Cisco IOS BVI ACL: Only allow established UDP


Solution 1

UDP packets don't establish a connection; they're literally fire and forget! A simple permit udp host XX.xx.xx.xx host xx.xx.xx.xx eq xx should be all that's required.

Solution 2

Accidentally stumbled upon this page while searching for something else, and thought to add a couple of cents...

Short of doing stateful firewall on IOS, you can use a long-existing feature called "reflexive ACL", where a packet in one direction pokes a hole in the ACL, and this permits the packets in the other direction.

The configuration guide describes the feature in full detail, but in a nutshell, it is as follows:

  • you can have an entry within an access list that, besides permitting the packets, also can reflect this traffic in a reflexive ACL (which is a fully dynamic entity)
  • in another ACL you can evaluate this reflexive ACL as part of the ACL matching process alongside the usual permit and deny.

Here's a simple example of a config:

interface Dialer1
  ip address negotiated
  ip access-group V4-GATE in
  ip access-group V4-REF out
!
ip access-list extended V4-GATE
  permit icmp any any echo-reply
  permit icmp any any unreachable
  permit icmp any any ttl-exceeded
  permit icmp any any packet-too-big
  evaluate V4-REFLECTOR
  deny   ip any any log
!
ip access-list extended V4-REF
  permit udp any any eq domain reflect V4-REFLECTOR timeout 10
  permit ip any any reflect V4-REFLECTOR
!

This will give you pretty much exactly the same amount of statefulness as the NAT overload.

HTH.

(EDIT: seeing you mention BVI, the applicability of this may depend on your configuration. What I illustrated above is where Dialer1 is the egress interface connecting to the internet. If you do router-on-a-stick, you might need to adapt this, though I think it is still applicable. This is unusable if the interfaces connecting the two peers of the connection are members of the same bridge group.)

Author: 700 Software

Updated on September 18, 2022

Comments

  • 700 Software, over 1 year

    Related: Cisco IOS ACL: Don't permit incoming connections just because they are from port 80

    I know we can use the established keyword for TCP.. but what can we do for UDP (short of replacing a Bridge or BVI with a NAT)?

    Answer

    I found out what "UDP has no connection" means.

    DNS uses UDP for example..

    1. named (DNS server) is listening on port 53
    2. nslookup (DNS client) starts listening on some random port and sends a packet to port 53 of the server and notes the source port in that packet.
    3. nslookup will retry 3 times if necessary. Also the packets are so small that it does not have to worry about them coming in the wrong order.
    4. If nslookup receives a response on that port that comes from the server's IP and port, then it stops listening. If the server tried to send two responses (for example a response and a response to the retry), then the server would not care if either of them made it, because the client has the job to retry. In fact, unless an ICMP 3/3 packet gets through, the server would not know about a failure. This is different from TCP, where you get connection closed or timed out errors.

    DNS allows for an easy retry from the client as well as small packets, so UDP is an excellent choice because it is more efficient. In UDP you would see:

    1. nslookup sends request
    2. named sends answer

    In TCP you would see:

    1. nslookup's machine sends SYN
    2. named's machine sends SYN-ACK
    3. nslookup's machine sends ACK and the request
    4. named's machine sends the response

    That is much more than is necessary for a tiny DNS packet.

  • 700 Software, over 13 years
    On the FastEthernet 4 (Fa4) out I can do this to permit pc1 to connect to DNS-server: "permit udp host pc1 gt 1023 host dns-server eq 53"; then on Fa4 in I can allow the response: "permit udp host dns-server eq 53 host pc1 gt 1023". But that also means that the DNS server could set its source port to port 53 and connect back to pc1 on any UDP port greater than 1023. Is this the best I can do?
  • Ludovic Kuty, about 5 years
    In the ACL that feeds the reflexive ACL, it would have been interesting to be able to filter the permit udp any any to specific hosts on the LAN. But since the ACL is applied after NAT, I guess it is not possible.
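As an added illustration (a constructed simulation, not code from the answers above or from Cisco), the following Python models the two approaches discussed on this page side by side: the static permit pair from the asker's comment ("permit udp host pc1 gt 1023 host dns-server eq 53" outbound and its mirror inbound) versus the reflexive ACL from Solution 2 ("reflect V4-REFLECTOR timeout 10" on the outbound ACL, "evaluate V4-REFLECTOR" on the inbound one). The host addresses, port numbers, the 300-second default for the generic reflect line and the idle-timer refresh on matching traffic are assumptions made for the simulation, not values from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A UDP datagram as the ACL sees it (constructed for this simulation)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Placeholder addresses from the RFC 5737 documentation ranges (assumed).
PC1 = "192.0.2.10"       # LAN client running nslookup
DNS = "198.51.100.53"    # DNS server on the far side of the router


def static_permit_out(p: Packet) -> bool:
    """Models: permit udp host pc1 gt 1023 host dns-server eq 53 (Fa4 out)."""
    return (p.src_ip == PC1 and p.src_port > 1023
            and p.dst_ip == DNS and p.dst_port == 53)


def static_permit_in(p: Packet) -> bool:
    """Models: permit udp host dns-server eq 53 host pc1 gt 1023 (Fa4 in).
    Nothing ties this rule to an earlier outbound query."""
    return (p.src_ip == DNS and p.src_port == 53
            and p.dst_ip == PC1 and p.dst_port > 1023)


class ReflexiveAcl:
    """Models the V4-REF / V4-GATE pair from Solution 2: an outbound packet
    mirrors its 4-tuple into the dynamic reflector with an expiry time, and
    only packets matching a live reflector entry are permitted inbound."""

    DEFAULT_TIMEOUT = 300  # assumed default for "permit ip any any reflect"

    def __init__(self, dns_timeout: int = 10):
        self.dns_timeout = dns_timeout
        # mirrored (src_ip, src_port, dst_ip, dst_port) -> expiry timestamp
        self.reflector: dict[tuple, int] = {}

    def permit_out(self, p: Packet, now: int) -> bool:
        # "permit udp any any eq domain reflect V4-REFLECTOR timeout 10"
        # followed by "permit ip any any reflect V4-REFLECTOR".
        timeout = self.dns_timeout if p.dst_port == 53 else self.DEFAULT_TIMEOUT
        mirror = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        self.reflector[mirror] = now + timeout
        return True

    def permit_in(self, p: Packet, now: int) -> bool:
        # "evaluate V4-REFLECTOR" then "deny ip any any log".
        for key in [k for k, exp in self.reflector.items() if exp <= now]:
            del self.reflector[key]          # entry aged out
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in self.reflector:
            # Assumption: the timer is an idle timer refreshed by matching traffic.
            self.reflector[key] = now + self.dns_timeout
            return True
        return False


def compare() -> dict:
    """Run three traffic scenarios through both approaches.
    Returns {scenario: (static_verdict, reflexive_verdict)}."""
    query = Packet(PC1, 40000, DNS, 53)            # nslookup sends request
    reply = Packet(DNS, 53, PC1, 40000)            # named sends answer
    unsolicited = Packet(DNS, 53, PC1, 5000)       # server-initiated, source port 53
    results = {}

    # 1. Normal query followed by its reply one second later: both permit.
    refl = ReflexiveAcl(dns_timeout=10)
    results["query_then_reply"] = (
        static_permit_out(query) and static_permit_in(reply),
        refl.permit_out(query, now=0) and refl.permit_in(reply, now=1),
    )

    # 2. The case the asker worried about: the far side talks first from
    #    port 53 to an arbitrary high port. The static rule lets it in; the
    #    reflexive ACL has no matching entry and denies it.
    results["unsolicited_from_53"] = (
        static_permit_in(unsolicited),
        refl.permit_in(unsolicited, now=2),
    )

    # 3. A "reply" arriving after the 10-second timeout has expired.
    late = ReflexiveAcl(dns_timeout=10)
    late.permit_out(query, now=0)
    results["reply_after_timeout"] = (
        static_permit_in(reply),
        late.permit_in(reply, now=20),
    )
    return results


if __name__ == "__main__":
    for scenario, (static_ok, refl_ok) in compare().items():
        print(f"{scenario:22s} static={static_ok!s:5s} reflexive={refl_ok}")
```

The three scenarios show what "the same amount of statefulness as the NAT overload" means in practice: the static pair permits anything sourced from port 53 towards a high port whether or not a query went out, while the reflexive entry exists only after an outbound packet created it and disappears once the timeout lapses.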