Perimeter interface ACL

Robert Craig
Level 3

I want to lock down my router that connects to the cable modem. Now, I thought it would be simple to just block everything incoming via an ACL, but as soon as I applied the below ACL, even the clients that are being NAT'd couldn't get to the internet. This router is performing NAT for the internal network, as well as terminating client/network IPSEC tunnels. Any ideas on how to approach this?

access-list 150 remark OUTSIDE_TO_INSIDE_ACL
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny tcp any range 0 65535 any range 0 65535 log
access-list 150 deny udp any range 0 65535 any range 0 65535 log
access-list 150 deny ip any any log

40 Replies

Well,

ICMP is not permitted to come back. Remember that traffic generated from the router is not subject to inspection (unless the keyword router-traffic is included). For that you will need to add one more ACL that allows ICMP to that specific domain.

Permit icmp any host 10.dyndns-at-home.com echo-reply

That way it will be permitted. Remember to put it on the first lines to avoid the final deny ip any any.

Let me know.

Mike

Mike

Yeah, I ended up editing it more than that. Below is what I have so far. It seemed that it was just too locked down for anything to get through. Do you recommend adding or changing anything? Everything works right now, knock on wood.

access-list 150 remark OUTSIDE_TO_INSIDE_ACL
access-list 150 permit udp any any eq bootpc
access-list 150 permit udp any any eq bootps
access-list 150 permit udp any eq bootps any eq bootpc
access-list 150 permit udp any host 10.dyndns-at-home.com eq 500
access-list 150 permit udp any host 10.dyndns-at-home.com eq 4500
access-list 150 permit udp any host 10.dyndns-at-home.com eq isakmp
access-list 150 permit esp any host 10.dyndns-at-home.com
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any unreachable
access-list 150 permit icmp any any packet-too-big
access-list 150 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit udp host proxy.sip-ua.com host 10.dyndns-at-home.com
! Prevent LAND Attack
access-list 150 deny ip host 139.130.130.34 host 139.130.130.34 log
! IP address spoof protection
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 deny ip host 0.0.0.0 any log
! ICMP filters
access-list 150 deny icmp any any redirect log
access-list 150 deny icmp any any mask-request log
! Deny all and log port numbers
access-list 150 deny ip any any log

Robert

I like it; however, I don't know what the reason for this is:

access-list 150 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255

Nothing on the internet should come with those private IP addresses.

Mike

Mike

You are right. Here is the weird part. Those two LANs reside on a distant site and come across IPSEC tunnels (two tunnels). When I blocked those private addresses, I started noticing that traffic from those IPs was being blocked via the ACL. I just did a terminal monitor in an SSH session at the router and the page was going nuts with blocks. The IPs were legit and were trying to get to resources on my LAN. What is confusing is how the interface would even see those IPs if they are inside an encrypted tunnel.

Robert Craig

Fort Huachuca, AZ 85613

520-226-9505 (Home)

760-583-8270 (Cell)

520-843-0759 (Fax)

Agree.

You were seeing drops for all that subnet or for certain hosts?

Mike

Mike

Certain hosts that I know were legit in the other LAN.

Robert Craig

Mmm, alright... all kinds of traffic or certain?

What you can do is remove those lines, put the ip inspect log drop-pkt and check the logs for packet drops because of the firewall.

Mike

Mike

Would this be an internal log? I don't have a server collecting logs yet.

Robert Craig

If you put the command term mon in exec mode, the logs will appear in the current SSH/Telnet session that you have; if you are on the console, they should appear immediately with no command intervention.

Mike

Mike

OK, I took out the two lines allowing those privates in. I didn't add the denies back at the bottom, but here is the message I am getting from one of my hosts.

list 150 denied tcp 192.168.16.6(36322) -> 192.168.1.253(5060), 1 packet

16.6 is an Exchange server on the LAN side in Arkansas

1.253 is a call manager on my side in Arizona

I have a SIP trunk between the two for Exchange Voicemail

Robert Craig

Robert,

It could be due to the fact that this connection was not in the state table. That being said, try the following:

ip inspect name FW sip

Do you have this ACL 150 only applied on the outside interface in the inbound direction?

Mike

Mike

Yes, I already have the SIP rule turned on. And yes, it is applied:

ip access-group 150 in

That’s not the only thing appearing. I am seeing clients in Arkansas trying to connect to a printer on my end, as well as LDAP traffic trying to get to a server here as well.

Robert Craig

What I meant was whether this ACL was only applied to the outside interface (trying to check if you had it applied elsewhere).

The ip inspect log drop-pkt should show you FW logs; the ones that you grabbed are regular ACLs. This is why I think there is another ACL that may be dropping the packets.

Mike

Mike

OK, I see. Where do I apply that statement?

Robert Craig

At global configuration mode.

Mike

Mike