12-13-2011 07:44 PM - edited 03-11-2019 03:01 PM
I want to lock down my router that connects to the cable modem. Now, I thought it would be simple to just block everything incoming via an ACL, but as soon as I applied the below ACL, even the clients that are being NAT'd couldn't get to the internet. This router is performing NAT for the internal network, as well as terminating client/network IPSEC tunnels. Any ideas on how to approach this?
access-list 150 remark OUTSIDE_TO_INSIDE_ACL
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny tcp any range 0 65535 any range 0 65535 log
access-list 150 deny udp any range 0 65535 any range 0 65535 log
access-list 150 deny ip any any log
12-15-2011 08:41 AM
Well,
ICMP is not permitted to come back. Remember that traffic generated from the router is not subject to inspection (unless the keyword router-traffic is included). For that you will need to add one more ACL entry that allows ICMP to that specific domain.
access-list 150 permit icmp any host 10.dyndns-at-home.com echo-reply
That way it will be permitted. Remember to put it in the first lines to avoid the final deny ip any any.
Let me know.
Mike
12-15-2011 08:52 AM
Yeah, I ended up editing it more than that. Below is what I have so far. It seemed that it was just too locked down for anything to get through. Do you recommend adding or changing anything? Everything works right now, knock on wood.
access-list 150 remark OUTSIDE_TO_INSIDE_ACL
access-list 150 permit udp any any eq bootpc
access-list 150 permit udp any any eq bootps
access-list 150 permit udp any eq bootps any eq bootpc
access-list 150 permit udp any host 10.dyndns-at-home.com eq 500
access-list 150 permit udp any host 10.dyndns-at-home.com eq 4500
access-list 150 permit udp any host 10.dyndns-at-home.com eq isakmp
access-list 150 permit esp any host 10.dyndns-at-home.com
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any unreachable
access-list 150 permit icmp any any packet-too-big
access-list 150 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit udp host proxy.sip-ua.com host 10.dyndns-at-home.com
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny ip any any log
Robert
12-15-2011 09:38 AM
I like it; however, I don't know what the reason for this is:
access-list 150 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255
Nothing on the internet should come with those private IP addresses.
Mike
12-15-2011 09:47 AM
You are right. Here is the weird part. Those two LANs reside at a distant site and come across IPsec tunnels (two tunnels). When I blocked those private addresses, I started noticing traffic from those IPs was being blocked by the ACL. I just did a terminal monitor in an SSH session on the router and the page was going nuts with blocks. The IPs were legit and were trying to get to resources on my LAN. What is confusing is how the interface would even see those IPs if they are inside an encrypted tunnel.
Robert Craig
Fort Huachuca, AZ 85613
520-226-9505 (Home)
760-583-8270 (Cell)
520-843-0759 (Fax)
12-15-2011 09:51 AM
Agree.
Were you seeing drops for all of that subnet or for certain hosts?
Mike
12-15-2011 09:53 AM
Certain hosts that I know were legit in the other LAN.
Robert Craig
12-15-2011 10:09 AM
Mmm, alright... all kinds of traffic or certain ones?
What you can do is remove those lines, put in ip inspect log drop-pkt and check the logs for packet drops by the firewall.
Mike
12-15-2011 10:11 AM
Would this be internal log? I don’t have a server collecting logs yet.
Robert Craig
12-15-2011 10:14 AM
If you put the command term mon in exec mode, the logs will appear in the current SSH/Telnet session that you have; if you are on the console, they should appear immediately with no command intervention.
Mike
12-15-2011 10:16 AM
OK, I took out the two lines allowing those privates in. I didn’t add the denys back at the bottom, but here is the message I am getting from one of my hosts.
list 150 denied tcp 192.168.16.6(36322) -> 192.168.1.253(5060), 1 packet
16.6 is an Exchange server on the LAN side in Arkansas.
1.253 is a Call Manager on my side in Arizona.
I have a SIP trunk between the two for Exchange voicemail.
Robert Craig
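A way to check what the term mon output in this post is telling you, as an added example that is not part of the thread: a small Python script that parses ACL deny lines in the format quoted above, tags each source as decrypted tunnel traffic (one of the two remote LANs reaching the local LAN), a spoofed private/reserved source, or other, and evaluates the packet against two orderings of the spoof section of ACL 150: the version from the first post, and a reordering (suggested here, not from the thread) that keeps the RFC1918 denies but places narrow permits for 192.168.16.0/24 and 192.168.15.0/24 to the local LAN above them. The local LAN 192.168.1.0/24, the extra log lines marked as constructed, and the ACE helper are assumptions of the example.

```python
"""Triage IOS ACL 'denied' log lines on a router that also terminates IPsec.

Added example, not from the thread: parses %SEC-6-IPACCESSLOGP-style lines
(the format quoted in the post above), tags the denied packet, and evaluates
it against two orderings of the spoof-protection section of ACL 150.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed from the thread: the two remote-site LANs that arrive through the
# IPsec tunnels, and the local LAN (192.168.1.0/24 is assumed from the
# 192.168.1.253 destination in the quoted log line).
REMOTE_TUNNEL_NETS = [ipaddress.ip_network("192.168.16.0/24"),
                      ipaddress.ip_network("192.168.15.0/24")]
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")

# Spoof-protection ranges from the first post's ACL.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"list (?P<acl>\d+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?")


def cisco_net(spec):
    """'addr wildcard' | 'host addr' | 'any' -> IPv4Network (contiguous wildcards only)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    first, second = spec.split()
    if first == "host":
        return ipaddress.ip_network(f"{second}/32")
    wild = int(ipaddress.IPv4Address(second))      # Cisco inverse mask
    prefix = 32 - wild.bit_length()
    if wild != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {second} not modelled")
    return ipaddress.ip_network(f"{first}/{prefix}", strict=False)


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action, proto, src, dst):
    return Ace(action, proto, cisco_net(src), cisco_net(dst))


def evaluate(acl, proto, src, dst):
    """First-match evaluation. Returns (action, index); index == len(acl) is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(acl):
        if a.proto in ("ip", proto) and src in a.src and dst in a.dst:
            return a.action, i
    return "deny", len(acl)


def parse_log_line(line):
    """Dict for an IPACCESSLOGP-style line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"acl": m["acl"], "action": m["action"], "proto": m["proto"],
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "sport": int(m["sport"]) if m["sport"] else None,
            "dport": int(m["dport"]) if m["dport"] else None, "count": int(m["count"])}


def classify(pkt):
    """Why did the outside inbound ACL see this source address at all?"""
    if pkt["dst"] in LOCAL_LAN and any(pkt["src"] in n for n in REMOTE_TUNNEL_NETS):
        return "decrypted-tunnel"   # site-to-site traffic re-checked after decryption
    if any(pkt["src"] in n for n in BOGONS):
        return "spoofed-bogon"      # private/reserved source arriving in the clear
    return "other"


# Spoof section as in the first post: RFC1918 denied, nothing above it for the tunnels.
ACL_FIRST_POST = [
    ace("deny", "ip", "127.0.0.0 0.255.255.255", "any"),
    ace("deny", "ip", "10.0.0.0 0.255.255.255", "any"),
    ace("deny", "ip", "172.16.0.0 0.15.255.255", "any"),
    ace("deny", "ip", "192.168.0.0 0.0.255.255", "any"),
    ace("deny", "ip", "any", "any"),
]
# Suggested ordering (not from the thread): keep the denies, permit only the
# two remote LANs to the local LAN above them.
ACL_TIGHTENED = [
    ace("permit", "ip", "192.168.16.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
    ace("permit", "ip", "192.168.15.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
] + ACL_FIRST_POST

SAMPLE_LOG = [
    "list 150 denied tcp 192.168.16.6(36322) -> 192.168.1.253(5060), 1 packet",  # quoted in the thread
    "list 150 denied tcp 192.168.15.20(50211) -> 192.168.1.10(389), 4 packets",  # constructed: LDAP from the other remote LAN
    "list 150 denied tcp 10.23.4.5(4444) -> 139.130.130.34(22), 3 packets",      # constructed: spoofed private source in the clear
    "%SYS-5-CONFIG_I: Configured from console by vty0",                          # constructed noise line
]


def triage(lines, acl):
    """[(src, dst, classification, action under acl), ...] for every parseable line."""
    out = []
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        action, _ = evaluate(acl, pkt["proto"], pkt["src"], pkt["dst"])
        out.append((str(pkt["src"]), str(pkt["dst"]), classify(pkt), action))
    return out


if __name__ == "__main__":
    for name, acl in (("first post", ACL_FIRST_POST), ("tightened", ACL_TIGHTENED)):
        print(f"== {name} ==")
        for row in triage(SAMPLE_LOG, acl):
            print("  %-15s -> %-15s %-17s %s" % row)
```

The quoted line explains the "weird part" on its own: the inbound ACL on the outside interface is matching the decrypted tunnel packets by their inner addresses, so the RFC1918 denies fire on legitimate site-to-site traffic unless the tunnel subnets are permitted above them. The final ACL in the thread handled this by deleting the 10/8, 172.16/12 and 192.168/16 denies and permitting the remote LANs to all of 192.168.0.0/16; keeping the denies and narrowing the permits loses nothing for the tunnel and preserves the logged spoof drops for everything else. An interface ACL sees only addresses, so a cleartext packet from the Internet forged with a 192.168.16.x source would match the same permit; that is the trade-off of any such permit, and the reason to keep it as narrow as the tunnel's own crypto ACL.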
12-15-2011 10:36 AM
Robert,
It could be due to the fact that this connection was not in the state table. That being said, try the following:
ip inspect name FW sip
Do you have this ACL 150 only applied on the outside interface in the inbound direction?
Mike
12-15-2011 10:40 AM
Yes, I already have the SIP rule turned on. And yes, it is applied:
ip access-group 150 in
That’s not the only thing appearing. I am seeing clients in Arkansas trying to connect to a printer on my end, as well as LDAP traffic trying to get to a server here as well.
Robert Craig
12-15-2011 10:54 AM
What I meant was whether this ACL was only applied to the outside interface (trying to check if you had it applied elsewhere).
The ip inspect log drop-pkt should show you FW logs; the ones that you grabbed are regular ACL logs. This is why I think there is another ACL that may be dropping the packets.
Mike
12-15-2011 10:57 AM
OK, I see. Where do I apply that statement?
Robert Craig
12-15-2011 11:01 AM
At global configuration mode.
Mike