Access Lists - lock down ftp ports

ohareka70 (Level 3)

Hello,

I have got a Cisco router which is port forwarding to an IIS server over the internet. I want to create an access-list to lock the Cisco router down further. I want to create the following:

1 - Users on the wireless LAN can access any website going to the outside world, but only on ports 80 and 443. So really I don't want anyone in the office to be able to go to file sharing websites over FTP etc.

2 - At present users from the outside world can hit the following website address www.captrax2.niwater.com and they are forwarded to the webserver address 192.168.2.100. I want the access list to make sure that's all they can hit and no other devices on my wireless LAN.

I have attached the config of the Cisco router as it is today. I am hitting the web page OK so port forwarding is working.

I did try this access list but all it did was stop me hitting the webpage, so I had to delete it again.

ip access-list extended OUTSIDE-IN
 evaluate TO_REFLECT
 permit ip any 192.168.2.100 0.0.0.255 reflect TO_REFLECT
ip access-list extended OUTSIDE-OUT
 permit tcp host x.x.x.x any eq www reflect TO_REFLECT timeout 180
 permit tcp host x.x.x.x any eq 443 reflect TO_REFLECT timeout 180
 permit tcp host x.x.x.x any eq domain reflect TO_REFLECT timeout 180
 permit udp host x.x.x.x any eq domain reflect TO_REFLECT timeout 180
 permit icmp host x.x.x.x any reflect TO_REFLECT
!

Any advice welcome.

Kevin

5 Replies

sachinraja (Level 9) - Accepted Solution

Hi Kevin

You can configure ACLs as given below:

ip access-list extended to_internet
 permit tcp 192.168.2.0 0.0.0.255 any eq 80
 permit tcp 192.168.2.0 0.0.0.255 any eq https
 permit udp 192.168.2.0 0.0.0.255 any eq 53
 ! deny ip any any (implicit)


Apply this on VLAN 1 in the "inbound" direction.

Try this first, and I'll draft the inbound ACL (from the internet) in a few minutes.

Raj

On the outside interface, you can configure the following

ip access-list extended from_internet
 permit tcp any host x.x.x.x eq http
 permit tcp any host x.x.x.x eq https

where x.x.x.x is the NATed IP address representing the inside IP 192.168.2.100.

Apply this on the outside interface (Dialer0).

Test this and let us know.

Raj

Raj,

I applied the first ACL and I am still able to go out to the internet and also hit the internal webpage 192.168.2.100 from outside.

ip access-list extended to_internet
 permit tcp 192.168.2.0 0.0.0.255 any eq 80 log
 permit tcp 192.168.2.0 0.0.0.255 any eq https log
 permit udp 192.168.2.0 0.0.0.255 any eq 53 log
 deny ip any any

I put in log to see what's going on as well. But when I applied the Dialer0 ACL below I can no longer go out to the internet while I have another laptop on the same wireless router, and I also can't hit the webpage from the outside.

ip access-list extended from_internet
 permit tcp any host x.x.x.x eq http
 permit tcp any host x.x.x.x eq https

I was talking to someone in work and he said to try an ACL with evaluate to reflect or dynamic. Not too sure what he means? Have you any other ideas for the ACL on Dialer0 please?

Thanks for the help so far. Much appreciated.

Kevin

Hi Kevin

"I applied the first ACL and I am still able to go out to the internet and also hit the internal webpage 192.168.2.100 from outside." - does this mean it works the way it should? You should be able to get out to the internet on port 80/https etc. after applying the inbound ACL on VLAN 1, right? Were you able to do FTP after putting in the inbound ACL? What is the default gateway for your wireless users?

With regards to the Dialer0 ACL, it would just allow access to the external NAT IPs on ports 80 and 443. You were previously talking about port forwarding etc.; where is that done? It could just be due to the fact that your return traffic might get dropped when it comes back from the server. Just to test, try removing the inbound ACL and just have the from_internet ACL, to test if it works.

With regards to reflexive ACLs, the fact is they create dynamic access-list entries when you have traffic originated from outside. You can probably refer to the following URL to know more:

http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sclock.html

Raj

Raj,

I have been working on this with a colleague in work and we think we have finally got it correct with an ACL using the evaluate command:

ip access-list extended d0_in
 evaluate WWWOUT
 evaluate HTTPSOUT
 evaluate DNSUDP
 evaluate DNSTCP

interface Dialer0
 description $FW_OUTSIDE$
 ip address xx.xx.xx.xx
 ip access-group d0_in in
 ip access-group d0_out out

I have attached the latest config and also a show ip nat translations just in case you have any comments or advice.

Kind regards for your help,

Kevin

PS: if it's working OK I think I'll quit when I'm ahead.
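The return-traffic problem Raj describes above and the evaluate lines Kevin ended up with are easier to see with a small simulator. The following is an added example, not code from the thread or from Cisco: it implements first-match ACL evaluation with Cisco wildcard masks, the implicit deny, and reflexive entries (reflect creates a mirror entry, evaluate consults it), then runs Raj's first from_internet draft and a reflexive d0_in/d0_out pair against a few constructed packets. The addresses are assumptions: 203.0.113.10 stands in for the router's public x.x.x.x and 198.51.100.0/24 for hosts on the Internet (RFC 5737 documentation ranges). NAT is not modelled; packets are shown as Dialer0 sees them, with the public address already in place. That ordering is also why the OUTSIDE-IN list in the first post could not match anything: on IOS an inbound ACL on the outside interface is checked before the outside-to-inside NAT translation, so the destination it sees is the public address, never 192.168.2.100.

```python
# Added example (not from the thread): first-match simulator for Cisco IOS extended
# and reflexive ACLs. 203.0.113.10 stands in for the router's public x.x.x.x and
# 198.51.100.0/24 for Internet hosts (RFC 5737 ranges). NAT is not modelled.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ftp": 21}
ANY = (0, 0xFFFFFFFF)  # 'any' == 0.0.0.0 with wildcard 255.255.255.255
Packet = namedtuple("Packet", "proto src sport dst dport")
# src/dst: (network, wildcard) ints; port None = any; reflect/evaluate: reflexive list names
Entry = namedtuple("Entry", "action proto src sport dst dport reflect evaluate",
                   defaults=(None, None))

def _ip(s):
    return int(ipaddress.ip_address(s))

def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of the token list."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tok.pop(0)), 0)
    return (_ip(t), _ip(tok.pop(0)))

def _take_port(tok):
    if tok and tok[0] == "eq":  # only 'eq PORT' is supported here
        tok.pop(0)
        p = tok.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None

def parse_ace(line):
    """Parse one access-list entry; trailing 'log' / 'timeout N' are ignored."""
    tok = line.split()
    if tok[0] == "evaluate":
        return Entry("permit", "ip", ANY, None, ANY, None, evaluate=tok[1])
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _take_addr(tok), _take_port(tok)
    dst, dport = _take_addr(tok), _take_port(tok)
    reflect = tok[tok.index("reflect") + 1] if "reflect" in tok else None
    return Entry(action, proto, src, sport, dst, dport, reflect=reflect)

def _matches(e, p):
    def addr_ok(addr, spec):  # Cisco wildcard: a 1 bit in the wildcard means 'don't care'
        return (_ip(addr) | spec[1]) == (spec[0] | spec[1])
    return (e.proto in ("ip", p.proto) and addr_ok(p.src, e.src) and addr_ok(p.dst, e.dst)
            and e.sport in (None, p.sport) and e.dport in (None, p.dport))

class Router:
    def __init__(self):
        self.acls = {}       # ACL name -> [Entry]
        self.reflexive = {}  # reflexive list name -> dynamic [Entry]

    def define(self, name, lines):
        self.acls[name] = [parse_ace(l) for l in lines if l.strip() and not l.startswith("!")]

    def check(self, acl, p):
        """First match wins; falling off the end is the implicit 'deny ip any any'."""
        for e in self.acls[acl]:
            if e.evaluate:
                if any(_matches(r, p) for r in self.reflexive.get(e.evaluate, [])):
                    return "permit"
                continue
            if _matches(e, p):
                if e.action == "permit" and e.reflect:
                    # Mirror entry: src/dst and ports swapped, all four pinned, so only
                    # the reply to this exact session is let back in.
                    self.reflexive.setdefault(e.reflect, []).append(Entry(
                        "permit", p.proto, (_ip(p.dst), 0), p.dport, (_ip(p.src), 0), p.sport))
                return e.action
        return "deny"

def demo():
    """Constructed traffic through the Dialer0 lists; returns a verdict per scenario."""
    r = Router()
    r.define("from_internet", [  # Raj's first draft for the outside interface: no state
        "permit tcp any host 203.0.113.10 eq http",
        "permit tcp any host 203.0.113.10 eq https"])
    r.define("d0_out", [  # reflexive version: each permitted outbound flow is mirrored
        "permit tcp host 203.0.113.10 any eq www reflect WWWOUT timeout 180",
        "permit tcp host 203.0.113.10 any eq 443 reflect HTTPSOUT timeout 180",
        "permit udp host 203.0.113.10 any eq domain reflect DNSUDP timeout 180"])
    r.define("d0_in", [
        "evaluate WWWOUT", "evaluate HTTPSOUT", "evaluate DNSUDP",
        "permit tcp any host 203.0.113.10 eq www",  # the forwarded IIS server
        "permit tcp any host 203.0.113.10 eq https"])
    v, web = {}, "198.51.100.20"
    v["user_http_out"] = r.check("d0_out", Packet("tcp", "203.0.113.10", 51000, web, 80))
    reply = Packet("tcp", web, 80, "203.0.113.10", 51000)
    v["reply_no_evaluate"] = r.check("from_internet", reply)  # the drop Kevin reported
    v["reply_with_evaluate"] = r.check("d0_in", reply)
    v["user_ftp_out"] = r.check("d0_out", Packet("tcp", "203.0.113.10", 51001, web, 21))
    v["visitor_http"] = r.check("d0_in", Packet("tcp", "198.51.100.77", 40000, "203.0.113.10", 80))
    v["visitor_ssh"] = r.check("d0_in", Packet("tcp", "198.51.100.77", 40001, "203.0.113.10", 22))
    # a 'reply' from a host other than the one contacted does not fit the mirror entry
    v["forged_reply"] = r.check("d0_in", Packet("tcp", "198.51.100.77", 80, "203.0.113.10", 51000))
    return v
```

Calling demo() returns the verdict per scenario: reply_no_evaluate is "deny", which is the outage Kevin hit with the from_internet list applied inbound on Dialer0 (the web server's reply comes back to an ephemeral port, not to port 80, so nothing in that list matches it). With the evaluate lines in front, reply_with_evaluate is "permit" while user_ftp_out, visitor_ssh and forged_reply stay "deny". Two checks the simulator also makes visible: an address given with a non-zero wildcard, such as 192.168.2.100 0.0.0.255 in the first post, matches the whole of 192.168.2.0/24 rather than one host (IOS stores it as 192.168.2.0 0.0.0.255), and the older stateless alternative, permit tcp any host x.x.x.x established, only looks for the ACK or RST bit and keeps no session state, so it would pass any ACK-flagged segment an outsider chose to send.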
