Troubleshooting Transport Layer Issues on the Router
Common issues with extended ACLs

Network problems can arise from transport layer problems on the router, particularly at the edge of the network where security technologies are examining and modifying the traffic. This section discusses two of the most commonly implemented transport layer security technologies: access control lists (ACLs) and Network Address Translation (NAT).

The most common issues with extended access lists are the result of misconfiguration. There are eight areas where misconfigurations commonly occur:

  • Selection of traffic flow
  • Order of access control elements
  • Implicit "deny any any"
  • Addresses and wildcard masks
  • Selection of transport layer protocol
  • Source and destination port(s)
  • Use of the ‘established’ keyword
  • Uncommon protocols

Selection of Traffic Flow
Although these points are not listed in any particular order, the most common router misconfiguration of extended access lists is applying the access list to the wrong traffic. Traffic is defined by both the router interface through which it travels and the direction in which it travels. For an access list to function properly, it must therefore be applied to the correct interface and in the correct direction.

Order of Access Control Elements
Another common mistake made when configuring ACLs is the order in which access control elements (ACEs) are configured. Although an access list may have an element to specifically permit a particular traffic flow, packets will never match that element if they are being denied by another element earlier in the list.

Recall that the guideline for configuring an access control list is specific to general. This means that the most specific elements are configured at the top of the list and the less specific elements are configured at the end. The more information defined in an element, the more specific that element is. For example, the element permit tcp 10.0.0.0 0.255.255.255 any eq 110 established is more specific than the element permit tcp 10.0.0.0 0.255.255.255 any eq 110 because the first element used the additional keyword established. The element permit udp host 10.32.96.7 eq 53 any is more specific than both of these because it matches a more specific (smaller) range of source addresses.

Implicit "deny any any"
Every extended access list has a deny any any element implied as the final entry in the list. This does not normally pose an issue when configuring firewall routers, as the guideline for configuring highly secure access lists is to deny everything and specifically permit particular traffic flows. In a situation where high security is not required on the access list, forgetting about this implicit access control element may be the cause of an access list misconfiguration.

Addresses and Wildcard Masks
There are a number of things that make correctly selecting source and destination addresses more complex:

  • Running NAT on the router
  • Using complex wildcard masks to select patterns of addresses

If the router is running both access lists and NAT, the order in which each of these technologies is applied to a traffic flow is important. The order of operations in the switching path is complex, as shown in Figure . The important points to remember are:

  • Inbound traffic is processed by the inbound access list before being processed by outside-to-inside NAT.
  • Outbound traffic is processed by the outbound access list after being processed by inside-to-outside NAT.

Wildcard masks are typically used to select ranges of addresses. For example, the address 198.162.10.0 and wildcard mask 0.0.0.255 could be used to select all hosts in the Class C network address-space 198.162.10.0. Generally, these sorts of address and wildcard mask combinations are difficult to get wrong.

More complex wildcard masks can also be used to select patterns of addresses. For example, the address 10.0.32.0 and wildcard mask 0.0.32.15 would select the first 15 host addresses in either the 10.0.0.0 network or the 10.0.32.0 network. Complex wildcard masks like this provide significant improvements in efficiency, especially in large networks with structured and controlled IP addressing schemes.
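To see exactly which addresses an address/wildcard pair selects, the following added example (not from the original page) expands both of the pairs discussed above: the plain Class C range and the patterned 0.0.32.15 mask, which yields addresses .0 through .15 in each of the two networks.

```python
import ipaddress

def wildcard_matches(address, wildcard):
    """Enumerate every IPv4 address selected by an IOS address/wildcard pair.

    A 1 bit in the wildcard means "don't care": the match set is the base
    address with every combination of the don't-care bits, and the base
    address's own bits in those positions are ignored by the router.
    """
    base = int(ipaddress.IPv4Address(address))
    wild = int(ipaddress.IPv4Address(wildcard))
    fixed = base & ~wild & 0xFFFFFFFF              # bits the router actually compares
    free_bits = [1 << i for i in range(32) if wild >> i & 1]
    matches = []
    for combo in range(1 << len(free_bits)):        # one entry per don't-care combination
        value = fixed
        for i, bit in enumerate(free_bits):
            if combo >> i & 1:
                value |= bit
        matches.append(str(ipaddress.IPv4Address(value)))
    return sorted(matches, key=lambda s: int(ipaddress.IPv4Address(s)))

def summarize(addresses):
    """Group a match set by the /24 network it falls in, with a count per network."""
    groups = {}
    for a in addresses:
        net = str(ipaddress.ip_network(a + "/24", strict=False))
        groups[net] = groups.get(net, 0) + 1
    return groups

# The two address/wildcard pairs from the text
CLASS_C = wildcard_matches("198.162.10.0", "0.0.0.255")   # every host in one Class C
PATTERN = wildcard_matches("10.0.32.0", "0.0.32.15")      # .0-.15 of 10.0.0.0 and 10.0.32.0

if __name__ == "__main__":
    print(len(CLASS_C), "addresses:", CLASS_C[0], "...", CLASS_C[-1])
    print(summarize(PATTERN))
```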

Selection of Transport Layer Protocol
When configuring ACLs, it is important that only the correct transport layer protocols be specified in the element. Many network engineers, when unsure if a particular traffic flow uses a TCP port or a UDP port, will configure both. The first problem with doing this is that it opens a hole through the firewall, possibly giving intruders an avenue into the network. The other problem is that it introduces an extra element into the ACL. This means the ACL takes longer to process, introducing more latency into network communications.

Source and Destination Port(s)
Correctly specifying source and destination ports is usually simple, but some traffic flows make it complex. In a simple traffic flow, the client end of the connection uses a random high-numbered port to initiate a connection to a specific port at the server end; defining the correct source and destination ports is straightforward in this situation.

A more difficult concept is understanding the flow of traffic between two hosts and building the ACLs to properly control the traffic. Simple traffic flows require symmetric access control elements for inbound and outbound access lists. In other words, address and port information for traffic generated by a replying host is the mirror image of address and port information for traffic generated by the initiating host.

Example
Examine these descriptions of a simple e-mail traffic flow traversing a firewall router to understand the relationship between the addresses and ports of the initiating traffic and those of the responding traffic:

  1. A user wants to check e-mail on a remote ISP mail server.
  2. The client PC opens the mail client and initiates a connection to a POP3 mail server.
  3. The request for new mail is generated and sent by the client PC.
    • The source address of the request packets is the IP address of the client PC.
    • The source port of the request packets will be randomly chosen from above 1024 (for example, TCP port 2113).
    • The destination address of the request packets is the IP address of the mail server.
    • The destination port of the request packets is TCP port 110 (the POP3 mail server).
  4. The packets traverse the LAN, get to the firewall router, and are processed by the access list controlling outbound traffic on the external router port.
    • A control element permitting traffic from any port on any internal address to TCP port 110 on the ISP mail server address is configured near the top of the access list.
    • The ‘request for mail’ traffic matches this element and is allowed through the firewall router.
  5. Having satisfied an element of the outbound access list, the router forwards the traffic to the next hop on the way to the ISP mail server.
  6. The ISP mail server has mail waiting for the user. When the ISP mail server receives the request, the mail server responds with the mail items it has for the user. Because the traffic is now returning to the client PC, the address and port information from the request packets have the source details swapped with the destination details.
    • The source address of the reply packets is the IP address of the ISP mail server.
    • Because the reply is coming from the POP3 mail server, the source port of the reply packets is TCP port 110.
    • The destination address of the reply packets is the IP address of the client PC.
    • The client PC needs to know which process to pass the reply packets to when it receives them. This means the destination port of the reply packets is set as TCP port 2113.
  7. The mail server sends the reply packets onto the Internet and they eventually get back to the firewall router. The traffic must satisfy an element of the access list controlling inbound traffic on the external router port before being forwarded to the LAN.
    • A control element permitting traffic from TCP port 110 on the IP address of the ISP mail server to any port on any internal IP address is configured near the top of the access list.
    • The ‘reply with mail’ traffic matches this element and is allowed through the firewall router.
  8. The ‘reply’ traffic reaches the client, where the mail items are displayed by the e-mail client software.

Use of the Established Keyword
Using the established keyword means a packet must match the specified source and destination IP addresses and ports and must also have the ACK bit set before a complete match is possible.

For example, an access list watching inbound traffic may have an element to permit traffic from a remote Telnet server. By adding the ‘established’ keyword to this element, the access list can be configured to permit traffic from a remote Telnet server, but only if the Telnet connection was initiated from inside the firewall router.

The established keyword can be used to increase the security provided by an access list. If this established keyword is applied to an outbound access list, unexpected results may occur.
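The symmetric outbound and inbound elements from the POP3 walk-through, the established check, and the top-down first-match order with its implicit deny can all be exercised with the small evaluator below. It is an added example, not IOS code or anything from the original page: it parses only the ACE subset used on this page, and the client address 10.1.1.50 and mail server address 203.0.113.25 are constructed values.

```python
import ipaddress

def _addr(t):
    # Consume 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' from the token list
    w = t.pop(0)
    if w == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (t.pop(0), "0.0.0.0") if w == "host" else (w, t.pop(0))

def _port(t):
    # Consume an optional 'eq N'; None means any port
    if t and t[0] == "eq":
        del t[0]
        return int(t.pop(0))
    return None

def parse_ace(line):
    """Parse the extended-ACE subset this page uses (permit/deny, tcp/udp/ip, eq, established)."""
    t = line.split()
    action, proto, rest = t[0], t[1], t[2:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established="established" in rest)

def wildcard_match(addr, spec):
    # IOS wildcard semantics: a 1 bit in the mask means "don't care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a | w) == (b | w)

def ace_matches(e, pkt):
    return (e["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], e["src"]) and wildcard_match(pkt["dst"], e["dst"])
            and e["sport"] in (None, pkt["sport"]) and e["dport"] in (None, pkt["dport"])
            and (pkt["ack"] or not e["established"]))  # 'established' requires the ACK bit

def evaluate(acl, pkt):
    """Top-down, first match wins; anything unmatched hits the implicit 'deny any any'."""
    for line in acl:
        if ace_matches(parse_ace(line), pkt):
            return line
    return "implicit deny any any"

# Constructed addresses for the POP3 walk-through: client PC and ISP mail server
CLIENT, MAIL = "10.1.1.50", "203.0.113.25"
OUTBOUND = ["permit tcp 10.0.0.0 0.255.255.255 host 203.0.113.25 eq 110"]
INBOUND = ["permit tcp host 203.0.113.25 eq 110 10.0.0.0 0.255.255.255 established"]
REQUEST = dict(proto="tcp", src=CLIENT, sport=2113, dst=MAIL, dport=110, ack=False)      # step 3: client SYN
REPLY = dict(proto="tcp", src=MAIL, sport=110, dst=CLIENT, dport=2113, ack=True)         # step 6: mirror image
UNSOLICITED = dict(proto="tcp", src=MAIL, sport=110, dst=CLIENT, dport=2113, ack=False)  # same tuple, no ACK
```

Evaluating REQUEST against INBOUND, or placing a broader deny above the permit, shows the traffic-flow and ordering mistakes from earlier sections: both fall through to the implicit deny or the earlier element.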

Uncommon Protocols
Extended access lists can be used to control traffic for IP-encapsulated protocols other than TCP and UDP. Misconfigured access lists often cause problems for less common protocols. A group of uncommon protocols that is gaining popularity is the VPN and encryption protocols, including Layer 2 Tunneling Protocol (L2TP), Generic Routing Encapsulation (GRE), Internet Key Exchange (IKE), Internet Security Association and Key Management Protocol (ISAKMP), and Encapsulating Security Payload (ESP).