2024-08-24

Debugging Cisco Access Lists

I want to share something specific I learned outside the official Cisco curriculum.

Despite the fact that I've done some traffic separation for untrusted devices, there are still, unfortunately, some that need to be on my internal network for now (Google-based devices like a Google TV-based TV and an old Google Home; Nest products don't interest me), so I decided to do something about this and restrict lateral (east-west) traffic and potential attacks from old, unsupported or not-so-trusted hosts.

While I could send all the L2 traffic to a virtual firewall or my internet firewall appliance, that is, in my opinion, a sub-optimal solution.

All I have to work with is an old unsupported Cisco IOS v15 (Classic) Multilayer switch.

I thought this would be pretty easy: just allow host services like DHCP/netboot and intra-VLAN traffic, block RFC1918 and allow everything else. Ez Pz. Except netboot to my netboot.xyz server didn't work and I couldn't work out why.

ip access-list extended RESTRICTED_ACCESS
 remark NETWORK_SERVICES
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 remark ALLOW_PING
 permit icmp any any echo
 permit icmp any any echo-reply
 remark ALLOW_PXE_SERVER
 permit udp any host 192.168.56.3 eq tftp
 permit tcp any host 192.168.56.3 eq www
 remark PERMIT_INTRA-VLAN
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 remark DENY_RFC1918
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark ALLOW_EVERYTHING_ELSE
 permit ip any any log

I needed some visibility on the ports and protocols, like a firewall log. Cisco conditional debugging to the rescue!

The specific Cisco debug I used was `debug ip packet detail`.

Unfortunately, the detail was overwhelming and showed far too much information for any human to interpret, and it nearly brought down the switch (`debug ip packet` prints every packet the CPU handles, so on a busy box it can starve the control plane), so I had to constrain the output with a debug condition, which is as follows:

`debug condition ip 192.168.0.4`

With the condition set, only packets with 192.168.0.4 as source or destination are printed (an ACL passed as the argument to `debug ip packet detail` does the same job if you want to match on more than one address). Remember to switch it off with `undebug all` when you are done.

This produced the information I required and allowed me to pinpoint the missing port and protocol!

21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4 (Vlan666), len 56, sending

21w3d:     ICMP type=3, code=13
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4 (Vlan666), len 56, output feature
21w3d:     ICMP type=3, code=13, Check hwidb(88), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4 (Vlan666), len 56, sending full packet
21w3d:     ICMP type=3, code=13pak 599DB6C consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
21w3d: IP: s=192.168.0.4 (Vlan666), d=192.168.56.3, len 32, access denied
21w3d:     UDP src=62557, dst=30002
21w3d: FIBipv4-packet-proc: route packet from Vlan666 src 192.168.0.4 dst 192.168.56.3
21w3d: FIBfwd-proc: packet routed by adj to Vlan56 192.168.56.3
21w3d: FIBipv4-packet-proc: packet routing succeeded
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4, len 56, local feature
21w3d:     ICMP type=3, code=13, CASA(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4, len 56, local feature

As you can see in the above output, the UDP packet from 192.168.0.4 to 192.168.56.3 port 30002 was `access denied`. It was not the implicit deny at the end of the list that caught it: 192.168.56.3 falls inside `192.168.0.0 0.0.255.255`, so the packet never got past the DENY_RFC1918 entries, and the ICMP type 3, code 13 messages (destination unreachable, communication administratively prohibited) from 192.168.0.1 are the switch telling the client that its packet was filtered. Adding a permit for UDP 30002 before the RFC1918 denies resolved this for me. Happy days.

A word on why port 30002 turned up at all: TFTP (RFC 1350) answers the read request sent to port 69 from a new, server-chosen port, and the client's acknowledgements go to that port, so `eq tftp` only ever covers the first packet of a transfer. The 32-byte packet above is exactly the size of a TFTP ACK (20 bytes IP, 8 bytes UDP, 4 bytes TFTP), which is most likely what was being dropped. A single `eq 30002` entry therefore only works while the server keeps answering from that port; if your TFTP server picks its transfer port from a range, permit the range instead of one port (for example `permit udp any host 192.168.56.3 range 30000 30010`, with the range taken from the server's configuration).
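To turn that kind of debug output into something you can act on, here is a small parser, written for this post as an added example (it is not the author's code and not a Cisco tool). It runs over the debug lines above; the two trailing lines with a TCP 445 flow to 192.168.1.20 are constructed for the demo and did not come from the switch. The parser pairs each `access denied` header with the protocol line that follows it, prints the narrowest ACE that would permit that flow, and separately lists the ICMP type 3 / code 13 notices the gateway sent back to the client.

```python
"""Pull the useful facts out of Cisco 'debug ip packet detail' output."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Debug output from the post, plus two constructed lines at the end (TCP 445 to
# 192.168.1.20) that are NOT from the switch; they only show TCP is handled too.
SAMPLE = """\
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4 (Vlan666), len 56, sending

21w3d:     ICMP type=3, code=13
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4 (Vlan666), len 56, output feature
21w3d:     ICMP type=3, code=13, Check hwidb(88), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4 (Vlan666), len 56, sending full packet
21w3d:     ICMP type=3, code=13pak 599DB6C consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
21w3d: IP: s=192.168.0.4 (Vlan666), d=192.168.56.3, len 32, access denied
21w3d:     UDP src=62557, dst=30002
21w3d: FIBipv4-packet-proc: route packet from Vlan666 src 192.168.0.4 dst 192.168.56.3
21w3d: FIBfwd-proc: packet routed by adj to Vlan56 192.168.56.3
21w3d: FIBipv4-packet-proc: packet routing succeeded
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4, len 56, local feature
21w3d:     ICMP type=3, code=13, CASA(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4, len 56, local feature
21w3d: IP: s=192.168.0.4 (Vlan666), d=192.168.1.20, len 52, access denied
21w3d:     TCP src=51000, dst=445
"""

# Packet header line: "IP: s=A (iface), d=B (iface), len N, <what happened>"
IP_RE = re.compile(
    r"IP: s=(?P<src>\d+(?:\.\d+){3})(?: \([^)]*\))?, "
    r"d=(?P<dst>\d+(?:\.\d+){3})(?: \([^)]*\))?, len \d+, (?P<action>.+)$"
)
L4_RE = re.compile(r"(?P<proto>UDP|TCP) src=(?P<sport>\d+), dst=(?P<dport>\d+)")
ICMP_RE = re.compile(r"ICMP type=(?P<type>\d+), code=(?P<code>\d+)")

# RFC 1812 meaning of the ICMP message the switch generated for the ACL drop.
ICMP_MEANING = {(3, 13): "destination unreachable: communication administratively prohibited"}


@dataclass(frozen=True)
class DeniedFlow:
    src: str
    dst: str
    proto: str              # "udp", "tcp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]

    def suggested_ace(self) -> str:
        """Narrowest ACE that would permit this one flow (a starting point, not a policy)."""
        if self.proto == "icmp":
            return f"permit icmp any host {self.dst}"
        return f"permit {self.proto} any host {self.dst} eq {self.dport}"


def parse_denied(debug_text: str) -> list[DeniedFlow]:
    """Return one DeniedFlow per 'access denied' packet, with its L4 details."""
    flows: list[DeniedFlow] = []
    pending = None  # header of an 'access denied' packet waiting for its L4 line
    for line in debug_text.splitlines():
        hdr = IP_RE.search(line)
        if hdr:
            pending = hdr if hdr["action"].strip() == "access denied" else None
            continue
        if pending is None:
            continue
        l4 = L4_RE.search(line)
        if l4:
            flows.append(DeniedFlow(pending["src"], pending["dst"], l4["proto"].lower(),
                                    int(l4["sport"]), int(l4["dport"])))
            pending = None
        elif ICMP_RE.search(line):
            flows.append(DeniedFlow(pending["src"], pending["dst"], "icmp", None, None))
            pending = None
    return flows


def icmp_filtered_notices(debug_text: str) -> list[tuple[str, str, str]]:
    """(src, dst, meaning) for every ICMP message in the output, e.g. the type 3 /
    code 13 notices the gateway sends to a client whose packet hit a deny."""
    out: list[tuple[str, str, str]] = []
    pending = None
    for line in debug_text.splitlines():
        hdr = IP_RE.search(line)
        if hdr:
            pending = hdr
            continue
        ic = ICMP_RE.search(line)
        if ic and pending is not None:
            key = (int(ic["type"]), int(ic["code"]))
            out.append((pending["src"], pending["dst"],
                        ICMP_MEANING.get(key, f"icmp type {key[0]} code {key[1]}")))
            pending = None
    return out


if __name__ == "__main__":
    for flow in parse_denied(SAMPLE):
        print(f"denied {flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}"
              f"   candidate ACE: {flow.suggested_ace()}")
    for src, dst, meaning in icmp_filtered_notices(SAMPLE):
        print(f"{src} told {dst}: {meaning}")
```

Run it against a buffered `show logging` dump rather than the live terminal; the candidate ACE it prints is deliberately host- and port-specific, so review it before pasting it into the list.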

So here's the final ACL that worked a treat.

ip access-list extended RESTRICTED_ACCESS
 remark NETWORK_SERVICES
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 remark ALLOW_PING
 permit icmp any any echo
 permit icmp any any echo-reply
 remark ALLOW_PXE_SERVER
 permit udp any host 192.168.56.3 eq tftp
 permit udp any host 192.168.56.3 eq 30002
 permit tcp any host 192.168.56.3 eq www
 remark PERMIT_INTRA-VLAN
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 remark DENY_RFC1918
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark ALLOW_EVERYTHING_ELSE
 permit ip any any log
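Because an extended ACL is first-match, the fix depends entirely on where the new entry sits. The following simulator, added here as an example and not something from the post or from Cisco, parses the subset of IOS extended ACL syntax used above (`any`, `host`, contiguous wildcard masks, `eq` with named or numeric ports, `echo`/`echo-reply`) and walks a packet through the original and the fixed list. It also checks an assumed alternative TFTP transfer port, 45000 (a hypothetical value, not taken from the switch), to show that the fix only covers port 30002.

```python
"""First-match simulator for the subset of Cisco IOS extended ACL syntax used above."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The ACL from the post, before and after the fix (remark lines omitted).
ORIGINAL_ACL = """\
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any host 192.168.56.3 eq tftp
 permit tcp any host 192.168.56.3 eq www
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any log
"""
FIXED_ACL = ORIGINAL_ACL.replace(
    " permit tcp any host 192.168.56.3 eq www\n",
    " permit udp any host 192.168.56.3 eq 30002\n"
    " permit tcp any host 192.168.56.3 eq www\n",
)

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str                  # "ip", "udp", "tcp" or "icmp"
    src: ipaddress.IPv4Network
    sport: int | None
    dst: ipaddress.IPv4Network
    dport: int | None
    icmp_type: int | None
    text: str                   # the entry as written, reported on a match


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int | None = None
    dport: int | None = None
    icmp_type: int | None = None


def _parse_addr(tok: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """any | host A.B.C.D | A.B.C.D WILDCARD  (contiguous wildcard masks only)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wc = int(ipaddress.IPv4Address(tok[i + 1]))
    prefix = 32 - wc.bit_length()            # wildcard 0.0.0.255 -> /24
    if wc != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]} not supported")
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2


def _parse_port(tok: list[str], i: int) -> tuple[int | None, int]:
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (NAMED_PORTS[p] if p in NAMED_PORTS else int(p)), i + 2
    return None, i


def parse_acl(text: str) -> list[Ace]:
    aces: list[Ace] = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("remark", "ip"):   # skip remarks and the header line
            continue
        action, proto, i = tok[0], tok[1], 2
        src, i = _parse_addr(tok, i)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        icmp_type = ICMP_TYPES[tok[i]] if proto == "icmp" and i < len(tok) and tok[i] in ICMP_TYPES else None
        aces.append(Ace(action, proto, src, sport, dst, dport, icmp_type, line.strip()))
    return aces


def evaluate(aces: list[Ace], pkt: Packet) -> tuple[str, str]:
    """(action, entry) for the first matching ACE, or the implicit deny at the end."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for a in aces:
        if a.proto not in ("ip", pkt.proto) or src not in a.src or dst not in a.dst:
            continue
        if a.sport is not None and a.sport != pkt.sport:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        if a.icmp_type is not None and a.icmp_type != pkt.icmp_type:
            continue
        return a.action, a.text
    return "deny", "implicit deny (end of list)"


if __name__ == "__main__":
    ack = Packet("192.168.0.4", "192.168.56.3", "udp", sport=62557, dport=30002)
    print("original:", evaluate(parse_acl(ORIGINAL_ACL), ack))
    print("fixed:   ", evaluate(parse_acl(FIXED_ACL), ack))
    # Hypothetical other transfer port: the single-port fix does not cover it.
    print("fixed, port 45000:", evaluate(parse_acl(FIXED_ACL),
          Packet("192.168.0.4", "192.168.56.3", "udp", sport=62557, dport=45000)))
```

Feed it the same packets you would expect to see from a real client (DHCP discover from 0.0.0.0 to the broadcast address, a DNS query, the TFTP read request to port 69, an SMB attempt at a neighbour) and you get a quick regression check for the list before applying it to the next SVI.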

Yes, I know I can (and probably will) tighten it some more and make DNS more specific (or remove it entirely to enforce Quad9 DNS and prevent poisoning), but I wanted an ACL that is as simple as possible so I can easily model it and apply it to other interfaces and SVIs. That, I might add, is being done, and so far it is working well.
