Proxy and CBAC.

Hi guys,

CBAC requires that all connections be denied in order for it to manage who passes and who doesn't. But having a proxy, and therefore the need to stop all the PCs but the proxy, will still allow the PCs to go to the Internet. So, how to solve the problem? I thought about a route-map forwarding the unwanted traffic to Null. Has anybody tried this solution? Which is the order between route-maps and ACLs applied on an interface?

TIA

Alex.


Trying to understand what you're trying to do, Alex. Are you unsure how to configure CBAC to allow only the web proxy?

BernieM



Hi,

My understanding is that you use an inbound access list on the inside interface to control what sites/protocols you want to go out.

interface e 0
 description inside
 ip access-group ACL.internet.outbound in

ip access-list extended ACL.internet.outbound
 ! allow the proxy to access any http sites
 permit tcp host address-of-proxy any eq 80
 ! https too
 permit tcp host address-of-proxy any eq 443
 ! you will need other things here such as management access
 ! ICMP
 ! you may want to block broadcasts

Your proposed scheme would be OK, but I think that this will be more efficient. The benefit of putting it on the inside interface seems to me to be that the router discards the traffic at the earliest opportunity.

Here is an ACL that I used a while back that is pretty over the top but might give you some ideas. This one was also designed to protect the router from unnecessary traffic, e.g. Windows broadcasts, since it was not really up to the job it was being asked to do.

ip access-list extended E0-in
 remark ### NEW YORK NETWORKS ####
 permit ip 192.168.166.0 0.0.0.255 192.168.58.0 0.0.0.255
 remark ### CISCO831 ACCESS ####
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq telnet
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq 22
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq www
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq 443
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq cmd
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.253 eq 161
 permit icmp 192.168.166.0 0.0.0.255 any
 remark ### BLOCK RUBBISH ####
 deny ip any host 192.168.166.255
 deny ip any host 255.255.255.255
 remark ### remote management ####
 permit ip 192.168.166.0 0.0.0.255 host x.x.x.x
 remark ### ALLOW INTERNAL & POOLS & VPN ####
 permit ip any 192.168.166.0 0.0.0.255
 permit ip any 10.1.166.0 0.0.0.255
 permit ip 10.1.166.0 0.0.0.255 any
 permit udp any host y.y.y.y eq 500
 permit esp any host y.y.y.y
 remark ### BLOCK RUBBISH ####
 deny ip any 10.0.0.0 0.255.255.255 log
 deny ip any 127.0.0.0 0.255.255.255 log
 deny ip any 172.16.0.0 0.15.255.255 log
 deny ip any 224.0.0.0 31.255.255.255 log
 deny ip any 192.168.0.0 0.0.255.255 log
 deny ip any 192.0.2.0 0.0.0.255 log
 deny ip any 169.254.0.0 0.0.255.255 log
 deny ip any host 192.168.166.253 log
 deny ip any host z.z.z.z log
 remark ### Internet ####
 permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq domain
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 123
 permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq ntp
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 264
 permit tcp 192.168.166.0 0.0.0.255 any eq 500
 permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq 554
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 5800
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 5900
 permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq 7070
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq smtp
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq pop3
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq ftp
 remark ### Bloomberg ####
 permit tcp 192.168.166.0 0.0.0.255 160.43.250.0 0.0.0.255 range 8194 8294
 permit tcp 192.168.166.0 0.0.0.255 206.156.53.0 0.0.0.255 range 8194 8294
 permit tcp 192.168.166.0 0.0.0.255 208.22.57.0 0.0.0.255 range 8194 8294
 permit udp 192.168.166.0 0.0.0.255 160.43.250.0 0.0.0.255 range 48129 48192
 permit udp 192.168.166.0 0.0.0.255 206.156.53.0 0.0.0.255 range 48129 48192
 permit udp 192.168.166.0 0.0.0.255 205.216.112.0 0.0.0.255 range 48129 48192
 permit udp 192.168.166.0 0.0.0.255 208.22.56.0 0.0.0.255 range 48129 48192
 permit udp 192.168.166.0 0.0.0.255 208.22.57.0 0.0.0.255 range 48129 48192
 deny tcp any any range 0 65535 log
 deny udp any any range 0 65535 log
 deny ip any any log
Bod43

As far as I have understood the CBAC mechanism, you need to block everything you want CBAC to process. In some way I want to put the proxy traffic under CBAC control. Your ACL excludes the HTTP/HTTPS proxy traffic from being analyzed and, ironically, allows all other machines on the LAN to pass through the interface, because the way CBAC works is to make holes in the wall when needed. So, for CBAC to work you need to deny what it will process. Blocking traffic coming from all the LAN but the proxy is not a solution, unless you apply CBAC on the WAN interface in the outgoing direction. So the Ethernet ACL filters who can pass through it and CBAC analyzes just that traffic. But my fear is applying too restrictive an ACL on the WAN interface, because I'm afraid of cutting my management connections off. For that reason I wish to solve the problem on the inside interface.

Thanks, Alex.


You don't block what you want CBAC to process. It needs to pass through the incoming ACL for CBAC to see it.

Allow proxy traffic in at the inside interface and CBAC will 'inspect' it and see which interface it's going out; if you have an ACL there, CBAC will dynamically create 'permit' entries for return traffic.

The same applies for incoming traffic being initiated from the Internet, i.e. public hosts accessing your web site. Allow that in at the WAN's external ACL and CBAC will dynamically create ACL entries on the inside interface for return traffic.

e.g.

inside interface:
 ip access-group inside-filter in
 ip inspect <inspection-rule-name> in

wan interface:
 ip access-group outside-filter in
 ip inspect <inspection-rule-name> in

ip access-list extended inside-filter
 ! permit proxy traffic eq http and https
 ! allow your management traffic eq telnet or ssh and whatever else you use (snmp etc.)
 ! deny all

ip access-list extended outside-filter
 ! permit public hosts to your web site eq http and https
 ! deny all and log

BernieM
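Since this is the point Alex stumbled on, here is an added example (not from the thread or from Cisco) that models BernieM's description in Python: the inbound ACL on the inside interface is evaluated first, so a packet it denies is never inspected, while a permitted proxy flow creates a return-path entry that is checked ahead of the WAN interface's static ACL. The host addresses and ports are constructed, and CBAC's real TCP state tracking and timeouts are left out.

```python
# Added example, not from the thread: a toy model of an IOS interface running an
# inbound ACL plus "ip inspect in" (CBAC). Addresses and ports are constructed;
# real CBAC also tracks TCP state and timeouts, which this model leaves out.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

PROXY, PC, WEB = "192.168.1.10", "192.168.1.50", "203.0.113.20"

# Static ACLs as (action, match) pairs: first match wins, implicit deny at the end.
INSIDE_IN = [("permit", lambda p: p.src == PROXY and p.dport in (80, 443))]
OUTSIDE_IN = []  # nothing unsolicited from the Internet is permitted

def acl_lookup(acl, p):
    for action, match in acl:
        if match(p):
            return action
    return "deny"

class Router:
    def __init__(self):
        self.sessions = set()  # flows recorded by ip inspect on the inside interface

    def from_inside(self, p):
        # Ingress order: the inbound access-group runs first; a denied packet is
        # dropped here and never reaches ip inspect.
        if acl_lookup(INSIDE_IN, p) == "deny":
            return False
        self.sessions.add((p.src, p.sport, p.dst, p.dport))  # inspected flow
        return True

    def from_wan(self, p):
        # Dynamic CBAC return-traffic entries are consulted before the static ACL.
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True
        return acl_lookup(OUTSIDE_IN, p) == "permit"

def demo():
    r = Router()
    proxy_out = r.from_inside(Pkt(PROXY, 40000, WEB, 443))  # permitted and inspected
    proxy_back = r.from_wan(Pkt(WEB, 443, PROXY, 40000))    # return traffic allowed
    pc_out = r.from_inside(Pkt(PC, 40001, WEB, 80))         # non-proxy PC dropped
    unsolicited = r.from_wan(Pkt(WEB, 443, PROXY, 40002))   # no session: dropped
    return proxy_out, proxy_back, pc_out, unsolicited, len(r.sessions)
```

Running demo() shows only the proxy's flow and its reply getting through, which is the behaviour BernieM describes for an inside ACL that permits the proxy alone.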

