Cisco 857 Port Block

roxysbrian (Level 1)

I am trying to figure out how to block external inbound DNS queries on our 857 router. After doing a security scan for PCI compliance we keep getting a notice that UDP and TCP port 53 are open from an external port scan. I have not found anything in my config that shows port 53 being open. I only need it to be blocked from the external interface but still need DNS to work properly from my inside network. Below is my current config:

Current configuration : 9907 bytes
!
! Last configuration change at 16:05:39 Chicago Fri Aug 27 2010
! NVRAM config last updated at 16:06:04 Chicago Fri Aug 27 2010
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 xxxxxxxxx
enable password 7 xxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-xxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxxxx
certificate self-signed 02
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        quit
dot11 syslog
!
dot11 ssid xxxxxxxxxxx
   authentication open
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.49
!
ip dhcp pool XXX
   network 192.168.100.0 255.255.255.0
   default-router 192.168.100.1
   dns-server 192.168.100.1
!
!
ip cef
no ip bootp server
no ip domain lookup
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]

password encryption aes
!
!
username xxxxxx view root secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxx address 111.111.111.111 no-xauth
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto ipsec profile XYZ
set transform-set SDM_TRANSFORMSET_1
!
!
crypto map ABCD 1 ipsec-isakmp
set peer 111.111.111.111
set security-association lifetime seconds 28800
set transform-set SDM_TRANSFORMSET_1
match address 101
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxxxxxxxx transmit-key
encryption mode xxxxxx xxxxxxxxxx
ssid xxxxxxxxxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address 222.222.222.222 255.255.255.0
ip access-group DNS in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxx@bellsouth.net
ppp chap password 7 xxxxxxxxxxxxx
ppp pap sent-username xxxxxxxx@bellsouth.net password 7 xxxxxxxxxxxxx
crypto map ABCD
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
router rip
version 2
network 192.168.100.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http access-class 2
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit xxx.xxx.xxx.xxx 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit xxx.xxx.xxx.xxx 0.0.7.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit xxx.xxx.xxx.xxx 0.0.7.255
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 2 permit xxx.xxx.xxx.xxx 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 192.168.100.0 0.0.0.255 xxx.xxx.xxx.xxx 0.255.255.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.100.0 0.0.0.255 xxx.xxx.xxx.xxx 0.255.255.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.7.255 host 192.168.100.1 eq 22
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq 22
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host 192.168.100.1 eq 22
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host 192.168.100.1 eq 443
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq 443
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.7.255 host 192.168.100.1 eq 443
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.7.255 host 192.168.100.1 eq cmd
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq cmd
access-list 103 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host 192.168.100.1 eq cmd
access-list 103 deny   tcp any host 192.168.100.1 eq telnet
access-list 103 deny   tcp any host 192.168.100.1 eq 22
access-list 103 deny   tcp any host 192.168.100.1 eq www
access-list 103 deny   tcp any host 192.168.100.1 eq 443
access-list 103 deny   tcp any host 192.168.100.1 eq cmd
access-list 103 deny   udp any host 192.168.100.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip xxx.xxx.xxx.xxx 0.0.7.255 any
access-list 104 permit ip 192.168.100.0 0.0.0.255 any
access-list 104 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 105 remark SDM_ACL Category=128
access-list 105 permit ip host 255.255.255.255 any
access-list 105 permit ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip host xxx.xxx.xxx.xxx any
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip xxx.xxx.xxx.xxx 0.255.255.255 192.168.100.0 0.0.0.255
access-list 108 remark SDM_ACL Category=128
access-list 108 permit ip host 255.255.255.255 any
access-list 108 permit ip 127.0.0.0 0.255.255.255 any
access-list 108 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 109 remark SDM_ACL Category=128
access-list 109 permit ip host xxx.xxx.xxx.xxx any
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip xxx.xxx.xxx.xxx 0.255.255.255 192.168.100.0 0.0.0.255
access-list 111 remark SDM_ACL Category=128
access-list 111 permit ip host 255.255.255.255 any
access-list 111 permit ip 127.0.0.0 0.255.255.255 any
access-list 111 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 112 remark SDM_ACL Category=128
access-list 112 permit ip host xxx.xxx.xxx.xxx any
access-list 113 remark SDM_ACL Category=0
access-list 113 permit ip xxx.xxx.xxx.xxx 0.255.255.255 192.168.100.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CIf you have accessed this system unauthorized you MUST disconnect NOW.^C
!
line con 0
login authentication local_authen
no modem enable
line aux 0
login authentication local_authen
line vty 0 4
access-class 104 in
password 7 xxxxxxxxxxxx
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 192.43.244.18
end

Thanks for any help!

6 Replies

Nagaraja Thanthry (Cisco Employee)

Hello,

I see that you have configured an access-group on the dialer interface but I did not see any specific access-list entries. Please try the following:

ip access-list extended DNS
 permit udp any eq 53 any
 permit tcp any eq 53 any
 permit tcp any any established
 permit tcp any any ack
 permit tcp any any psh
 permit icmp any any echo-reply
 deny ip any any

The first two lines will allow DNS replies from external servers to your network. The next 3 lines will allow return TCP traffic into your network. The last one (before the explicit deny) will allow any ICMP traffic (ping replies) back to the network. If you want to add any other rules, you can add them before the explicit deny.

Hope this helps.

Regards,

NT

Thanks for the reply. After adding the commands you provided into the router it broke the connection across the VPN tunnel. Luckily this router is only about 2 miles from our office and I was able to drive over and remove the ACL to restore the connections across the VPN tunnel. Unfortunately I don't have a clue what I'm doing when it comes to ACLs.

Thanks for your help

Hello,

I am sorry, I did not notice the VPN part. If it is site-to-site VPN, you can add another line in there:

ip access-list extended DNS
 permit esp any any
 permit udp any eq 500 any
 permit udp any eq 4500 any
 permit udp any eq 53 any
 permit tcp any eq 53 any
 permit tcp any any established
 permit tcp any any ack
 permit tcp any any psh
 permit icmp any any echo-reply
 deny ip any any

Hope this helps.

Regards,

NT
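Why the scanner sees port 53 open is visible in the posted config: `ip dns server` turns the 857 into a DNS proxy that answers on every interface, Dialer0 included, and the DHCP pool hands the LAN 192.168.100.1 as its resolver. The list below is an added example, not part of the original thread or Cisco's documentation. It keeps the proxy for the LAN and closes it to the Internet, using the placeholder addresses from the posted config (IPsec peer 111.111.111.111, name servers 208.67.222.222 and 208.67.220.220, SNTP server 192.43.244.18); the list name OUTSIDE_IN is my choice so it can be built completely and swapped in with one `ip access-group` command instead of editing the live DNS list entry by entry. Compared with the accepted answer it (a) denies packets destined to port 53 before permitting replies sourced from port 53, because a stateless `permit udp any eq 53 any` on its own also admits a probe sent from source port 53 (`nmap -g 53`) and the proxy would answer it; (b) pins the DNS, NTP and IPsec permits to the configured peers; (c) drops the `ack` and `psh` lines, which `established` (ACK or RST set) already covers; (d) admits ICMP unreachable and time-exceeded so path-MTU discovery across the 1452-byte PPPoE link keeps working; (e) logs what the final deny drops. The decrypted tunnel traffic is not re-checked against this interface list on 12.3(8)T and later, so the remote LAN needs no entry here; on older releases it would.

```cisco
! Added example, not the original poster's or Cisco's config. Assumes the
! placeholder addresses used in the posted config.
ip access-list extended OUTSIDE_IN
 remark -- IPsec site-to-site: ESP, ISAKMP, NAT-T, from the configured peer only
 permit esp host 111.111.111.111 any
 permit udp host 111.111.111.111 eq isakmp any eq isakmp
 permit udp host 111.111.111.111 eq non500-isakmp any eq non500-isakmp
 remark -- Nobody on the Internet may query the router's DNS proxy (ip dns server).
 remark -- Placed BEFORE the reply permits: a stateless "permit udp any eq 53 any"
 remark -- alone also admits a probe sent FROM port 53 (nmap -g 53).
 deny   udp any any eq domain
 deny   tcp any any eq domain
 remark -- Replies to the queries the proxy forwards (ip name-server)
 permit udp host 208.67.222.222 eq domain any
 permit udp host 208.67.220.220 eq domain any
 remark -- Replies to the router's SNTP polls
 permit udp host 192.43.244.18 eq ntp any
 remark -- Return half of TCP sessions started from inside (ACK or RST set).
 remark -- "established" covers the ack/psh lines in the thread; they add nothing.
 permit tcp any any established
 remark -- ICMP needed for ping from inside and for path-MTU discovery (ip mtu 1452)
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark -- Everything else, logged so the buffer shows what is being dropped
 deny   ip any any log
!
! Swapping the list replaces the DNS group in one step; the old list can then be
! removed with "no ip access-list extended DNS".
interface Dialer0
 ip access-group OUTSIDE_IN in
!
! Verification on the router:
!   show ip access-lists OUTSIDE_IN        -- per-entry hit counters
!   show logging | include OUTSIDE_IN      -- entries the final deny dropped
! From outside, the check the scanner makes, once plainly and once from source
! port 53 (nmap -g sets the source port):
!   nmap -sU -sT -p 53 222.222.222.222
!   nmap -sU -p 53 -g 53 222.222.222.222
```

Two operational notes. The `log` keyword costs CPU on a busy link, so keep it while tuning and drop it once the deny counter is quiet. And when changing an inbound list on a router you cannot reach by hand, type `reload in 10` first, apply the list, confirm the tunnel and the LAN's DNS still work, then `reload cancel`; if the list locks you out, the router reverts to the saved config on its own instead of needing a two-mile drive.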

I'm using ip inspect rules at home (851W model) instead of these 4 rules in the suggested ACL:

 permit tcp any any established
 permit tcp any any ack
 permit tcp any any psh
 permit icmp any any echo-reply

There shouldn't be much difference in overall functionality, or is there?

Hello,

You can certainly use the inspects. Functionally they are better than the access-lists.

Regards,

NT
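The stateful alternative the last two replies refer to, written out as an added example (not the original poster's or Cisco's config). CBAC (`ip inspect`) records sessions leaving Dialer0 and opens only their matching return traffic, so the inbound list no longer needs the source-port-53, `established` or echo-reply guesses of a stateless ACL; it only has to admit what is never a reply to an inspected session. Assumptions: the same placeholder addresses as the posted config; the rule name FW and list name OUTSIDE_IN are mine. Two caveats to check on the actual image: CBAC does not by default inspect traffic the router itself originates, which here is exactly the DNS proxy's forwarded queries and the SNTP polls, so the `router-traffic` keyword (12.3(14)T and later) is set on the udp and tcp rules; if the image rejects it, the pinned reply permits for the name servers and SNTP server from the stateless list have to come back. The IPsec control traffic stays a static permit because the remote peer may initiate it.

```cisco
! Added example, not the original poster's or Cisco's config. Stateful
! replacement for the stateless reply permits; same placeholder addresses.
!
! 1. Inspection rule: track sessions leaving Dialer0 and admit their returns.
!    router-traffic (12.3(14)T+) also tracks what the router itself sends,
!    i.e. the DNS proxy's forwarded queries and SNTP; without it those
!    replies need static permits again.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp
!
! 2. Inbound list: only what is never a reply to an inspected session.
ip access-list extended OUTSIDE_IN
 remark -- IPsec to/from the configured peer only
 permit esp host 111.111.111.111 any
 permit udp host 111.111.111.111 eq isakmp any eq isakmp
 permit udp host 111.111.111.111 eq non500-isakmp any eq non500-isakmp
 remark -- ICMP error feedback for path-MTU discovery (ip mtu 1452) and traceroute,
 remark -- kept static so it works whether or not icmp inspection relates it to a session
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark -- No static permits for port 53, NTP, "established" or echo-reply:
 remark -- the inspect rule opens those return flows per session, so a probe
 remark -- from source port 53 has no session to match and is dropped here.
 deny   ip any any log
!
! 3. Apply both on the outside interface; the ip access-group command replaces
!    the thread's DNS list.
interface Dialer0
 ip access-group OUTSIDE_IN in
 ip inspect FW out
!
! Verification:
!   show ip inspect sessions        -- open sessions and the return pinholes
!   show ip inspect config          -- rule and timers in effect
!   show ip access-lists OUTSIDE_IN -- the deny should count scanner probes, not replies
```

With this arrangement the LAN's DNS works because each forwarded query from the proxy creates a short-lived UDP pinhole for its one reply, while an unsolicited query from the Internet to the proxy, from any source port, matches nothing and hits the final deny.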

Thanks NT! Your additions to the ACL helped us pass our PCI security scan. Many thanks!!!
