FW pop3 alert on audit-trail on timeout 600
ip inspect name FW pop3s alert on audit-trail on timeout 600
ip inspect name FW udp alert on audit-trail on timeout 600
ip inspect name FW ntp alert on audit-trail on timeout 600
ip inspect name FW timed alert on audit-trail on timeout 600
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
vtp mode client
username David privilege 15 secret 5 $1$MJII$VQeek3gCWe4K5m3PhqDIY.
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 !
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description INSIDE_INT
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip inspect FW in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname B283051@
 ppp chap password 0
 ppp pap sent-username B283051@
 ppp ipcp mask request
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat pool GUESTNAT 217.40.235.57 217.40.235.58 netmask 255.255.255.252
ip nat inside source static 192.168.1.101 217.40.235.61
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.8.8.0 255.255.254.0 192.168.1.101
ip route 172.16.0.0 255.255.0.0 192.168.1.101
ip route 172.16.4.0 255.255.255.0 192.168.1.101
ip route 172.16.8.0 255.255.255.0 192.168.1.101
!
ip access-list extended GUEST
ip access-list extended OUTSIDE_IN
 permit ip any host 217.40.xxx.xxx
!
no cdp run
!
control-plane
!
banner motd ^CCC
*************************************
*** WARNING ** WARNING ** WARNING ***
*************************************
This system is monitored and any access made by you will be logged
Your attept to use this sIf you are not an authorised user please log out now.
^C
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp logging
ntp master 2
ntp server ntp1.uk.uu.net
ntp server extntp0.inf.ed.ac.uk
ntp server ntp.cis.strath.ac.uk
end
-
gorebrush Member Posts: 2,743
Ah-ha!
I've fixed it. ISA Server was telling me about DNS errors...
For some reason DNS requests were not getting through, so my OUTSIDE_IN rule now looks like this: -
ip access-list extended OUTSIDE_IN
permit ip any host 217.40.235.61
permit ip any host 192.168.1.101
permit ip host 194.72.0.114 any
permit ip host 62.6.40.162 any
And now it works...
Think I can ditch that 2nd line of the ACL though -
gorebrush Member Posts: 2,743
Some tweaking afterwards: -
Extended IP access list OUTSIDE_IN
5 permit tcp any host 217.40.xxx.xx established (3 matches)
30 permit ip host 194.72.0.114 any (189 matches)
40 permit ip host 62.6.40.162 any
Sorted
Just need to get my GUESTNAT sorted now, and I believe I have a safely configured setup -
mikem2te Member Posts: 407
There doesn't appear to be an 'ip inspect' command for DNS in your config, wondering if that would help rather than creating an ACL entry for it??
-
gorebrush Member Posts: 2,743
OK I've added ip inspect DNS in there (DOH, that was stupid)
And then dropped the two lines out of the ACL (Much neater solution)
But that doesn't seem to work... -
mikem2te Member Posts: 407
Does 'show ip inspect sessions' show any port 53 / DNS entries?
Session 67B7BB28 (10.20.0.220:51051)=>(212.23.6.100:53) dns SIS_OPEN
Session 67B80BD0 (10.20.0.220:51115)=>(212.23.6.100:53) dns SIS_OPEN
Session 67B7DC88 (10.20.0.220:53302)=>(212.23.6.100:53) dns SIS_OPEN
I have the above after my client performs a DNS lookup
-
mikem2te Member Posts: 407
I also have some NAT translations using the 'show ip nat translations' command.
Pro Inside global      Inside local       Outside local      Outside global
udp x.x.x.x:51069      10.20.0.220:51069  212.23.6.100:53    212.23.6.100:53
udp x.x.x.x:52013      10.20.0.220:52013  212.23.6.100:53    212.23.6.100:53
udp x.x.x.x:52254      10.20.0.220:52254  212.23.6.100:53    212.23.6.100:53
udp x.x.x.x:52581      10.20.0.220:52581  212.23.6.100:53    212.23.6.100:53
udp x.x.x.x:52754      10.20.0.220:52754  212.23.6.100:53    212.23.6.100:53
-
gorebrush Member Posts: 2,743
Does 'show ip inspect sessions' show any port 53 / DNS entries?
Don't get anything like that, just no DNS resolution... -
rwwest7 Member Posts: 300
Wouldn't plugging a standard PC into the port you're trying to get your ISA box running through help? Once you have a regular PC working then the ISA server should work as well; I know ISA server is a beast unto its own. But all it needs is an internet connection just like any other PC, and removing it from the picture may ease the t/s'ing a bit. (I may be totally wrong as I've never set up like you're trying, just suggesting)
-
gorebrush Member Posts: 2,743
It is a good suggestion, unfortunately this is in a production environment :-/
However, on the upside, I've got it working nicely as it is. As long as the lovely people running those two DNS servers don't decide to hack our router then I should be ok lol.
It isn't perfect though, and I would like to get rid of those two lines in that ACL. -
mikem2te Member Posts: 407
Don't get anything like that, just no DNS resolution...
Reason I ask is if ISA asks the router, which then in turn asks a DNS server on the internet, I don't think the CBAC rules will apply to the traffic generated in the router, so it will not open up an inbound hole in the firewall for the response.
If ISA goes directly to a DNS server on the internet, the DNS requests pass THROUGH the router so CBAC will do its stuff.
Hopefully that rambling makes sense.
-
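The diagnosis in the posts above (CBAC only tracks traffic that passes through the router, so the router's own resolver queries never get a return-traffic opening, while an explicit deny with log at the end of the inbound ACL shows where the drops land) can be checked without a lab. The Python model below is an added example written for this page, not code from the thread or from Cisco: it simulates an inspect rule set, a CBAC session table and the OUTSIDE_IN ACL (the "tweaked" version with the tcp permit, minus the established keyword) using the addresses posted in the thread (ISA 192.168.1.101 with static NAT 217.40.235.61, router 192.168.1.254, ISP resolver 194.72.0.114). The router's negotiated Dialer1 address is a constructed placeholder, and timeouts, ICMP and the established keyword are left out.

```python
"""Constructed model of IOS CBAC stateful inspection in front of an inbound ACL.
Not IOS code and not from the thread; it reproduces the thread's two DNS cases.
Thread addresses: ISA 192.168.1.101 (static NAT 217.40.235.61), router LAN
192.168.1.254, ISP resolver 194.72.0.114. The WAN address is a constructed placeholder."""
from dataclasses import dataclass
from typing import List, Set, Tuple

ISA_INSIDE, ISA_OUTSIDE = "192.168.1.101", "217.40.235.61"
ROUTER_LAN, ROUTER_WAN = "192.168.1.254", "198.51.100.7"  # WAN address is constructed (RFC 5737)
ISP_DNS = "194.72.0.114"


@dataclass(frozen=True)
class Packet:
    proto: str  # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Ace:
    """One access-list line: proto 'ip' matches anything; addresses are 'any' or 'host X'."""
    action: str
    proto: str
    src: str
    dst: str
    log: bool = False
    matches: int = 0  # the per-line counter that 'show ip access-lists' prints

    def hit(self, p: Packet) -> bool:
        def addr_ok(spec: str, addr: str) -> bool:
            return spec == "any" or spec == f"host {addr}"
        return self.proto in ("ip", p.proto) and addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)


def app_of(p: Packet) -> str:
    """Crude stand-in for the protocol names used in 'ip inspect name FW <proto>'."""
    if p.proto == "udp" and p.dport == 53:
        return "dns"
    if p.proto == "tcp" and p.dport in (80, 443):
        return "http"
    return p.proto


class CbacRouter:
    def __init__(self, inspect: Set[str], outside_in: List[Ace]):
        self.inspect = inspect              # protocols named in the inspect rule set
        self.outside_in = outside_in        # OUTSIDE_IN ACL; implicit deny follows it
        self.sessions: Set[Packet] = set()  # CBAC state table, keyed by outbound 5-tuple
        self.static_nat = {ISA_INSIDE: ISA_OUTSIDE}
        self.drop_log: List[str] = []

    def lan_to_wan(self, p: Packet) -> Tuple[Packet, bool]:
        """Returns (packet as it leaves Dialer1, whether CBAC created a session)."""
        if p.dst == ROUTER_LAN and p.dport == 53:
            # Terminated on the router ('ip dns server'; DHCP hands out 192.168.1.254 as
            # resolver). The router re-asks the ISP from its own WAN address; that flow is
            # router-generated rather than through-traffic, so CBAC never tracks it.
            return Packet("udp", ROUTER_WAN, 49152, ISP_DNS, 53), False
        egress = Packet(p.proto, self.static_nat.get(p.src, p.src), p.sport, p.dst, p.dport)
        tracked = app_of(egress) in self.inspect or egress.proto in self.inspect
        if tracked:
            self.sessions.add(egress)
        return egress, tracked

    def wan_to_lan(self, p: Packet) -> Tuple[str, str]:
        """Inbound on Dialer1: CBAC's dynamic openings are consulted before OUTSIDE_IN."""
        if p.reverse() in self.sessions:
            return "permit", "cbac-session"
        for ace in self.outside_in:
            if ace.hit(p):
                ace.matches += 1
                if ace.log:  # what 'deny ip any any log' would send to syslog
                    self.drop_log.append(
                        f"list OUTSIDE_IN denied {p.proto} {p.src}({p.sport}) -> {p.dst}({p.dport})")
                return ace.action, f"ace: {ace.action} {ace.proto} {ace.src} {ace.dst}"
        return "deny", "implicit-deny"


def thread_acl(permit_resolver: bool) -> List[Ace]:
    """OUTSIDE_IN after the 'tweaking' post, optionally with the resolver permit that made
    DNS work, plus an explicit logging deny so drops show up as counters."""
    acl = [Ace("permit", "tcp", "any", f"host {ISA_OUTSIDE}")]
    if permit_resolver:
        acl.append(Ace("permit", "ip", f"host {ISP_DNS}", "any"))
    acl.append(Ace("deny", "ip", "any", "any", log=True))
    return acl


def isa_dns_via_router(permit_resolver: bool):
    """Failing case from the thread: ISA's resolver is the router itself."""
    r = CbacRouter({"dns", "http", "tcp", "udp"}, thread_acl(permit_resolver))
    egress, tracked = r.lan_to_wan(Packet("udp", ISA_INSIDE, 51051, ROUTER_LAN, 53))
    return r.wan_to_lan(egress.reverse()), tracked, r  # the ISP's reply arrives on Dialer1


def isa_dns_direct(inspect_udp_dns: bool):
    """Working case: ISA asks the ISP resolver directly, so the query is a through-flow."""
    inspect = {"http", "tcp"} | ({"dns"} if inspect_udp_dns else set())
    r = CbacRouter(inspect, thread_acl(permit_resolver=False))
    egress, tracked = r.lan_to_wan(Packet("udp", ISA_INSIDE, 51051, ISP_DNS, 53))
    return r.wan_to_lan(egress.reverse()), tracked, r


if __name__ == "__main__":
    verdict, tracked, r = isa_dns_via_router(permit_resolver=False)
    print("DNS via router, no resolver permit:", verdict, "| cbac tracked:", tracked)
    print("explicit-deny matches:", r.outside_in[-1].matches, "| log:", r.drop_log)
    print("DNS via router, resolver permitted:", isa_dns_via_router(True)[0])
    print("DNS direct, dns inspected:", isa_dns_direct(True)[0])
    print("DNS direct, dns not inspected:", isa_dns_direct(False)[0])
```

Run it and the two cases separate cleanly: a query to 192.168.1.254 leaves the router as router-generated traffic and its reply is caught by the logging deny (one match on that line, one log entry) unless the resolver is permitted explicitly, which is exactly the ACL line the thread ended up needing; a query sent straight to 194.72.0.114 opens a CBAC session and its reply is permitted before the ACL is consulted, and only fails when neither dns nor udp is in the inspect list. Later IOS trains, the 15.0 in this config included, also accept a router-traffic keyword on ip inspect name for tcp, udp and icmp, which makes CBAC track the router's own sessions; otherwise pointing ISA at the ISP resolvers directly is a cleaner fix than per-resolver ACL lines.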
mikem2te Member Posts: 407
Further to my above post, you have
"ip inspect FW in" on your VLAN, it might be worth changing that to-
"ip inspect FW out" on your dialer
-
gorebrush Member Posts: 2,743
The ISA box is looking at 192.168.1.254 for DNS - so you're spot on, CBAC would be no good for that
Perhaps this is where I am getting stuck!
And for the other rule - yes I'll change that - but why is it best to have it out the Dialer and not in the VLAN? -
mikem2te Member Posts: 407
-
gorebrush Member Posts: 2,743
Ah ok - I wasn't questioning you, just wondering really!
Many thanks for all your help