Lets say we got a router which is connecting to an insecure (Internet 😉 ) network and we’d like to be able to do ICMP and Traceroute for troubleshooting but we dont want to create static ACLs. I for myself think it somehow feels a bit unsafe to allow everything the router needs for Ping and Traceroute and have it open all the time. Another option is to manually create the holes every time we need it or even remove the ACLs from the interface during that time but I dont really like one of those options. Additionally we dont want to allow the devices behind that router to be able to use Ping and Traceroute towards the Internet.
Based on those points CBAC could be a viable solution to have the router dynamically open the ports only when its needed and close them afterwards.
The sample network is simple:
R1 acts as a client in our internal network and R2 is the perimeter Router which is going to filter every traffic towards the internet, except locally generated ICMP and Traceroute packets. Just to keep it simple R2 will not permit anything else than Traceroute and ICMP but it shouldnt be a problem to change the configuration to allow other applications (HTTP or other stuff). Just keep in mind that for every session the router has to allocate 600 bytes and the more ACL entries the router has to work though the more CPU is needed so keep it as simple as possible 🙂
R1, R3 and R4 have a basic configuration to assure end-to-end connectivity:
R1 interface FastEthernet0/0 ip address 18.104.22.168 255.255.255.0 duplex auto speed auto ! ip route 0.0.0.0 0.0.0.0 22.214.171.124 R3 interface FastEthernet0/0 ip address 126.96.36.199 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/1 ip address 188.8.131.52 255.255.255.0 duplex auto speed auto ! ip route 0.0.0.0 0.0.0.0 184.108.40.206 R4 interface FastEthernet0/0 ip address 220.127.116.11 255.255.255.0 duplex auto speed auto ! ip route 0.0.0.0 0.0.0.0 18.104.22.168
CBAC is as already mentioned configured on R2:
ip inspect name INSPECT icmp router-traffic ! interface FastEthernet0/0 ip address 22.214.171.124 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/1 ip address 126.96.36.199 255.255.255.0 ip access-group INBOUND in ip access-group OUTBOUND out ip inspect INSPECT out duplex auto speed auto ! ip route 0.0.0.0 0.0.0.0 188.8.131.52 ! ip access-list extended INBOUND permit icmp any host 184.108.40.206 port-unreachable permit icmp any host 220.127.116.11 time-exceeded deny ip any any log ip access-list extended OUTBOUND deny ip any any log
This configuration will allow R2 to use Traceroute and Ping towards R3 and R4 but the Access-Lists will prevent every other routers ICMP or Traceroute through R2. The nice part on that one is, even though Traceroute uses a mix of UDP and ICMP packets, we do not have to do anything with the UDP packets. Simply cause the router locally generates the UDP packets, they never touch the outgoing ACL and since the routers on the path to the destination (and the destination itself) only respond with ICMP messages we do not have to open (with CBAC) any UDP session backwards into R2. If we do configure CBAC for UDP we would only see some half open sessions (no two way communication, R2 only sends the packets but never receives an answer). So in short, Traceroute only needs the ICMP messages port-unreachable and time-exceeded to be allowed within the incoming ACL.
Just to show that it works:
R2#ping 18.104.22.168 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/40 ms R2#sh ip inspect sessions Established Sessions Session 6557315C (126.96.36.199:8)=>(188.8.131.52:0) icmp SIS_OPEN R2#traceroute 184.108.40.206 Type escape sequence to abort. Tracing the route to 220.127.116.11 1 18.104.22.168 16 msec 16 msec 12 msec 2 22.214.171.124 28 msec * 44 msec R2#sh ip inspect sessions R4#ping 126.96.36.199 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 188.8.131.52, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) *Mar 1 00:15:18.835: %SEC-6-IPACCESSLOGDP: list INBOUND denied icmp 184.108.40.206 -> 220.127.116.11 (ping 18.104.22.168 R1#ping 22.214.171.124 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 126.96.36.199, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) *Mar 1 00:15:59.259: %SEC-6-IPACCESSLOGDP: list OUTBOUND denied icmp 188.8.131.52 -> 184.108.40.206 (0/0), 1 packet
Only thing worth to mention is that the show ip inspect session command does not show any open sessions after a successfull Traceroute.