Firewall Packet Filtering Configuration Does Not Take Effect Due to Incorrect ACL Configuration on the AR

Publication Date: 2015-10-14
Issue Description
As shown in Figure 1-1, the router functions as the enterprise egress. The firewall function is configured on the router to control host access from the Internet to the internal server of the enterprise. The NAT function is configured on the router to translate the IP address of the internal server to the public address 1.1.2.2.

Figure 1-1 ACL-based access control
The related configuration file is as follows:

#
nat static protocol tcp global ip 1.1.2.2 inside ip 10.26.103.70   //Configure the one-to-one mapping from the private address 10.26.103.70 to the public address 1.1.2.2.
#
acl number 3000   //Configure a rule to forbid the PC using the address 1.1.1.1 to send IP packets to 1.1.2.2 (the rule text is reconstructed from the description in the Handling Process section).
 rule 1 deny ip source 1.1.1.1 0 destination 1.1.2.2 0
 rule 2 permit ip
#
interface Ethernet0/0/1
 ip address 1.1.2.1 255.255.255.224
#
firewall enable
packet-filter 3000 inbound    //Perform packet filtering in the inbound direction.

However, the ACL rule does not take effect, and the PC can still access the internal server.
Handling Process
An ACL policy that does not take effect is normally caused by an incorrect firewall configuration or an incorrect ACL configuration. Check both in turn.

1. Check whether the firewall function is enabled.

The firewall enable command exists in the configuration file. Run the display firewall zone command to view the configuration of the specified security zone. The command output shows that the firewall function is enabled; therefore, the invalid ACL rule is not caused by the firewall configuration.

2. Check whether the ACL rule is correct.

Check the ACL rule. The configuration file of the router shows that the ACL rule forbids the PC to send IP packets to the public IP address 1.1.2.2. However, the NAT function configured on the router translates the public address to the internal address 10.26.103.70 before the packet filter examines the packet. Therefore, the rule must be configured to forbid the PC to send IP packets to the IP address 10.26.103.70. Modify the ACL rule as follows:

#
acl number 3000
 rule 1 deny ip source 1.1.1.1 0 destination 10.26.103.70 0
 rule 2 permit ip
#

After the modification, the PC cannot access the internal server.

Therefore, the firewall packet filtering function does not take effect because the ACL rule is incorrectly configured.
Root Cause
After NAT and the firewall are configured on the AR, the NAT function for incoming packets takes effect before the firewall function. The private address of the internal server, that is, the address after NAT translation, must be specified as the destination address in the ACL rule. If the public address before NAT translation (1.1.2.2) is used as the destination address, the ACL rule never matches and is therefore invalid.
Suggestions
When the firewall and NAT functions are configured on the AR simultaneously, pay attention to the sequence in which the functions take effect:
  • In the inbound direction: The NAT function takes effect first.
  • In the outbound direction: The firewall function takes effect first.
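The following Python model illustrates the processing order described above for both directions. It is an added example, not code from the router or from Huawei; it assumes static NAT is a plain one-to-one address map, that ACL rules are evaluated first match wins, and that a packet matching no rule is permitted (the page's ACL ends in permit ip, so this assumption does not change the result). The packets, the wrong and fixed ACLs, and the rules_referencing_global_addresses lint check are constructed for the example; the lint goes beyond the page by flagging any exact-match rule that names a NAT public address, since the packet filter only ever sees private addresses in either direction.

```python
"""Model of the AR inbound/outbound order: NAT before the filter inbound,
filter before NAT outbound. Added example, not the router's own code."""
import ipaddress
from dataclasses import dataclass

# One-to-one static NAT from the page: public 1.1.2.2 <-> private 10.26.103.70
NAT_STATIC = {"1.1.2.2": "10.26.103.70"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class AclRule:
    action: str            # "deny" or "permit"
    src: str = "any"       # "address wildcard" in Huawei notation, or "any"
    dst: str = "any"
    proto: str = "ip"      # "ip" matches every protocol


def _to_int(text: str) -> int:
    # Huawei allows a bare "0" wildcard for a single host as well as dotted form
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, spec: str) -> bool:
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    mask = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & mask) == (_to_int(base) & mask)


def acl_action(rules, pkt, default="permit"):
    """First matching rule wins; 'default' is an assumption for the no-match case."""
    for r in rules:
        if (r.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, r.src)
                and wildcard_match(pkt.dst, r.dst)):
            return r.action
    return default


def inbound(pkt, rules):
    """Internet -> enterprise: the AR applies NAT first, then the packet filter."""
    after_nat = Packet(pkt.src, NAT_STATIC.get(pkt.dst, pkt.dst), pkt.proto)
    return acl_action(rules, after_nat), after_nat


def outbound(pkt, rules):
    """Enterprise -> Internet: the packet filter runs first, then NAT."""
    action = acl_action(rules, pkt)
    private_to_public = {v: k for k, v in NAT_STATIC.items()}
    after_nat = Packet(private_to_public.get(pkt.src, pkt.src), pkt.dst, pkt.proto)
    return action, after_nat


def rules_referencing_global_addresses(rules):
    """Lint (constructed check): exact-match rules that name a NAT public address.
    The filter only ever sees private addresses, so such rules can never match."""
    flagged = []
    for r in rules:
        for spec in (r.src, r.dst):
            if spec == "any":
                continue
            base, wildcard = spec.split()
            if _to_int(wildcard) == 0 and base in NAT_STATIC:
                flagged.append(r)
                break
    return flagged


PC_TO_SERVER = Packet(src="1.1.1.1", dst="1.1.2.2")        # constructed inbound packet
SERVER_REPLY = Packet(src="10.26.103.70", dst="1.1.1.1")   # constructed outbound reply

WRONG_ACL = [AclRule("deny", "1.1.1.1 0", "1.1.2.2 0"), AclRule("permit")]
FIXED_ACL = [AclRule("deny", "1.1.1.1 0", "10.26.103.70 0"), AclRule("permit")]
OUTBOUND_ACL = [AclRule("deny", "10.26.103.70 0"), AclRule("permit")]


def demo():
    return {
        "inbound_wrong_acl": inbound(PC_TO_SERVER, WRONG_ACL)[0],      # "permit"
        "inbound_fixed_acl": inbound(PC_TO_SERVER, FIXED_ACL)[0],      # "deny"
        "outbound_sees_private_src": outbound(SERVER_REPLY, OUTBOUND_ACL)[0],  # "deny"
        "lint_flags_wrong_rule": len(rules_referencing_global_addresses(WRONG_ACL)),  # 1
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the wrong ACL permitting the PC's packet because the deny rule looks for 1.1.2.2 while the filter sees 10.26.103.70, and the fixed ACL denying it; the outbound case shows that a reply from the server is also filtered on its private source address, consistent with both bullets above.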
